7878#
7979nginx_legacy_initialize_flow () {
8080 info " Nginx: Enabling Flow site configuration ..."
81+
82+ addHeaderStrictTransportSecurity=" "
83+ if is_boolean_yes " ${NGINX_STRICT_TRANSPORT_SECURITY_ENABLE} " ; then
84+ if is_boolean_yes " ${NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD} " ; then
85+ info " Nginx: Enabling Strict Transport Security with preloading, max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ..."
86+ addHeaderStrictTransportSecurity=" add_header Strict-Transport-Security \" max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ; preload\" always;"
87+ else
88+ info " Nginx: Enabling Strict Transport Security without preloading, max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ..."
89+ addHeaderStrictTransportSecurity=" add_header Strict-Transport-Security \" max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} \" always;"
90+ fi
91+ fi
92+
8193 cat > " ${NGINX_CONF_PATH} /sites-enabled/site.conf" << -EOM
8294
8395server {
@@ -94,6 +106,7 @@ server {
94106 # allow .well-known/... in root
95107 location ~ ^/\\ .well-known/.+ {
96108 allow all;
109+ add_header Via '\$ hostname' always;
97110 }
98111
99112 # deny files starting with a dot (having "/." in the path)
@@ -108,7 +121,6 @@ server {
108121 access_log off;
109122 }
110123
111- add_header Via '\$ hostname';
112124EOM
113125
114126 if [ " ${NGINX_AUTH_BASIC_REALM} " != " off" ]; then
@@ -125,28 +137,15 @@ EOM
125137EOM
126138 fi
127139
128- if is_boolean_yes " ${NGINX_STRICT_TRANSPORT_SECURITY_ENABLE} " ; then
129- if is_boolean_yes " ${NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD} " ; then
130- info " Nginx: Enabling Strict Transport Security with preloading, max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ..."
131- cat >> " ${NGINX_CONF_PATH} /sites-enabled/site.conf" << -EOM
132- add_header Strict-Transport-Security "max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ; preload" always;
133- EOM
134- else
135- info " Nginx: Enabling Strict Transport Security without preloading, max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} ..."
136- cat >> " ${NGINX_CONF_PATH} /sites-enabled/site.conf" << -EOM
137- add_header Strict-Transport-Security "max-age=${NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE} " always;
138- EOM
139- fi
140- else
141- info " Nginx: Strict Transport Security header is disabled"
142- fi
143-
144140 cat >> " ${NGINX_CONF_PATH} /sites-enabled/site.conf" << -EOM
145141 location ~ \\ .php\$ {
146142 include fastcgi_params;
147143
148144 client_max_body_size 500M;
149145
146+ add_header Via '\$ hostname' always;
147+ ${addHeaderStrictTransportSecurity}
148+
150149 fastcgi_pass ${BEACH_PHP_FPM_HOST} :${BEACH_PHP_FPM_PORT} ;
151150 fastcgi_index index.php;
152151
188187 expires 3600;
189188 proxy_set_header Authorization "";
190189 add_header Via 'Beach Asset Proxy';
190+ ${addHeaderStrictTransportSecurity}
191191 proxy_pass http://storage.googleapis.com/${BEACH_GOOGLE_CLOUD_STORAGE_PUBLIC_BUCKET} /\$ 1\$ is_args\$ args;
192192 }
193193EOM
@@ -196,12 +196,15 @@ EOM
196196 location ~* ^/_Resources/Persistent/(.*)$ {
197197 access_log off;
198198 expires 3600;
199+ add_header Via '\$ hostname' always;
200+ ${addHeaderStrictTransportSecurity}
199201 try_files \$ uri @fallback;
200202 }
201203
202204 location @fallback {
203205 set \$ assetUri ${BEACH_PERSISTENT_RESOURCES_FALLBACK_BASE_URI} \$ 1;
204206 add_header Via 'Beach Asset Fallback';
207+ ${addHeaderStrictTransportSecurity}
205208 resolver 8.8.8.8;
206209 proxy_pass \$ assetUri;
207210 }
@@ -212,11 +215,13 @@ EOM
212215 cat >> " ${NGINX_CONF_PATH} /sites-enabled/site.conf" << -EOM
213216 # everything is tried as file first, then passed on to index.php (i.e. Flow)
214217 location / {
218+ add_header Via '\$ hostname' always;
215219 try_files \$ uri /index.php?\$ args;
216220 }
217221
218222 # for all static resources
219223 location ~ ^/_Resources/Static/ {
224+ add_header Via '\$ hostname' always;
220225 access_log off;
221226 expires 3600;
222227 }
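Review bot: The `location /` and `location ~ ^/_Resources/Static/` blocks in the last hunk, and the `.well-known` block further up, gain an `add_header Via` line but not `${addHeaderStrictTransportSecurity}`, so files served directly from them carry no Strict-Transport-Security header even when it is enabled. nginx inherits `add_header` from the enclosing level only when a block defines none of its own, and this commit also removes the block that previously appended the HSTS header outside the location blocks, apparently at server level. Adding `${addHeaderStrictTransportSecurity}` under each of those `Via` lines would keep the policy on every response. The removed `else` branch also dropped the "Strict Transport Security header is disabled" log line; an `else` on the new `is_boolean_yes` check near the top of the function could restore it. The function and the generated server block extend beyond the visible lines, so this holds only if the header is not emitted somewhere outside the hunks shown.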