Pull request 181: 2998-hsts
Squashed commit of the following:

commit 33f2a2f08b43dfe700703ad65e3d7a5b29bea309
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Aug 30 18:50:06 2023 +0300

    Encryption: imp hsts doc

commit 2d5f3155eb2d55a5654e3ba45872152175cedf76
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Aug 30 18:38:42 2023 +0300

    Configuration: HSTS
parent
b3490ee566
commit
b0627444f0
|
@ -651,6 +651,9 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
|
||||||
|
|
||||||
Must match one of the DNS Names in the certificate.
|
Must match one of the DNS Names in the certificate.
|
||||||
- `force_https`: If `true`, force HTTP-to-HTTPS redirect.
|
- `force_https`: If `true`, force HTTP-to-HTTPS redirect.
|
||||||
|
|
||||||
|
**Since v0.107.37,** this setting also sets the
|
||||||
|
[`Strict-Transport-Security`][hsts] header.
|
||||||
- `port_https`: The HTTPS port. Used for both web UI and DNS-over-HTTPS. If
|
- `port_https`: The HTTPS port. Used for both web UI and DNS-over-HTTPS. If
|
||||||
`0`, HTTPS is disabled.
|
`0`, HTTPS is disabled.
|
||||||
- `port_dns_over_tls`: The DNS-over-TLS port. If `0`, DNS-over-TLS is
|
- `port_dns_over_tls`: The DNS-over-TLS port. If `0`, DNS-over-TLS is
|
||||||
|
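Review bot: The sentence added under `force_https` says the setting now sets `Strict-Transport-Security`, but not which value is sent. Browsers cache the policy for the `max-age` period, so an operator who later sets `force_https` back to `false` or `port_https` to `0` can be left with clients that still refuse plain HTTP to the web UI. Please document the directives emitted (`max-age`, and whether `includeSubDomains` is present) and state that the effect persists in browsers after the setting is turned off.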
@ -718,13 +721,14 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
|
||||||
|
|
||||||
Removing an entry from settings file will reset it to the default value. Deleting the file will reset all settings to the default values.
|
Removing an entry from settings file will reset it to the default value. Deleting the file will reset all settings to the default values.
|
||||||
|
|
||||||
[DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP
|
[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html
|
||||||
[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt
|
[DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP
|
||||||
|
[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt
|
||||||
|
[`dnscrypt`]: https://github.com/ameshkov/dnscrypt
|
||||||
[docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration
|
[docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration
|
||||||
[`dnscrypt`]: https://github.com/ameshkov/dnscrypt
|
[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||||
[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html
|
[rfc6147]: https://datatracker.ietf.org/doc/html/rfc6147
|
||||||
[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants
|
[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants
|
||||||
[rfc6147]: https://datatracker.ietf.org/doc/html/rfc6147
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
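Review bot: The new `[hsts]` definition links to MDN, while the neighbouring protocol references (`[DDR]`, `[rfc6147]`) point at IETF documents; consider linking RFC 6797 as the normative definition of the header. The hunk also re-sorts the existing link definitions in the same change, which makes the one added line hard to spot in review.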
@ -217,13 +217,14 @@ Other HTTP headers may be supported by AdGuard Home in the future. However, any
|
||||||
headers-related feature requests should first be tried to be resolved by
|
headers-related feature requests should first be tried to be resolved by
|
||||||
configuring the reverse proxy itself.
|
configuring the reverse proxy itself.
|
||||||
|
|
||||||
For example, to implement the [HTTP Strict Transport Security][hsts] mechanism,
|
For example, to modify the [HTTP Strict Transport Security][hsts] mechanism to
|
||||||
something like the following piece of configuration might be used:
|
include the experimental `preload` directive, something like the following piece
|
||||||
|
of configuration might be used:
|
||||||
|
|
||||||
```nginx
|
```nginx
|
||||||
location /dns-query {
|
location /dns-query {
|
||||||
# …
|
# …
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
# …
|
# …
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
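Review bot: In the `location /dns-query` example, `add_header` appends a header and does not replace one coming from the upstream, so the text "modify" overstates what the snippet does. If the AdGuard Home instance behind the proxy already sends `Strict-Transport-Security` (the Configuration change says `force_https: true` does so since v0.107.37), the response will carry two HSTS headers and the `preload` variant may not be the one the client honours. Suggest showing `proxy_hide_header Strict-Transport-Security;` next to the `add_header` line, and noting that `preload` combined with `includeSubDomains` commits the whole domain and is slow to undo, which "experimental" alone does not convey.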