nginx: Don't hard-code the HPKP headers.

Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
author: Guilhem Moulin <guilhem@fripost.org> 2016-07-12 03:10:33 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-07-12 03:10:33 +0200
commit: ef430522256013665205cdda05636846cc622251 (patch)
tree: 0912b6175af9e97fa76aaf47613bd1926893dc67 /certs/hpkp-hdr.j2
parent: 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/certs/hpkp-hdr.j2 b/certs/hpkp-hdr.j2
new file mode 100644
index 0000000..0226b5c
--- /dev/null
+++ b/certs/hpkp-hdr.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% set tmpl = template_path | basename %}
+{% set pubkey = "certs/public/" + tmpl.rstrip("hpkp-hdr.j2") + ".pub" %}
+
+{%- set pins = [] %}
+{% for pk in [pubkey] + lookup('pipe', 'ls -1 '+pubkey+'.back*').splitlines() -%}
+    {%- set sha256 = lookup('pipe', 'openssl pkey -pubin -outform DER <'+pk+' | openssl dgst -sha256 -binary | base64') -%}
+    {%- set _ = pins.append('pin-sha256="' + sha256 + '"') -%}
+{%- endfor %}
+
+{%- if pins | length > 0 %}
+{% set directives = pins + ['max-age=3600'] %}
+add_header Public-Key-Pins '{{ directives | join('; ') }}';
+{% endif %}
author	Guilhem Moulin <guilhem@fripost.org>	2016-07-12 03:10:33 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-07-12 03:10:33 +0200
commit	ef430522256013665205cdda05636846cc622251 (patch)
tree	0912b6175af9e97fa76aaf47613bd1926893dc67 /certs/hpkp-hdr.j2
parent	4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)