Merge branch '2124-fix-hsts' into 'master'

Make HSTS configuration single-level

Closes #2124

See merge request !1423

doc/settings/nginx.md

@@ -304,8 +304,8 @@ GitLab instance even once it will remember to no longer attempt insecure connect
 even when user is explicitly entering `http://` url. Such url will be automatically redirected by the browser to `https://` variant.
 
 ```ruby
-nginx['hsts']['max_age'] = 31536000
-nginx['hsts']['include_subdomains'] = false
+nginx['hsts_max_age'] = 31536000
+nginx['hsts_include_subdomains'] = false
 ```
 
 By default `max_age` is set for one year, this is how long browser will remember to only connect through HTTPS. 

files/gitlab-config-template/gitlab.rb.template

@@ -752,8 +752,8 @@ external_url 'GENERATED_EXTERNAL_URL'
 
 ##! **Defaults to forcing web browsers to always communicate using only HTTPS**
 ##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security
-# nginx['hsts']['max_age'] = 31536000
-# nginx['hsts']['include_subdomains'] = false
+# nginx['hsts_max_age'] = 31536000
+# nginx['hsts_include_subdomains'] = false
 
 ##! **Override only if you use a reverse proxy**
 ##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -616,8 +616,8 @@ default['gitlab']['nginx']['real_ip_header'] = nil
 default['gitlab']['nginx']['real_ip_recursive'] = nil
 default['gitlab']['nginx']['server_names_hash_bucket_size'] = 64
 # HSTS
-default['gitlab']['nginx']['hsts']['max_age'] = 31536000
-default['gitlab']['nginx']['hsts']['include_subdomains'] = false
+default['gitlab']['nginx']['hsts_max_age'] = 31536000
+default['gitlab']['nginx']['hsts_include_subdomains'] = false
 
 ###
 # Nginx status

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -104,9 +104,9 @@ server {
 
   ## HSTS Config
   ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
-  <% unless @hsts['max_age'].nil? || @hsts['max_age'] <= 0 %>
-  add_header Strict-Transport-Security "max-age=<%= @hsts['max_age'] -%>
-<% if @hsts['include_subdomains'] %>; includeSubdomains<% end %>";
+  <% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
+  add_header Strict-Transport-Security "max-age=<%= @hsts_max_age -%>
+<% if @hsts_include_subdomains %>; includeSubdomains<% end %>";
   <% end %>
 
   ## Individual nginx logs for this GitLab vhost

spec/chef/recipes/nginx_spec.rb

@@ -333,7 +333,7 @@ describe 'nginx' do
 
   context 'when hsts is disabled' do
     before do
-      stub_gitlab_rb(nginx: { hsts: { max_age: 0 } })
+      stub_gitlab_rb(nginx: { hsts_max_age: 0  })
     end
     it { is_expected.not_to render_file(gitlab_http_config).with_content(/add_header Strict-Transport-Security/) }
   end
@@ -342,7 +342,7 @@ describe 'nginx' do
 
   context 'when include_subdomains is enabled' do
     before do
-      stub_gitlab_rb(nginx: { hsts: { include_subdomains: true } })
+      stub_gitlab_rb(nginx: { hsts_include_subdomains: true })
     end
 
     it { is_expected.to render_file(gitlab_http_config).with_content(/add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";/) }
@@ -350,7 +350,7 @@ describe 'nginx' do
 
   context 'when max-age is set to 10' do
     before do
-      stub_gitlab_rb(nginx: { hsts: { max_age: 10 } })
+      stub_gitlab_rb(nginx: { hsts_max_age: 10 })
     end
 
     it { is_expected.to render_file(gitlab_http_config).with_content(/"max-age=10[^"]*"/) }