Undo 1ade01c - Split HSTS headers again

nginx-module-headers-more requires third party repo
2025-01-03 07:08:15 -07:00 · 2025-01-03 07:08:15 -07:00 · 662d06a701
commit 662d06a701
parent a4dd4b6237
7 changed files with 10 additions and 0 deletions
--- a/etc/nginx/conf.d/default-quic.conf
+++ b/etc/nginx/conf.d/default-quic.conf
@ -6,6 +6,7 @@ server {

    server_name hostname.of.your.server;

+    include snippets/hsts.conf;
    include snippets/quic.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
--- a/etc/nginx/conf.d/sites_miniflux.conf
+++ b/etc/nginx/conf.d/sites_miniflux.conf
@ -10,6 +10,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;

+    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/conf.d/sites_nextcloud.conf
+++ b/etc/nginx/conf.d/sites_nextcloud.conf
@ -10,6 +10,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;

+    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@ -10,6 +10,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;

+    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/conf.d/sites_vaultwarden.conf
+++ b/etc/nginx/conf.d/sites_vaultwarden.conf
@ -10,6 +10,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;

+    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/cross-origin-security.conf;
    include snippets/quic.conf;
--- a/etc/nginx/snippets/hsts.conf
+++ b/etc/nginx/snippets/hsts.conf
@ -0,0 +1,4 @@
+# Enable HSTS header
+# Only add this to server blocks with TLS
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
--- a/setup.sh
+++ b/setup.sh
@ -125,6 +125,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null

 sudo mkdir -p /etc/nginx/snippets
+unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null