rapid-cdn: c->h: Implement Strict-Transport-Security

7325762d · Łukasz Nowak · 48f41aa8 · 7325762d · 7325762d · 7325762d
Commit 7325762d authored Aug 25, 2022 by Łukasz Nowak
3 changed files
--- a/software/rapid-cdn/buildout.hash.cfg
+++ b/software/rapid-cdn/buildout.hash.cfg
@@ -38,7 +38,7 @@ md5sum = cba4d995962f7fbeae3f61c9372c4181

 [template-frontend-haproxy-configuration]
 _update_hash_filename_ = templates/frontend-haproxy.cfg.in
-md5sum = d5bcc1053a11ea322ce184b5014c1979
+md5sum = 7c96b713bd25fdad23ff20660e625a58

 [template-frontend-haproxy-crt-list]
 _update_hash_filename_ = templates/frontend-haproxy-crt-list.in

--- a/software/rapid-cdn/templates/default-virtualhost.conf.in
+++ b/software/rapid-cdn/templates/default-virtualhost.conf.in
@@ -21,21 +21,6 @@
    try_interval 250ms
 {%- endmacro %} {# proxy_header #}

-{%- macro hsts_header(tls) %}
-{%-   if tls %}
-{%-     if slave_parameter['strict-transport-security'] > 0 %}
-{%-       set strict_transport_security = ['max-age=%i' % (slave_parameter['strict-transport-security'],)] %}
-{%-       if slave_parameter['strict-transport-security-sub-domains'] %}
-{%-         do strict_transport_security.append('; includeSubDomains') %}
-{%-       endif %}
-{%-       if slave_parameter['strict-transport-security-preload'] %}
-{%-         do strict_transport_security.append('; preload') %}
-{%-       endif %}
-    header_downstream Strict-Transport-Security "{{ ''.join(strict_transport_security) }}"
-{%-     endif %}
-{%-   endif %}
-{%- endmacro %} {# hsts_header #}
-
 {%- for tls in [True, False] %}
 {%- if tls %}
 {%-   set backend_url = slave_parameter.get('backend-https-url', slave_parameter['backend-http-url']) %}

--- a/software/rapid-cdn/templates/frontend-haproxy.cfg.in
+++ b/software/rapid-cdn/templates/frontend-haproxy.cfg.in
@@ -97,6 +97,18 @@ backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
 {%-         else %}
  http-response add-header Via "%HV rapid-cdn-frontend-{{ configuration['node-id'] }}-{{ configuration['version-hash'] }}"
 {%-         endif %}
+{%-         if scheme == 'https' %}
+{%-           if slave_instance['strict-transport-security'] > 0 %}
+{%-             set strict_transport_security = ['max-age=%i' % (slave_instance['strict-transport-security'],)] %}
+{%-             if slave_instance['strict-transport-security-sub-domains'] %}
+{%-               do strict_transport_security.append('; includeSubDomains') %}
+{%-             endif %}
+{%-             if slave_instance['strict-transport-security-preload'] %}
+{%-               do strict_transport_security.append('; preload') %}
+{%-             endif %}
+  http-response set-header Strict-Transport-Security "{{ ''.join(strict_transport_security) }}"
+{%-           endif %}
+{%-         endif %}
 {%-         if info_dict['path'] %}
  http-request set-path {{ info_dict['path'] }}%[path]
 {%-         endif %} {# if info_dict['path'] #}