Merge HSTS headers with TLS config

2025-01-03 06:27:58 -07:00 · 2025-01-03 06:27:58 -07:00 · 1ade01cd11
commit 1ade01cd11
parent 2e584825ff
7 changed files with 5 additions and 10 deletions
--- a/etc/nginx/conf.d/sites_miniflux.conf
+++ b/etc/nginx/conf.d/sites_miniflux.conf
@ -10,7 +10,6 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;

-    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/conf.d/sites_nextcloud.conf
+++ b/etc/nginx/conf.d/sites_nextcloud.conf
@ -10,7 +10,6 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;

-    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@ -10,7 +10,6 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;

-    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/conf.d/sites_vaultwarden.conf
+++ b/etc/nginx/conf.d/sites_vaultwarden.conf
@ -10,7 +10,6 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;

-    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/conf.d/tls.conf
+++ b/etc/nginx/conf.d/tls.conf
@ -19,6 +19,11 @@ ssl_session_ticket_key session-ticket-keys/3.key;
 ssl_session_ticket_key session-ticket-keys/2.key;
 ssl_session_ticket_key session-ticket-keys/1.key;

+# Enable HSTS header
+
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
 ## The following settings need to be declared manually per vhost:
 # ssl_certificate
 # ssl_certificate_key
--- a/etc/nginx/snippets/hsts.conf
+++ b/etc/nginx/snippets/hsts.conf
@ -1,5 +0,0 @@
-# Enable HSTS header
-# Only add this to server blocks with TLS
-
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
--- a/setup.sh
+++ b/setup.sh
@ -128,7 +128,6 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null

 sudo mkdir -p /etc/nginx/snippets
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null