NginxProxyManager
diff --git a/‎rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
Lines changed: 0 additions & 3 deletions b/‎rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
Lines changed: 0 additions & 3 deletions
diff --git a/‎src/backend/internal/dead-host.js
Lines changed: 21 additions & 18 deletions b/‎src/backend/internal/dead-host.js
Lines changed: 21 additions & 18 deletions
diff --git a/‎src/backend/internal/host.js
Lines changed: 31 additions & 2 deletions b/‎src/backend/internal/host.js
Lines changed: 31 additions & 2 deletions
diff --git a/‎src/backend/internal/proxy-host.js
Lines changed: 20 additions & 19 deletions b/‎src/backend/internal/proxy-host.js
Lines changed: 20 additions & 19 deletions
diff --git a/‎src/backend/internal/redirection-host.js
Lines changed: 21 additions & 18 deletions b/‎src/backend/internal/redirection-host.js
Lines changed: 21 additions & 18 deletions
diff --git a/‎src/backend/migrations/20190218060101_hsts.js
Lines changed: 53 additions & 0 deletions b/‎src/backend/migrations/20190218060101_hsts.js
Lines changed: 53 additions & 0 deletions
diff --git a/‎src/backend/schema/definitions.json
Lines changed: 10 additions & 0 deletions b/‎src/backend/schema/definitions.json
Lines changed: 10 additions & 0 deletions
@@ -7,6 +7,3 @@ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA
 ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
 S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;
-
-# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security max-age=15768000;
@@ -47,6 +47,7 @@ const internalDeadHost = {
             .then(() => {
                 // At this point the domains should have been checked
                 data.owner_user_id = access.token.getUserId(1);
+                data               = internalHost.cleanSslHstsData(data);
 
                 return deadHostModel
                     .query()
@@ -89,11 +90,11 @@ const internalDeadHost = {
 
                 // Add to audit log
                 return internalAuditLog.add(access, {
-                    action:      'created',
-                    object_type: 'dead-host',
-                    object_id:   row.id,
-                    meta:        data
-                })
+                        action:      'created',
+                        object_type: 'dead-host',
+                        object_id:   row.id,
+                        meta:        data
+                    })
                     .then(() => {
                         return row;
                     });
@@ -144,9 +145,9 @@ const internalDeadHost = {
 
                 if (create_certificate) {
                     return internalCertificate.createQuickCertificate(access, {
-                        domain_names: data.domain_names || row.domain_names,
-                        meta:         _.assign({}, row.meta, data.meta)
-                    })
+                            domain_names: data.domain_names || row.domain_names,
+                            meta:         _.assign({}, row.meta, data.meta)
+                        })
                         .then(cert => {
                             // update host with cert id
                             data.certificate_id = cert.id;
@@ -162,7 +163,9 @@ const internalDeadHost = {
                 // Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
                 data = _.assign({}, {
                     domain_names: row.domain_names
-                },data);
+                }, data);
+
+                data = internalHost.cleanSslHstsData(data, row);
 
                 return deadHostModel
                     .query()
@@ -171,27 +174,27 @@ const internalDeadHost = {
                     .then(saved_row => {
                         // Add to audit log
                         return internalAuditLog.add(access, {
-                            action:      'updated',
-                            object_type: 'dead-host',
-                            object_id:   row.id,
-                            meta:        data
-                        })
+                                action:      'updated',
+                                object_type: 'dead-host',
+                                object_id:   row.id,
+                                meta:        data
+                            })
                             .then(() => {
                                 return _.omit(saved_row, omissions());
                             });
                     });
             })
             .then(() => {
                 return internalDeadHost.get(access, {
-                    id:     data.id,
-                    expand: ['owner', 'certificate']
-                })
+                        id:     data.id,
+                        expand: ['owner', 'certificate']
+                    })
                     .then(row => {
                         // Configure nginx
                         return internalNginx.configure(deadHostModel, 'dead_host', row)
                             .then(new_meta => {
                                 row.meta = new_meta;
-                                row = internalHost.cleanRowCertificateMeta(row);
+                                row      = internalHost.cleanRowCertificateMeta(row);
                                 return _.omit(row, omissions());
                             });
                     });
 
@@ -1,11 +1,40 @@
-'use strict';
-
+const _                    = require('lodash');
 const proxyHostModel       = require('../models/proxy_host');
 const redirectionHostModel = require('../models/redirection_host');
 const deadHostModel        = require('../models/dead_host');
 
 const internalHost = {
 
+    /**
+     * Makes sure that the ssl_* and hsts_* fields play nicely together.
+     * ie: if there is no cert, then force_ssl is off.
+     *     if force_ssl is off, then hsts_enabled is definitely off.
+     *
+     * @param   {object} data
+     * @param   {object} [existing_data]
+     * @returns {object}
+     */
+    cleanSslHstsData: function (data, existing_data) {
+        existing_data = existing_data === undefined ? {} : existing_data;
+
+        let combined_data = _.assign({}, existing_data, data);
+
+        if (!combined_data.certificate_id) {
+            combined_data.ssl_forced    = false;
+            combined_data.http2_support = false;
+        }
+
+        if (!combined_data.ssl_forced) {
+            combined_data.hsts_enabled = false;
+        }
+
+        if (!combined_data.hsts_enabled) {
+            combined_data.hsts_subdomains = false;
+        }
+
+        return combined_data;
+    },
+
     /**
      * used by the getAll functions of hosts, this removes the certificate meta if present
      *
 
@@ -1,5 +1,3 @@
-'use strict';
-
 const _                   = require('lodash');
 const error               = require('../lib/error');
 const proxyHostModel      = require('../models/proxy_host');
@@ -47,6 +45,7 @@ const internalProxyHost = {
             .then(() => {
                 // At this point the domains should have been checked
                 data.owner_user_id = access.token.getUserId(1);
+                data               = internalHost.cleanSslHstsData(data);
 
                 return proxyHostModel
                     .query()
@@ -90,11 +89,11 @@ const internalProxyHost = {
 
                 // Add to audit log
                 return internalAuditLog.add(access, {
-                    action:      'created',
-                    object_type: 'proxy-host',
-                    object_id:   row.id,
-                    meta:        data
-                })
+                        action:      'created',
+                        object_type: 'proxy-host',
+                        object_id:   row.id,
+                        meta:        data
+                    })
                     .then(() => {
                         return row;
                     });
@@ -109,7 +108,7 @@ const internalProxyHost = {
      */
     update: (access, data) => {
         let create_certificate = data.certificate_id === 'new';
-
+console.log('PH UPDATE:', data);
         if (create_certificate) {
             delete data.certificate_id;
         }
@@ -145,9 +144,9 @@ const internalProxyHost = {
 
                 if (create_certificate) {
                     return internalCertificate.createQuickCertificate(access, {
-                        domain_names: data.domain_names || row.domain_names,
-                        meta:         _.assign({}, row.meta, data.meta)
-                    })
+                            domain_names: data.domain_names || row.domain_names,
+                            meta:         _.assign({}, row.meta, data.meta)
+                        })
                         .then(cert => {
                             // update host with cert id
                             data.certificate_id = cert.id;
@@ -165,28 +164,30 @@ const internalProxyHost = {
                     domain_names: row.domain_names
                 }, data);
 
+                data = internalHost.cleanSslHstsData(data, row);
+
                 return proxyHostModel
                     .query()
                     .where({id: data.id})
                     .patch(data)
                     .then(saved_row => {
                         // Add to audit log
                         return internalAuditLog.add(access, {
-                            action:      'updated',
-                            object_type: 'proxy-host',
-                            object_id:   row.id,
-                            meta:        data
-                        })
+                                action:      'updated',
+                                object_type: 'proxy-host',
+                                object_id:   row.id,
+                                meta:        data
+                            })
                             .then(() => {
                                 return _.omit(saved_row, omissions());
                             });
                     });
             })
             .then(() => {
                 return internalProxyHost.get(access, {
-                    id:     data.id,
-                    expand: ['owner', 'certificate', 'access_list']
-                })
+                        id:     data.id,
+                        expand: ['owner', 'certificate', 'access_list']
+                    })
                     .then(row => {
                         // Configure nginx
                         return internalNginx.configure(proxyHostModel, 'proxy_host', row)
 
@@ -47,6 +47,7 @@ const internalRedirectionHost = {
             .then(() => {
                 // At this point the domains should have been checked
                 data.owner_user_id = access.token.getUserId(1);
+                data               = internalHost.cleanSslHstsData(data);
 
                 return redirectionHostModel
                     .query()
@@ -89,11 +90,11 @@ const internalRedirectionHost = {
 
                 // Add to audit log
                 return internalAuditLog.add(access, {
-                    action:      'created',
-                    object_type: 'redirection-host',
-                    object_id:   row.id,
-                    meta:        data
-                })
+                        action:      'created',
+                        object_type: 'redirection-host',
+                        object_id:   row.id,
+                        meta:        data
+                    })
                     .then(() => {
                         return row;
                     });
@@ -144,9 +145,9 @@ const internalRedirectionHost = {
 
                 if (create_certificate) {
                     return internalCertificate.createQuickCertificate(access, {
-                        domain_names: data.domain_names || row.domain_names,
-                        meta:         _.assign({}, row.meta, data.meta)
-                    })
+                            domain_names: data.domain_names || row.domain_names,
+                            meta:         _.assign({}, row.meta, data.meta)
+                        })
                         .then(cert => {
                             // update host with cert id
                             data.certificate_id = cert.id;
@@ -162,7 +163,9 @@ const internalRedirectionHost = {
                 // Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
                 data = _.assign({}, {
                     domain_names: row.domain_names
-                },data);
+                }, data);
+
+                data = internalHost.cleanSslHstsData(data, row);
 
                 return redirectionHostModel
                     .query()
@@ -171,27 +174,27 @@ const internalRedirectionHost = {
                     .then(saved_row => {
                         // Add to audit log
                         return internalAuditLog.add(access, {
-                            action:      'updated',
-                            object_type: 'redirection-host',
-                            object_id:   row.id,
-                            meta:        data
-                        })
+                                action:      'updated',
+                                object_type: 'redirection-host',
+                                object_id:   row.id,
+                                meta:        data
+                            })
                             .then(() => {
                                 return _.omit(saved_row, omissions());
                             });
                     });
             })
             .then(() => {
                 return internalRedirectionHost.get(access, {
-                    id:     data.id,
-                    expand: ['owner', 'certificate']
-                })
+                        id:     data.id,
+                        expand: ['owner', 'certificate']
+                    })
                     .then(row => {
                         // Configure nginx
                         return internalNginx.configure(redirectionHostModel, 'redirection_host', row)
                             .then(new_meta => {
                                 row.meta = new_meta;
-                                row = internalHost.cleanRowCertificateMeta(row);
+                                row      = internalHost.cleanRowCertificateMeta(row);
                                 return _.omit(row, omissions());
                             });
                     });
 
@@ -0,0 +1,53 @@
+'use strict';
+
+const migrate_name = 'hsts';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+    logger.info('[' + migrate_name + '] Migrating Up...');
+
+    return knex.schema.table('proxy_host', function (proxy_host) {
+            proxy_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
+            proxy_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
+        })
+        .then(() => {
+            logger.info('[' + migrate_name + '] proxy_host Table altered');
+
+            return knex.schema.table('redirection_host', function (redirection_host) {
+                redirection_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
+                redirection_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
+            });
+        })
+        .then(() => {
+            logger.info('[' + migrate_name + '] redirection_host Table altered');
+
+            return knex.schema.table('dead_host', function (dead_host) {
+                dead_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
+                dead_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
+            });
+        })
+        .then(() => {
+            logger.info('[' + migrate_name + '] dead_host Table altered');
+        });
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+    logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+    return Promise.resolve(true);
+};
@@ -187,6 +187,16 @@
       "example": false,
       "type": "boolean"
     },
+    "hsts_enabled": {
+      "description": "Is HSTS Enabled",
+      "example": false,
+      "type": "boolean"
+    },
+    "hsts_subdomains": {
+      "description": "Is HSTS applicable to all subdomains",
+      "example": false,
+      "type": "boolean"
+    },
     "ssl_provider": {
       "type": "string",
       "pattern": "^(letsencrypt|other)$"