Increase HSTS max age to one year

The HSTS preload list requires this now: https://hstspreload.org/
2018-02-07 12:42:36 +01:00 · 2018-02-07 12:42:36 +01:00 · 8f7acb0dde
commit 8f7acb0dde
parent 7edc8430dc
16 changed files with 35 additions and 35 deletions
--- a/files/fedora-cloud/haproxy.cfg
+++ b/files/fedora-cloud/haproxy.cfg
@ -68,44 +68,44 @@ defaults
 frontend neutron
  bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend neutron
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend cinder
  bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend cinder
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend swift
  bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend swift
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend nova
  bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend nova
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend ceilometer
  bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend ceilometer
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend ec2
  bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend ec2
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 frontend glance
  bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend glance
-  # HSTS (15768000 seconds = 6 months)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  # HSTS (31536000 seconds = 365 days)
+  rspadd  Strict-Transport-Security:\ max-age=31536000

 backend neutron
  server neutron 127.0.0.1:8696 check
--- a/roles/anitya/frontend/templates/0_releasemonitoring.conf
+++ b/roles/anitya/frontend/templates/0_releasemonitoring.conf
@ -9,7 +9,7 @@
   SSLEngine on
   SSLProtocol {{ ssl_protocols }}
   SSLCipherSuite {{ ssl_ciphers }}
-   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+   Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

   SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
   SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert
--- a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
+++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
@ -114,7 +114,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}

-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLHonorCipherOrder On

--- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2
+++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2
@ -4,7 +4,7 @@
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=15768000; preload"
+    Header always add Strict-Transport-Security "max-age=31536000; preload"

    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
@ -48,7 +48,7 @@
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=15768000; preload"
+    Header always add Strict-Transport-Security "max-age=31536000; preload"

    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
--- a/roles/distgit/pagure/templates/z_pagure.conf
+++ b/roles/distgit/pagure/templates/z_pagure.conf
@ -11,7 +11,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
 #  SSLEngine on
 #  SSLProtocol all -SSLv2 -SSLv3
 #  # Use secure TLSv1.1 and TLSv1.2 ciphers
-#  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+#  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

 #  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
 #  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@ -5,7 +5,7 @@ RequestHeader set X-Forwarded-Proto https early
 # Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
 # "includeSubdomains", because relying parties need to be able to access 
 # username.id.fedoraproject.org via plain HTTP 
-Header always add Strict-Transport-Security "max-age=15768000; preload" 
+Header always add Strict-Transport-Security "max-age=31536000; preload"

 RewriteEngine on

--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@ -55,7 +55,7 @@
  SSLCipherSuite {{ ssl_ciphers }}

 {% if sslonly %}
-  Header always add Strict-Transport-Security "max-age=15768000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
+  Header always add Strict-Transport-Security "max-age=31536000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
 {% endif %}
  Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>
--- a/roles/infinote/templates/infinote.fedoraproject.org.conf
+++ b/roles/infinote/templates/infinote.fedoraproject.org.conf
@ -75,7 +75,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  SSLCertificateKeyFile /etc/pki/tls/private/infinote.fedoraproject.org.key
  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert

-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLHonorCipherOrder On

--- a/roles/keyserver/templates/sks.conf
+++ b/roles/keyserver/templates/sks.conf
@ -49,14 +49,14 @@ NameVirtualHost *:443
        RewriteCond %{HTTPS} off
        RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
-        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+        Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 </VirtualHost>

 <VirtualHost *:443>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName keys.fedoraproject.org
 	ServerAlias keys02.fedoraproject.org
-        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+        Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/keys.fedoraproject.org/cert.pem
--- a/roles/kojipkgs/templates/kojipkgs.conf
+++ b/roles/kojipkgs/templates/kojipkgs.conf
@ -129,4 +129,4 @@ RewriteCond %{HTTP:X-Forwarded-For} !10.5.125.71
 RewriteRule ".*/.*openh264.*.(x86_64|armv7hl|i686|ppc64|ppc64le|aarch64|s390x).rpm$" "https://fedoraproject.org/wiki/non-distributable-rpms" [R=302,L]

 # Set HSTS header via HTTP since it cannot be easily set in squid, which terminates HTTPS
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
--- a/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2
+++ b/roles/nagios_server/templates/httpd/0_nagios-external.conf.j2
@ -9,7 +9,7 @@
   SSLEngine on
   SSLProtocol {{ ssl_protocols }}
   SSLCipherSuite {{ ssl_ciphers }}
-   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+   Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

   SSLCertificateFile /etc/pki/tls/certs/noc02.fedoraproject.org.cert
   SSLCertificateChainFile /etc/pki/tls/certs/noc02.fedoraproject.org.intermediate.cert
--- a/roles/nginx/templates/example_ssl.conf.2
+++ b/roles/nginx/templates/example_ssl.conf.2
@ -19,8 +19,8 @@
 #    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 #    ssl_prefer_server_ciphers on;
 #
-#    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-#    add_header Strict-Transport-Security max-age=15768000;
+#    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 365 days)
+#    add_header Strict-Transport-Security max-age=31536000;

 #    location / {
 #        root   /usr/share/nginx/html;
--- a/roles/pagure/frontend/templates/0_pagure.conf
+++ b/roles/pagure/frontend/templates/0_pagure.conf
@ -69,7 +69,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
@ -119,7 +119,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt
  SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt
@ -145,7 +145,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
--- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
+++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
@ -56,7 +56,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLCertificateFile    /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
@ -118,7 +118,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


  SSLCertificateFile    /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
--- a/roles/people/templates/people.conf
+++ b/roles/people/templates/people.conf
@ -34,7 +34,7 @@ NameVirtualHost *:80
  SSLCipherSuite {{ ssl_ciphers }}
  SSLProtocol {{ ssl_protocols }}

-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
 #  ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-error.log-%Y%m%d 86400 -l"
--- a/roles/ufmonitor/templates/ufmonitor.conf.j2
+++ b/roles/ufmonitor/templates/ufmonitor.conf.j2
@ -19,7 +19,7 @@
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
  # Use secure TLSv1.1 and TLSv1.2 ciphers
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLCertificateFile    /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem