Merge pull request 'Add HSTS headers' (#48) from hsts into main

Reviewed-on: coop-cloud/nextcloud#48
Reviewed-by: moritz <moritz@noreply.git.coopcloud.tech>

.env.sample

@@ -81,3 +81,9 @@ DEFAULT_QUOTA="10 GB"
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+
+# HSTS Options
+# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
+#HSTS_ENABLED=1
+# Uncomment this line to add the `preload` part
+#HSTS_PRELOAD=1

abra.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v7
+export NGINX_CONF_VERSION=v8
 export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
 export ENTRYPOINT_WHITEBOARD_VERSION=v1

compose.yml

@@ -12,6 +12,8 @@ services:
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
+      - HSTS_ENABLED
+      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

nginx.conf.tmpl

@@ -45,6 +45,13 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
+        {{ if eq (env "HSTS_ENABLED") "1" }}
+        {{ if eq (env "HSTS_PRELOAD") "1" }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        {{ else }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+        {{ end }}
+        {{ end }}
 
         # set max upload size
         client_max_body_size 512M;