add hsts header from nginx proxy

Mefl · web-flow · commit d5de0d62b0a2 · 2024-10-29T14:58:29.000Z
diff --git a/admin/servers.conf.erb b/admin/servers.conf.erb
@@ -59,6 +59,14 @@ split_clients "${request_id}" $upstream_host {
   * <%= ENV['APP'].gsub(/^pix-[^-]+-/, "pix-api-") %>.<%= ENV['API_HOST_SUFFIX'] || 'scalingo.io' %>;
 }
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -119,6 +127,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
diff --git a/certif/servers.conf.erb b/certif/servers.conf.erb
@@ -59,6 +59,14 @@ split_clients "${request_id}" $upstream_host {
   * <%= ENV['APP'].gsub(/^pix-[^-]+-/, "pix-api-") %>.<%= ENV['API_HOST_SUFFIX'] || 'scalingo.io' %>;
 }
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -136,6 +144,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
diff --git a/junior/servers.conf.erb b/junior/servers.conf.erb
@@ -36,6 +36,14 @@ upstream api {
     server <%= ENV['APP'].gsub(/^pix-[^-]+-/, "pix-api-") %>.<%= ENV['API_HOST_SUFFIX'] || 'scalingo.io' %>:443 max_fails=<%= ENV['NGINX_UPSTREAM_MAX_FAILS'] || 3 %> fail_timeout=<%= ENV['NGINX_UPSTREAM_FAIL_TIMEOUT'] || '5s' %>;
 }
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -114,6 +122,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
diff --git a/mon-pix/servers.conf.erb b/mon-pix/servers.conf.erb
@@ -59,6 +59,14 @@ split_clients "${request_id}" $upstream_host {
   * <%= ENV['APP'].gsub(/^pix-[^-]+-/, "pix-api-") %>.<%= ENV['API_HOST_SUFFIX'] || 'scalingo.io' %>;
 }
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -143,6 +151,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
diff --git a/orga/servers.conf.erb b/orga/servers.conf.erb
@@ -59,6 +59,14 @@ split_clients "${request_id}" $upstream_host {
   * <%= ENV['APP'].gsub(/^pix-[^-]+-/, "pix-api-") %>.<%= ENV['API_HOST_SUFFIX'] || 'scalingo.io' %>;
 }
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -136,6 +144,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
diff --git a/servers.conf.erb b/servers.conf.erb
@@ -16,6 +16,14 @@ log_format keyvalue
 # as we are about to override it in the server directive here below
 access_log off;
 
+#add a catch all on http port to forward to the convenient https
+server {
+    listen 80 default_server;
+    server_name _;
+    add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
+    return 301 https://$host$request_uri;
+}
+
 server {
   access_log logs/access.log keyvalue;
   server_name localhost;
@@ -39,6 +47,7 @@ server {
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-XSS-Protection 1;
+  add_header Strict-Transport-Security "max-age=31536001; includeSubDomains; preload";
 
   <% ENV.each do |key,value|
     if key.start_with? 'ADD_HTTP_HEADER' %>
