Caddyfile.generate: Make HSTS preloading optional and disabled by default

hartwork · hartwork · commit cdfe7653e940 · 2025-04-21T18:38:51.000+02:00
diff --git a/.github/workflows/expected-output.txt b/.github/workflows/expected-output.txt
@@ -12,7 +12,7 @@
 +example.org {
 +    import common
 +    reverse_proxy example-org:80 {
-+        header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
++        header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"
 +    }
 +}
 +
diff --git a/Caddyfile.generate b/Caddyfile.generate
@@ -20,6 +20,7 @@ class CaddyfileGenerator:
             "alias_domains",
             "backend_authority",
             "domain",
+            "hsts_preload",
         ],
     )
 
@@ -48,15 +49,19 @@ class CaddyfileGenerator:
         sites_with_alias_domains: list[self.Site] = [s for s in self._sites if s.alias_domains]
 
         for site in sorted(sites_with_backends, key=attrgetter("domain")):
+            hsts_header_value = "max-age=63072000; includeSubDomains"
+            if site.hsts_preload:
+                hsts_header_value += "; preload"
+
             print(
                 dedent("""
                     %s {
                         import common
                         reverse_proxy %s {
-                            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+                            header_down +Strict-Transport-Security "%s"
                         }
-                    }""")  # noqa: E501
-                % (site.domain, site.backend_authority),
+                    }""")
+                % (site.domain, site.backend_authority, hsts_header_value),
                 file=fp,
             )
 
@@ -90,7 +95,9 @@ def run(options):
         except NoOptionError:
             backend_authority = None
 
-        site = CaddyfileGenerator.Site(alias_domains, backend_authority, domain)
+        hsts_preload = config.getboolean(domain, "hsts_preload", fallback=False)
+
+        site = CaddyfileGenerator.Site(alias_domains, backend_authority, domain, hsts_preload)
         caddyfile.add(site)
 
     with NamedTemporaryFile() as temp_file:
diff --git a/README.md b/README.md
@@ -79,7 +79,7 @@ The `Caddyfile` generated from that very `sites.cfg` would read:
     example.org {
         import common
         reverse_proxy example-org:80 {
-            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+            header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`+example.org {`
`13`	`13`	`+ import common`
`14`	`14`	`+ reverse_proxy example-org:80 {`
`15`		`-+ header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"`
	`15`	`++ header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"`
`16`	`16`	`+ }`
`17`	`17`	`+}`
`18`	`18`	`+`
Original file line number	Diff line number	Diff line change
@@ -79,7 +79,7 @@ The `Caddyfile` generated from that very `sites.cfg` would read:
`79`	`79`	`example.org {`
`80`	`80`	`import common`
`81`	`81`	`reverse_proxy example-org:80 {`
`82`		`- header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"`
	`82`	`+ header_down +Strict-Transport-Security "max-age=63072000; includeSubDomains"`
`83`	`83`	`}`
`84`	`84`	`}`
`85`	`85`