feat(router): use one folder for all HSTS keys

Author: wenzowski

docs/customizing_deis/router_settings.rst

@@ -59,8 +59,11 @@ setting                                      description
 /deis/router/gzipVary                        nginx gzipVary setting (default: on)
 /deis/router/gzipDisable                     nginx gzipDisable setting (default: "msie6")
 /deis/router/gzipTypes                       nginx gzipTypes setting (default: "application/x-javascript application/xhtml+xml application/xml application/xml+rss application/json text/css text/javascript text/plain text/xml")
+/deis/router/hsts/enabled                    enable HTTP Strict Transport Security headers for HTTPS requests (default: false)
+/deis/router/hsts/maxAge                     maximum number of seconds user agents should observe HSTS rewrites (default: 2628000)
+/deis/router/hsts/includeSubDomains          enforce HSTS for requests on all subdomains (default: false)
+/deis/router/hsts/preload                    allow the domain to be included in the HSTS preload list (default: false)
 /deis/router/maxWorkerConnections            maximum number of simultaneous connections that can be opened by a worker process (default: 768)
-/deis/router/secondsToEnforceHSTS            maximum time to observe HSTS when enforceHTTPS is enabled (default: 2628000)
 /deis/router/serverNameHashMaxSize           nginx server_names_hash_max_size setting (default: 512)
 /deis/router/serverNameHashBucketSize        nginx server_names_hash_bucket_size (default: 64)
 /deis/router/sslCert                         cluster-wide SSL certificate

router/boot.go

@@ -59,6 +59,7 @@ func main() {
 	mkdirEtcd(client, "/deis/builder")
 	mkdirEtcd(client, "/deis/certs")
 	mkdirEtcd(client, "/deis/router/hosts")
+	mkdirEtcd(client, "/deis/router/hsts")
 
 	setDefaultEtcd(client, etcdPath+"/gzip", "on")
 

router/image/templates/nginx.conf

@@ -69,13 +69,18 @@ http {
       ''      $scheme;
     }
 
-    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") "false" }}
-
-    {{ $secondsToEnforceHSTS := or (getv "/deis/router/secondsToEnforceHSTS") "2628000" }}
+    ## HSTS instructs the browser to replace all HTTP links with HTTPS links for this domain until maxAge seconds from now
+    {{ $enableHSTS := or (getv "/deis/router/hsts/enabled") "false" }}
+    {{ $maxAgeHSTS := or (getv "/deis/router/hsts/maxAge") "2628000" }}
+    {{ $includeSubdomainsHSTS := or (getv "/deis/router/hsts/includeSubDomains") "false" }}
+    {{ $preloadHSTS := or (getv "/deis/router/hsts/preload") "false" }}
     map $access_scheme $sts {
-      'https' 'max-age={{ $secondsToEnforceHSTS }}; preload';
+      'https' 'max-age={{ $maxAgeHSTS }}{{ if eq $includeSubdomainsHSTS "true" }}; includeSubDomains{{ end }}{{ if eq $preloadHSTS "true" }}; preload{{ end }}';
     }
 
+    ## since HSTS headers are not permitted on HTTP requests, 301 redirects to HTTPS resources are also necessary
+    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") $enableHSTS "false" }}
+
     ## start deis-controller
     {{ if exists "/deis/controller/host" }}
     upstream deis-controller {
@@ -119,6 +124,9 @@ http {
         if ($access_scheme != "https") {
           return 301 https://$host$request_uri;
         }
+        {{ end }}
+
+        {{ if eq $enableHSTS "true" }}
         add_header Strict-Transport-Security $sts always;
         {{ end }}
     }
@@ -230,6 +238,9 @@ http {
             if ($access_scheme != "https") {
               return 301 https://$host$request_uri;
             }
+            {{ end }}
+
+            {{ if eq $enableHSTS "true" }}
             add_header Strict-Transport-Security $sts always;
             {{ end }}
 
@@ -289,6 +300,9 @@ http {
             if ($access_scheme != "https") {
               return 301 https://$host$request_uri;
             }
+            {{ end }}
+
+            {{ if eq $enableHSTS "true" }}
             add_header Strict-Transport-Security $sts always;
             {{ end }}