Merge pull request #48 from hartwork/hsts-preload-off-by-default

`Caddyfile.generate`: Make HSTS preloading optional and disabled by default

Author: hartwork

.github/workflows/expected-output.txt

@@ -12,7 +12,7 @@
 +example.org {
 +    import common
 +    reverse_proxy example-org:80 {
-+        header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
++        header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"
 +    }
 +}
 +

Caddyfile.generate

@@ -8,6 +8,7 @@ from argparse import ArgumentParser
 from collections import namedtuple
 from configparser import ConfigParser, NoOptionError
 from contextlib import suppress
+from operator import attrgetter
 from tempfile import NamedTemporaryFile
 from textwrap import dedent
 
@@ -19,17 +20,15 @@ class CaddyfileGenerator:
             "alias_domains",
             "backend_authority",
             "domain",
+            "hsts_preload",
         ],
     )
 
     def __init__(self):
-        self._redir_target_of = {}
-        self._backend_of = {}
+        self._sites = []
 
     def add(self, site):
-        self._backend_of[site.domain] = site.backend_authority
-        for domain in site.alias_domains:
-            self._redir_target_of[domain] = site.domain
+        self._sites.append(site)
 
     def write_to(self, fp):
         print(
@@ -44,33 +43,40 @@ class CaddyfileGenerator:
             file=fp,
         )
 
-        for domain, backend_authority in sorted(self._backend_of.items()):
-            if backend_authority is None:
-                continue
+        sites_with_backends: list[self.Site] = [
+            s for s in self._sites if s.backend_authority is not None
+        ]
+        sites_with_alias_domains: list[self.Site] = [s for s in self._sites if s.alias_domains]
+
+        for site in sorted(sites_with_backends, key=attrgetter("domain")):
+            hsts_header_value = "max-age=63072000; includeSubDomains"
+            if site.hsts_preload:
+                hsts_header_value += "; preload"
 
             print(
                 dedent("""
                     %s {
                         import common
                         reverse_proxy %s {
-                            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+                            header_down +Strict-Transport-Security "%s"
                         }
-                    }""")  # noqa: E501
-                % (domain, backend_authority),
-                file=fp,
-            )
-
-        for source_domain, target_domain in sorted(self._redir_target_of.items()):
-            print(
-                dedent("""
-                    %s {
-                        import common
-                        redir https://%s{uri}
                     }""")
-                % (source_domain, target_domain),
+                % (site.domain, site.backend_authority, hsts_header_value),
                 file=fp,
             )
 
+        for site in sorted(sites_with_alias_domains, key=attrgetter("domain")):
+            for alias_domain in sorted(site.alias_domains):
+                print(
+                    dedent("""
+                        %s {
+                            import common
+                            redir https://%s{uri}
+                        }""")
+                    % (alias_domain, site.domain),
+                    file=fp,
+                )
+
 
 def run(options):
     config = ConfigParser()
@@ -89,7 +95,9 @@ def run(options):
         except NoOptionError:
             backend_authority = None
 
-        site = CaddyfileGenerator.Site(alias_domains, backend_authority, domain)
+        hsts_preload = config.getboolean(domain, "hsts_preload", fallback=False)
+
+        site = CaddyfileGenerator.Site(alias_domains, backend_authority, domain, hsts_preload)
         caddyfile.add(site)
 
     with NamedTemporaryFile() as temp_file:

README.md

@@ -48,7 +48,7 @@ that I build upon prior to switching to
 
 # How to write the `sites.cfg` file
 
-The format is rather simple and has three options only.
+The format is rather simple and has four options only.
 Let's look at this example:
 
     [example.org]
@@ -64,7 +64,13 @@ content.  Here, `example-org` is the name of the Docker container that
 Docker DNS will let us access because we made both containers join external
 network `ssl-reverse-proxy` in their `docker-compose.yml` files.
 `aliases` is an optional list of domain names to have both HTTP and HTTPS
-redirect to master domain `example.org`.  That's it.
+redirect to master domain `example.org`.
+Adding `hsts_preload = true` is optional, defaults to false, and extends the
+[HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+response headers to
+[unlock addition to the browser preload list](https://hstspreload.org/#submission-requirements)
+at [https://hstspreload.org/](https://hstspreload.org/).
+That's it.
 
 The `Caddyfile` generated from that very `sites.cfg` would read:
 
@@ -79,7 +85,7 @@ The `Caddyfile` generated from that very `sites.cfg` would read:
     example.org {
         import common
         reverse_proxy example-org:80 {
-            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"
         }
     }