diff options
Diffstat (limited to 'certs/hpkp-hdr.j2')
| -rw-r--r-- | certs/hpkp-hdr.j2 | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/certs/hpkp-hdr.j2 b/certs/hpkp-hdr.j2 new file mode 100644 index 0000000..31cb81a --- /dev/null +++ b/certs/hpkp-hdr.j2 @@ -0,0 +1,16 @@ +# {{ ansible_managed }} +# Do NOT edit this file directly! + +{% set tmpl = template_path | basename %} +{% set pubkey = "certs/public/" + tmpl.rstrip("hpkp-hdr.j2") + ".pub" %} + +{%- set pins = [] %} +{% for pk in [pubkey] + lookup('pipe', 'ls -1 '+pubkey+'.back*').splitlines() -%} + {%- set sha256 = lookup('pipe', 'openssl pkey -pubin -outform DER <'+pk+' | openssl dgst -sha256 -binary | base64') -%} + {%- set _ = pins.append('pin-sha256="' + sha256 + '"') -%} +{%- endfor %} + +{%- if pins | length > 0 %} +{% set directives = pins + ['max-age=15768000'] %} +add_header Public-Key-Pins '{{ directives | join('; ') }}'; +{% endif %} |