Hi all,
for our current self-hosted Discourse instances, we need to add "includeSubDomains" to our STS headers, as this is an expectation of our internal scanners.
Previously I achieved this by using some sed commands in app.yml (in custom commands after build) to update /etc/nginx/conf.d/discourse.conf to include `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
as well as:
```yaml
- replace:
    filename: "/etc/nginx/conf.d/outlets/discourse/20-https.conf"
    from: /add_header Strict-Transport-Security.+/
    to: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    global: true
- replace:
    filename: "/etc/nginx/conf.d/outlets/server/20-https.conf"
    from: /add_header Strict-Transport-Security.+/
    to: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    global: true
```
This previously worked. However, this has stopped working. I read that creating a new outlet file should allow me to add this using:
```yaml
hooks:
  after_code:
    - file:
        path: /etc/nginx/conf.d/outlets/server/90-hsts.conf
        chmod: 444
        contents: |
          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
However, this ends up with two STS headers present (one from the SSL template and one from my new template). Is there a better way of doing this so I don't end up with two STS headers? I would have thought that nginx would respect the last header added and ignore the SSL template header, which just contains `max-age=31536000`, so is this a defect? Thanks for any guidance you can provide.
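As an added example (not from the post or from Discourse), a small Python check that parses a captured HTTP response and reports duplicate Strict-Transport-Security headers or headers lacking includeSubDomains; the response text is constructed to reproduce the two-header symptom described above.

```python
MIN_MAX_AGE = 31536000  # one year, the value used in the post

def parse_sts(value):
    """Split one HSTS header value into {directive: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def check_hsts(raw_response):
    """Return every STS header in a raw HTTP response plus policy findings."""
    # nginx emits one header per add_header directive in effect; a later
    # add_header never replaces an earlier one, hence the duplicate check.
    headers = [
        line.split(":", 1)[1].strip()
        for line in raw_response.splitlines()
        if line.lower().startswith("strict-transport-security:")
    ]
    findings = []
    if not headers:
        findings.append("missing Strict-Transport-Security header")
    if len(headers) > 1:
        findings.append(f"{len(headers)} Strict-Transport-Security headers present (expected 1)")
    for idx, value in enumerate(headers, 1):
        d = parse_sts(value)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append(f"header {idx}: max-age missing or not numeric")
        elif int(max_age) < MIN_MAX_AGE:
            findings.append(f"header {idx}: max-age {max_age} below {MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append(f"header {idx}: includeSubDomains missing")
    return {"headers": headers, "findings": findings, "ok": not findings}

# Constructed response reproducing the double-header symptom from the post;
# feed it the output of `curl -sI https://your-host/` for a real check.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in check_hsts(SAMPLE_RESPONSE)["findings"]:
        print(finding)
```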