From b268713ba0cb031aa28406037242e6efabfec155 Mon Sep 17 00:00:00 2001 From: Maxime Jobin Date: Sun, 20 Dec 2015 20:50:30 -0500 Subject: [PATCH 1/4] Version change --- rocket-nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rocket-nginx.conf b/rocket-nginx.conf index 95e56ec..15072fc 100644 --- a/rocket-nginx.conf +++ b/rocket-nginx.conf @@ -10,7 +10,7 @@ # Tested with WP-Rocket version: 2.6.4 # Tested with NGINX: 1.8.0 (stable) # -# Version 1.0.1 +# Version 1.1 # ################################################################################################### From 36dd0690bbc1cd401649694e9dc1f131779fb663 Mon Sep 17 00:00:00 2001 From: Maxime Jobin Date: Sun, 20 Dec 2015 20:59:24 -0500 Subject: [PATCH 2/4] Update WP-Rocket test version. --- rocket-nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rocket-nginx.conf b/rocket-nginx.conf index 15072fc..64ee0d6 100644 --- a/rocket-nginx.conf +++ b/rocket-nginx.conf @@ -7,7 +7,7 @@ # Author: Maxime Jobin # URL: https://github.com/maximejobin/rocket-nginx # -# Tested with WP-Rocket version: 2.6.4 +# Tested with WP-Rocket version: 2.6.15 # Tested with NGINX: 1.8.0 (stable) # # Version 1.1 From d1005ab8ffd62d9fc2d19e42abfc6d668ef532c1 Mon Sep 17 00:00:00 2001 From: Maxime Jobin Date: Sun, 20 Dec 2015 21:00:57 -0500 Subject: [PATCH 3/4] Rename a variable to avoid conflicts. --- rocket-nginx.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rocket-nginx.conf b/rocket-nginx.conf index 64ee0d6..5db202c 100644 --- a/rocket-nginx.conf +++ b/rocket-nginx.conf 
@@ -24,7 +24,7 @@ set $rocket_encryption ""; # Is GZIP accepted by client ? set $rocket_file ""; # Filename to use set $rocket_is_bypassed "No"; # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass set $rocket_reason ""; # Reason why cache file was not used. If cache file is used, what file was used -set $https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS +set $rocket_https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS ################################################################################################### @@ -38,11 +38,11 @@ if ($http_accept_encoding ~ gzip) { # Is SSL request ? if ($https = "on") { - set $https_prefix "-https"; + set $rocket_https_prefix "-https"; } # File/URL to return IF we must bypass WordPress -set $rocket_url "/wp-content/cache/wp-rocket/$http_host/$request_uri/index$https_prefix.html$rocket_encryption"; +set $rocket_url "/wp-content/cache/wp-rocket/$http_host/$request_uri/index$rocket_https_prefix.html$rocket_encryption"; set $rocket_file "$document_root$rocket_url"; From 7805d759ad869a942bd921b588567618593304b1 Mon Sep 17 00:00:00 2001 From: Maxime Jobin Date: Sun, 20 Dec 2015 22:07:41 -0500 Subject: [PATCH 4/4] Add HSTS support --- rocket-nginx.conf | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/rocket-nginx.conf b/rocket-nginx.conf index 5db202c..381b1d9 100644 --- a/rocket-nginx.conf +++ b/rocket-nginx.conf @@ -15,6 +15,7 @@ ################################################################################################### set $rocket_debug 0; # Add debug information into header +set $rocket_hsts_value ""; # HTTP Strict Transport Security (if you want overwrite default) ################################################################################################### # Do not alter theses values 
@@ -22,9 +23,11 @@ set $rocket_debug 0; # Add debug information into header set $rocket_bypass 1; # Should NGINX bypass WordPress and call cache file directly ? set $rocket_encryption ""; # Is GZIP accepted by client ? set $rocket_file ""; # Filename to use -set $rocket_is_bypassed "No"; # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass +set $rocket_is_bypassed "No"; # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Bypass set $rocket_reason ""; # Reason why cache file was not used. If cache file is used, what file was used -set $rocket_https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS +set $rocket_https_prefix ""; # HTTPS prefix to use when cached files are using HTTPS +set $rocket_hsts 0; # Is HSTS is off (0) by default. Will be turned on (1) if request is HTTPS +set $rocket_hsts_value_default "max-age=31536000; includeSubDomains"; ################################################################################################### @@ -39,6 +42,17 @@ if ($http_accept_encoding ~ gzip) { # Is SSL request ? if ($https = "on") { set $rocket_https_prefix "-https"; + set $rocket_hsts 1; +} + +# If HSTS value is not set, use default value +if ($rocket_hsts_value = "") { + set $rocket_hsts_value "$rocket_hsts_value_default"; +} + +# If HSTS is disabled, unset HSTS set for Rocket-Nginx configuration +if ($rocket_hsts = "0") { + set $rocket_hsts_value ""; } # File/URL to return IF we must bypass WordPress @@ -101,6 +115,7 @@ location ~ /wp-content/cache/wp-rocket/.*html$ { add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed; add_header X-Rocket-Nginx-Reason $rocket_reason; add_header X-Rocket-Nginx-File $rocket_file; + add_header Strict-Transport-Security "$rocket_hsts_value"; expires 30d; } 
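Review bot: The default in `$rocket_hsts_value_default` carries `includeSubDomains`, so every site that includes this file and serves HTTPS pins all of its subdomains to HTTPS for a year, whether or not those subdomains offer TLS. A browser that has stored the policy cannot reach an HTTP-only subdomain until max-age runs out, and the operator never opted in to that. A narrower default such as `set $rocket_hsts_value_default "max-age=31536000";` would leave `includeSubDomains` to an explicit `$rocket_hsts_value`. The comment on `$rocket_hsts` would also read better as `# HSTS is off (0) by default. Turned on (1) if the request is HTTPS`.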
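Review bot: There is no way to switch the header off on an HTTPS site, because the `if ($rocket_hsts_value = "")` block replaces an empty setting with the default. A site that deliberately serves HTTPS without HSTS therefore still sends a one-year policy on every cached page. Making the user-editable line carry the default itself, `set $rocket_hsts_value "max-age=31536000; includeSubDomains";`, and dropping the empty-check block would let `""` mean "send nothing". Separately, `$https` is empty when TLS terminates on a proxy in front of nginx, so in that setup `$rocket_hsts` presumably stays 0 and cached pages never carry the header; a comment should say so.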
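Review bot: The line `add_header Strict-Transport-Security "$rocket_hsts_value";` relies on nginx omitting a header whose value is empty, and nothing in the file says so. That behaviour is what keeps the header off plain-HTTP responses. A comment above it such as `# Empty $rocket_hsts_value (plain HTTP): nginx sends no header` would stop a later edit from swapping the empty string for a placeholder value. The same line in the `_gzip$` location in the next hunk needs the same comment. The location block starts outside this hunk.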
@@ -114,6 +129,7 @@ location ~ /wp-content/cache/wp-rocket/.*_gzip$ { add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed; add_header X-Rocket-Nginx-Reason $rocket_reason; add_header X-Rocket-Nginx-File $rocket_file; + add_header Strict-Transport-Security "$rocket_hsts_value"; expires 30d; } @@ -122,6 +138,8 @@ add_header X-Rocket-Nginx-Bypass $rocket_is_bypassed; add_header X-Rocket-Nginx-Reason $rocket_reason; add_header X-Rocket-Nginx-File $rocket_file; +# No HSTS header added here. We suppose it's correctly added in the site configuration + ################################################################################################### # BROWSER CSS CACHE
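Review bot: The new comment assumes the site configuration sets HSTS for uncached responses, but it does not say that the two values have to agree. Cached pages send `$rocket_hsts_value` while every other response sends whatever the site configuration defines, and a browser keeps whichever policy it saw last. A mismatch in max-age or includeSubDomains therefore makes the effective policy depend on which page was visited most recently. I would extend the comment to `# No HSTS header added here; set it in the site configuration and keep $rocket_hsts_value identical to it.`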