net/haproxy: support additional HSTS options, refs #447

2026-06-09 08:56:23 -04:00 · 2018-01-12 22:52:41 +01:00 · 2018-01-12 22:52:41 +01:00 · d2e057782d
commit d2e057782d
parent 79d4a7c79f
3 changed files with 30 additions and 2 deletions
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@ -110,6 +110,18 @@
        <type>checkbox</type>
        <help><![CDATA[Enable HTTP Strict Transport Security.]]></help>
    </field>
+    <field>
+        <id>frontend.ssl_hstsIncludeSubDomains</id>
+        <label>HSTS includeSubDomains</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable if all present and future subdomains will be HTTPS.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_hstsPreload</id>
+        <label>HSTS preload</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable if you like this domain to be included in the HSTS preload list.]]></help>
+    </field>
    <field>
        <id>frontend.ssl_hstsMaxAge</id>
        <label>HSTS max-age</label>
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/HAProxy</mount>
-    <version>2.0.1</version>
+    <version>2.1.0</version>
    <description>
        the HAProxy load balancer
    </description>
@ -355,6 +355,14 @@
                    <default>1</default>
                    <Required>Y</Required>
                </ssl_hstsEnabled>
+                <ssl_hstsIncludeSubDomains type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </ssl_hstsIncludeSubDomains>
+                <ssl_hstsPreload type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </ssl_hstsPreload>
                <ssl_hstsMaxAge type="IntegerField">
                    <default>15768000</default>
                    <MinimumValue>1</MinimumValue>
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@ -608,7 +608,15 @@ frontend {{frontend.name}}
 {%           endif %}
 {#           # HSTS #}
 {%           if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
-    http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}}
+{%             set hsts_options = [] %}
+{%             do hsts_options.append('max-age=' ~ frontend.ssl_hstsMaxAge) %}
+{%             if frontend.ssl_hstsIncludeSubDomains|default("") == '1' %}
+{%               do hsts_options.append('; includeSubDomains') %}
+{%             endif %}
+{%             if frontend.ssl_hstsPreload|default("") == '1' %}
+{%               do hsts_options.append('; preload') %}
+{%             endif %}
+    http-response set-header Strict-Transport-Security "{{ hsts_options|join('') }}"
 {%           endif %}
 {%         endif %}
 {%       endif %}