FIX: HSTS header was overwrote by Referrer-Policy add_header

[discourse_docker.git] / templates / web.ssl.template.yml

diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index 7c358a932845c4d5e78124b73544919b73d6e45c..681abdc8bc90173fdb233b14d7c09a78f01348fd 100644 (file)
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -9,7 +9,7 @@ run:
      to: |
        server {
          listen 80;
-         rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;
+         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
        }
        server {
   - replace:
@@ -37,3 +37,9 @@ run:
        if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
           rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
        }
+  - replace:
+     filename: "/etc/nginx/conf.d/discourse.conf"
+     from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
+     to: |
+       add_header Referrer-Policy 'no-referrer-when-downgrade';
+       add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain