nixos/nextcloud: Add option for max-age HSTS directive
* Add an option services.nextcloud.nginx.hstsMaxAge for setting the max-age directive of the Strict-Transport-Security HTTP header. * Make the Strict-Transport-Security HTTP header in the Nginx virtualhost block dependant upon the option services.nextcloud.https instead of services.nextcloud.nginx.recommendedHttpHeaders, as this header makes no sense when not using HTTPS. (Closes #169465)
This commit is contained in:
parent
c0b9099f13
commit
59244e07f0
@ -2514,6 +2514,16 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
|
||||
enabled.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The Nextcloud module now allows setting the value of the
|
||||
<literal>max-age</literal> directive of the
|
||||
<literal>Strict-Transport-Security</literal> HTTP header,
|
||||
which is now controlled by the
|
||||
<literal>services.nextcloud.https</literal> option, rather
|
||||
than <literal>services.nginx.recommendedHttpHeaders</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>spark3</literal> package has been updated from
|
||||
|
@ -892,6 +892,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- The Nextcloud module now supports to create a Mysql database automatically
|
||||
with `services.nextcloud.database.createLocally` enabled.
|
||||
|
||||
- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`.
|
||||
|
||||
- The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)):
|
||||
|
||||
- Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.
|
||||
|
@ -546,10 +546,23 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
nginx.recommendedHttpHeaders = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable additional recommended HTTP response headers";
|
||||
nginx = {
|
||||
recommendedHttpHeaders = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable additional recommended HTTP response headers";
|
||||
};
|
||||
hstsMaxAge = mkOption {
|
||||
type = types.ints.positive;
|
||||
default = 15552000;
|
||||
description = ''
|
||||
Value for the <code>max-age</code> directive of the HTTP
|
||||
<code>Strict-Transport-Security</code> header.
|
||||
|
||||
See section 6.1.1 of IETF RFC 6797 for detailed information on this
|
||||
directive and header.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -983,7 +996,9 @@ in {
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options sameorigin;
|
||||
add_header Referrer-Policy no-referrer;
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
''}
|
||||
${optionalString (cfg.https) ''
|
||||
add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always;
|
||||
''}
|
||||
client_max_body_size ${cfg.maxUploadSize};
|
||||
fastcgi_buffers 64 4K;
|
||||
|
Loading…
Reference in New Issue
Block a user