author | Matthew Wild <mwild1@gmail.com> |
Sun, 03 Mar 2024 16:03:27 +0000 | |
changeset 5858 | fcfe490de8a4 |
parent 5419 | f8797e3284ff |
permissions | -rw-r--r-- |
861
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
-- HTTP Strict Transport Security |
5415
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
2 |
-- https://www.rfc-editor.org/info/rfc6797 |
861
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
|
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
module:set_global(); |
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
local http_server = require "net.http.server"; |
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
|
863
efa9c1676d1f
mod_strict_https: Correct underscore to hypen in max-age directive
Kim Alvefur <zash@zash.se>
parents:
861
diff
changeset
|
8 |
local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year" |
5419
f8797e3284ff
mod_strict_https: Add way to disable redirect
Kim Alvefur <zash@zash.se>
parents:
5415
diff
changeset
|
9 |
local redirect = module:get_option_boolean("hsts_redirect", true); |
861
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
|
5415
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
11 |
module:wrap_object_event(http_server._events, false, function(handlers, event_name, event_data) |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
12 |
local request, response = event_data.request, event_data.response; |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
13 |
if request and response then |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
14 |
if request.secure then |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
15 |
response.headers.strict_transport_security = hsts_header; |
5419
f8797e3284ff
mod_strict_https: Add way to disable redirect
Kim Alvefur <zash@zash.se>
parents:
5415
diff
changeset
|
16 |
elseif redirect then |
5415
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
17 |
-- This won't get the port number right |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
18 |
response.headers.location = "https://" .. request.host .. request.path .. (request.query and "?" .. request.query or ""); |
861
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
return 301; |
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 |
end |
1b34c8e46ffb
mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
end |
5415
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
22 |
return handlers(event_name, event_data); |
b3158647cb36
mod_strict_https: Update to use modern APIs instead of monkey patching
Kim Alvefur <zash@zash.se>
parents:
863
diff
changeset
|
23 |
end); |