Merge pull request #563 from aledbf/hsts-preload

Add option to disable hsts preload
kubernetes · Apr 6, 2017 · 7ca7652 · 7ca7652
2 parents 847c05d + cbe4029
commit 7ca7652
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md
@@ -285,6 +285,7 @@ https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-
 
 **hsts-max-age:** Sets the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
 
+**hsts-preload:** Enables or disables the preload attribute in the HSTS feature (if is enabled)
 
 **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side.
 The zero value disables keep-alive client connections.
@@ -420,6 +421,7 @@ The following table shows the options, the default value and a description.
 |hsts|"true"|
 |hsts-include-subdomains|"true"|
 |hsts-max-age|"15724800"|
+|hsts-preload|"false"|
 |keep-alive|"75"|
 |map-hash-bucket-size|"64"|
 |max-worker-connections|"16384"|

diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
@@ -144,6 +144,9 @@ type Configuration struct {
 	// accessed using HTTPS.
 	HSTSMaxAge string `json:"hsts-max-age,omitempty"`
 
+	// Enables or disables the preload attribute in HSTS feature
+	HSTSPreload bool `json:"hsts-preload,omitempty"`
+
 	// Time during which a keep-alive client connection will stay open on the server side.
 	// The zero value disables keep-alive client connections
 	// http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
@@ -271,6 +274,7 @@ func NewDefault() Configuration {
 		HSTS:                    true,
 		HSTSIncludeSubdomains:    true,
 		HSTSMaxAge:               hstsMaxAge,
+		HSTSPreload:              false,
 		GzipTypes:                gzipTypes,
 		KeepAlive:                75,
 		LargeClientHeaderBuffers: "4 8k",

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -229,7 +229,7 @@ http {
         {{ end }}
 
         {{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}
-        more_set_headers                        "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
+        more_set_headers                        "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; {{ if $cfg.HSTSPreload }}preload{{ end }}";
         {{ end }}
 
         {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}