From 80613eea0ed7295f38d03f80afaf8eb35b5ba9e5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 18 Nov 2017 01:09:38 +0100
Subject: [PATCH] net/haproxy: support HSTS, refs #375

---
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        | 12 ++++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml      | 11 +++++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf  |  4 ++++
 3 files changed, 27 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index e9a1b33b5..3b1e3449a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -104,6 +104,18 @@
         <type>text</type>
         <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
     </field>
+    <field>
+        <id>frontend.ssl_hstsEnabled</id>
+        <label>Enable HSTS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HTTP Strict Transport Security.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_hstsMaxAge</id>
+        <label>HSTS max-age</label>
+        <type>text</type>
+        <help><![CDATA[Future requests to the domain should use only HTTPS for the specified time (in seconds): 15768000 = 6 months]]></help>
+    </field>
     <field>
         <label>Tuning Options</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index ae6724884..af366cdcb 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -348,6 +348,17 @@
                     <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
+                <ssl_hstsEnabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </ssl_hstsEnabled>
+                <ssl_hstsMaxAge type="IntegerField">
+                    <default>15768000</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>1000000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                    <Required>Y</Required>
+                </ssl_hstsMaxAge>
                 <tuning_maxConnections type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>500000</MaximumValue>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index d0aeb2f27..b6b70b8b0 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -607,6 +607,10 @@ frontend {{frontend.name}}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
 {%         endif %}
+{#         # HSTS #}
+{%         if frontend.ssl_hstsEnabled|default("") == '1' %}
+    http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}}
+{%         endif %}
 {%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}