feat(nginx): enforce HTTPS-only with HSTS

Add Strict-Transport-Security (max-age 1y, includeSubDomains) to every TLS
server block in both vhost templates. Combined with the existing port-80
301 redirect, browsers refuse plain HTTP to these names after first visit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-09 01:21:17 +02:00
parent 3185fea4c1
commit a6155819b6
2 changed files with 8 additions and 0 deletions

View File

@@ -34,6 +34,7 @@ server {
ssl_certificate ${APP_DIR}/certs/${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Launcher downloads (populated by tooling/fetch-launcher.sh -> ./mirror/launcher).
location /launcher/ {
@@ -56,6 +57,7 @@ server {
ssl_certificate ${APP_DIR}/certs/pack.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/pack.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Locally-hosted custom mod jars live outside ./pack; expose them at /custom/.
location /custom/ {
@@ -77,6 +79,7 @@ server {
ssl_certificate ${APP_DIR}/certs/auth.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/auth.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
client_max_body_size 4m; # skin uploads