From cbe402959768e0709c3cbad4f1a505141cfd6f62 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Wed, 5 Apr 2017 22:48:43 -0300
Subject: [PATCH] Add option to disable hsts preload
---
 controllers/nginx/configuration.md | 2 ++
 controllers/nginx/pkg/config/config.go | 4 ++++
 controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md
index 20874502a5..e4a1147d4a 100644
--- a/controllers/nginx/configuration.md
+++ b/controllers/nginx/configuration.md
@@ -285,6 +285,7 @@ https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-
 **hsts-max-age:** Sets the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
+**hsts-preload:** Enables or disables the preload attribute in the HSTS feature (if is enabled)
 **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections.
@@ -420,6 +421,7 @@ The following table shows the options, the default value and a description.
 |hsts|"true"|
 |hsts-include-subdomains|"true"|
 |hsts-max-age|"15724800"|
+|hsts-preload|"false"|
 |keep-alive|"75"|
 |map-hash-bucket-size|"64"|
 |max-worker-connections|"16384"|
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index 951d2833e1..3127294da8 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@@ -144,6 +144,9 @@ type Configuration struct {
 	// accessed using HTTPS.
 	HSTSMaxAge string `json:"hsts-max-age,omitempty"`
 
+	// Enables or disables the preload attribute in HSTS feature
+	HSTSPreload bool `json:"hsts-preload,omitempty"`
+
 	// Time during which a keep-alive client connection will stay open on the server side.
 	// The zero value disables keep-alive client connections
 	// http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
@@ -271,6 +274,7 @@ func NewDefault() Configuration {
 		HSTS: true,
 		HSTSIncludeSubdomains: true,
 		HSTSMaxAge: hstsMaxAge,
+		HSTSPreload: false,
 		GzipTypes: gzipTypes,
 		KeepAlive: 75,
 		LargeClientHeaderBuffers: "4 8k",
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 5d06aa5006..b8098880a5 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -229,7 +229,7 @@ http {
         {{ end }}
 
         {{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}
-        more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
+        more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; {{ if $cfg.HSTSPreload }}preload{{ end }}";
         {{ end }}
 
         {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}
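Review bot: The doc comment on the new `HSTSPreload` field should spell out the operational consequence of the flag, because `preload` is the one HSTS directive that is hard to undo: once a domain has been accepted onto the browser preload lists, getting it removed takes months and a published header is effectively a commitment. Go convention also wants the comment to begin with the field name. Suggested: `// HSTSPreload adds the preload directive to the Strict-Transport-Security header. Only enable it when the domain meets the hstspreload.org requirements (max-age of at least one year and includeSubDomains), since inclusion in browser preload lists is difficult to reverse.` The Configuration struct continues outside the hunk.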
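Review bot: Defaulting `HSTSPreload: false` drops the `preload` directive from a header that every existing deployment emitted before this change, so this is a behavior change for upgrades and not merely a new option, as the commit subject suggests. An operator who already submitted a domain to hstspreload.org will have the site flagged for removal once the scanner no longer sees `preload`, so the default flip deserves an explicit mention in the configuration docs or release notes, e.g. `// HSTSPreload defaults to false; deployments that relied on the previously unconditional preload directive must set hsts-preload: "true".` Off is still the right default for new installs, because `preload` combined with the default max-age of 15724800 (about six months) would not satisfy the preload list's one-year minimum anyway. NewDefault's body continues outside the hunk.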
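Review bot: With `HSTSPreload` false the new line emits `Strict-Transport-Security: max-age=15724800; includeSubDomains; ` with a dangling `; ` at the end of the value, which is now the default output. RFC 6797 tolerates an empty directive after a separator, but the value is malformed-looking and header linters and security scanners commonly flag it. Move the separator inside the conditional so the header is well-formed in both cases: `more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $cfg.HSTSPreload }}; preload{{ end }}";`. The enclosing server block starts and ends outside the hunk.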