net/haproxy: support HSTS, refs opnsense#375

cquick97 · Nov 18, 2017 · 80613ee · 80613ee
1 parent f7afbc3
commit 80613ee
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -104,6 +104,18 @@
         <type>text</type>
         <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
     </field>
+    <field>
+        <id>frontend.ssl_hstsEnabled</id>
+        <label>Enable HSTS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HTTP Strict Transport Security.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_hstsMaxAge</id>
+        <label>HSTS max-age</label>
+        <type>text</type>
+        <help><![CDATA[Future requests to the domain should use only HTTPS for the specified time (in seconds): 15768000 = 6 months]]></help>
+    </field>
     <field>
         <label>Tuning Options</label>
         <type>header</type>

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -348,6 +348,17 @@
                     <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
+                <ssl_hstsEnabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </ssl_hstsEnabled>
+                <ssl_hstsMaxAge type="IntegerField">
+                    <default>15768000</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>1000000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                    <Required>Y</Required>
+                </ssl_hstsMaxAge>
                 <tuning_maxConnections type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>500000</MaximumValue>

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -607,6 +607,10 @@ frontend {{frontend.name}}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
 {%         endif %}
+{#         # HSTS #}
+{%         if frontend.ssl_hstsEnabled|default("") == '1' %}
+    http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}}
+{%         endif %}
 {%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}