diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /certs/hpkp-hdr.j2 | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'certs/hpkp-hdr.j2')
-rw-r--r-- | certs/hpkp-hdr.j2 | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/certs/hpkp-hdr.j2 b/certs/hpkp-hdr.j2 new file mode 100644 index 0000000..0226b5c --- /dev/null +++ b/certs/hpkp-hdr.j2 @@ -0,0 +1,16 @@ +# {{ ansible_managed }} +# Do NOT edit this file directly! + +{% set tmpl = template_path | basename %} +{% set pubkey = "certs/public/" + tmpl.rstrip("hpkp-hdr.j2") + ".pub" %} + +{%- set pins = [] %} +{% for pk in [pubkey] + lookup('pipe', 'ls -1 '+pubkey+'.back*').splitlines() -%} + {%- set sha256 = lookup('pipe', 'openssl pkey -pubin -outform DER <'+pk+' | openssl dgst -sha256 -binary | base64') -%} + {%- set _ = pins.append('pin-sha256="' + sha256 + '"') -%} +{%- endfor %} + +{%- if pins | length > 0 %} +{% set directives = pins + ['max-age=3600'] %} +add_header Public-Key-Pins '{{ directives | join('; ') }}'; +{% endif %} |