Merge "Fix Python version for Travis CI tests"
diff --git a/README.rst b/README.rst
index a920e2d..0ac937d 100644
--- a/README.rst
+++ b/README.rst
@@ -452,6 +452,11 @@
verify_depth: 1
session_cache: 'shared:SSL:15m'
session_timeout: '15m'
+ strict_transport_security:
+ max_age: 16000000
+ include_subdomains: False
+ always: true
+ enabled: true
Nginx stats server (required by collectd nginx plugin)
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
index ac188f1..cd30666 100644
--- a/nginx/files/_ssl.conf
+++ b/nginx/files/_ssl.conf
@@ -1,4 +1,6 @@
+ {%- from "nginx/files/headers/_strict_transport_security.conf" import strict_transport_security %}
+
{%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
{%- set ca_file=site.ssl.get('ca_file', '') %}
@@ -119,6 +121,7 @@
{%- if site.ssl.verify_depth is defined %}
ssl_verify_depth {{ site.ssl.verify_depth }};
{%- endif %}
+ {{ strict_transport_security(site) | indent(2) }}
{%- else %}
{#- Using this file is deprecated, it may be silensly removed in future. All options are now set from _ssl.conf #}
{#- Please check README about new option types #}
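Review bot: The HSTS header is emitted at server scope here (`indent(2)`), and nginx does not inherit `add_header` into a `location` block that declares any `add_header` of its own, so such locations drop Strict-Transport-Security without any warning. The proxy.conf hunk re-emits the macro inside the location alongside `add_header Front-End-Https on;`, which covers that template; other consumers of _ssl.conf are outside this diff and may need the same treatment. A reminder next to the call would save the next template author the surprise: `{#- add_header is not inherited by blocks that set their own add_header; call strict_transport_security(site) there too #}`. The enclosing `if` block starts outside the hunk.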
diff --git a/nginx/files/headers/_strict_transport_security.conf b/nginx/files/headers/_strict_transport_security.conf
new file mode 100644
index 0000000..c4961e7
--- /dev/null
+++ b/nginx/files/headers/_strict_transport_security.conf
@@ -0,0 +1,8 @@
+{%- macro strict_transport_security(site) %}
+{%- if site.ssl.strict_transport_security is defined and site.ssl.strict_transport_security.get('enabled', True) %}
+ {%- set max_age = site.ssl.strict_transport_security.get('max_age', '16000000') %}
+ {%- set include_subdomains = site.ssl.strict_transport_security.get('include_subdomains', False) %}
+ {%- set always = site.ssl.strict_transport_security.get('always', True) %}
+add_header Strict-Transport-Security "max-age={{ max_age }};{%- if include_subdomains %} includeSubDomains{%- endif %}"{%- if always %} always{%- endif %};
+{%- endif %}
+{%- endmacro %}
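Review bot: The macro has no header comment, and its guard is easy to misread: nothing is emitted unless `site.ssl.strict_transport_security` exists in pillar, and `enabled` defaults to true only once that key is present, so HSTS remains opt-in per site. The `always` parameter on `add_header` requires nginx 1.7.5 or later, so with the default `always: True` older builds are likely to reject the directive at config check time. `max_age` and the other values are interpolated into the header straight from pillar without a type check, which is fine for trusted configuration but means a non-mapping value such as `strict_transport_security: True` fails at render time on `.get`. Suggested comment above the macro: `{#- Emit Strict-Transport-Security for a site. Inert unless site.ssl.strict_transport_security is defined (enabled defaults to true once it is); the always flag needs nginx >= 1.7.5. #}`.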
diff --git a/nginx/files/proxy.conf b/nginx/files/proxy.conf
index 82958c6..6687ad5 100644
--- a/nginx/files/proxy.conf
+++ b/nginx/files/proxy.conf
@@ -2,6 +2,8 @@
{%- include "nginx/files/_limit.conf" %}
+{%- from "nginx/files/headers/_strict_transport_security.conf" import strict_transport_security %}
+
server {
{%- include "nginx/files/_name.conf" %}
@@ -101,6 +103,7 @@
{%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
add_header Front-End-Https on;
+ {{ strict_transport_security(site) | indent(6) }}
{%- endif %}
{%- if location.websocket is defined %}
diff --git a/tests/pillar/proxy_with_ssl.sls b/tests/pillar/proxy_with_ssl.sls
index a6e498b..824fa07 100644
--- a/tests/pillar/proxy_with_ssl.sls
+++ b/tests/pillar/proxy_with_ssl.sls
@@ -224,6 +224,10 @@
file: '/etc/ssl/client_cert.pem'
enabled: False
verify_client: 'off'
+ strict_transport_security:
+ max_age: 16000000
+ include_subdomains: True
+ always: True
nginx_proxy_site02:
enabled: true
type: nginx_proxy
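Review bot: The fixture only exercises the fully specified path (`include_subdomains: True`, `always: True`), so the macro's defaults and its guard branch (key absent, or `enabled: False`) are never rendered by this test. A second site in the pillar carrying `strict_transport_security:` with only `enabled: False`, or with the key omitted, would cover the branch that must emit no header. The README example uses `include_subdomains: False`, so the documented default output is presently untested.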