feat(router): enable HSTS when enforceHTTPS is set

wenzowski · wenzowski · commit b1a52f4c4583 · 2015-06-16T11:59:03.000-04:00
When browsers see the HSTS header on an HTTPS request then they rewrite all links for the current domain that point at HTTP resources to point to HTTPS resources. When /deis/router/enforceHTTPS is set, using HSTS avoids the extranneous 301 redirect to the HTTPS resource and prevents [some threats][1]. The HTTPS Strict Transport Security header mechanism is defined in [RFC-6797][2] [1]: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security [2]: https://tools.ietf.org/html/rfc6797
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -60,6 +60,7 @@ setting                                      description
 /deis/router/gzipDisable                     nginx gzipDisable setting (default: "msie6")
 /deis/router/gzipTypes                       nginx gzipTypes setting (default: "application/x-javascript application/xhtml+xml application/xml application/xml+rss application/json text/css text/javascript text/plain text/xml")
 /deis/router/maxWorkerConnections            maximum number of simultaneous connections that can be opened by a worker process (default: 768)
+/deis/router/secondsToEnforceHSTS            maximum time to observe HSTS when enforceHTTPS is enabled (default: 2628000)
 /deis/router/serverNameHashMaxSize           nginx server_names_hash_max_size setting (default: 512)
 /deis/router/serverNameHashBucketSize        nginx server_names_hash_bucket_size (default: 64)
 /deis/router/sslCert                         cluster-wide SSL certificate
diff --git a/router/image/templates/nginx.conf b/router/image/templates/nginx.conf
@@ -71,6 +71,11 @@ http {
 
     {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") "false" }}
 
+    {{ $secondsToEnforceHSTS := or (getv "/deis/router/secondsToEnforceHSTS") "2628000" }}
+    map $access_scheme $sts {
+      'https' 'max-age={{ $secondsToEnforceHSTS }}; preload';
+    }
+
     ## start deis-controller
     {{ if exists "/deis/controller/host" }}
     upstream deis-controller {
@@ -114,6 +119,7 @@ http {
         if ($access_scheme != "https") {
           return 301 https://$host$request_uri;
         }
+        add_header Strict-Transport-Security $sts always;
         {{ end }}
     }
     ## end deis-controller
@@ -224,6 +230,7 @@ http {
             if ($access_scheme != "https") {
               return 301 https://$host$request_uri;
             }
+            add_header Strict-Transport-Security $sts always;
             {{ end }}
 
             ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
@@ -282,6 +289,7 @@ http {
             if ($access_scheme != "https") {
               return 301 https://$host$request_uri;
             }
+            add_header Strict-Transport-Security $sts always;
             {{ end }}
 
             proxy_pass                  http://{{ $app }};
