Web security enhancements

* new dependency: libnginx-mod-http-headers-more-filter
* security headers in _general.conf (inherited to all vhosts)
* scheme-dependent Strict-Transport-Security header in nginx.conf

.templates/nginx/nginx.conf

@@ -3,6 +3,8 @@
 
 # Flags the  non 2xx or non 3xx (probably error) responses.
 map $status $errorlog_$PAR_PROXYPORT { ~^[23]  0; default 1; }
+# The STS header should only be sent over https.
+map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; }
 
 # Virtualhost's configuration follows.
 server {
@@ -67,11 +69,11 @@ server {
     #
     # Static service.
 #   location / {
-#	root $PAR_SERVICE/storage/volumes/staticweb/;
-#	allow all;
-#	autoindex off;
-#	index index.html index.htm;
-#	try_files $ri $uri/ =404;
+#       root $PAR_SERVICE/storage/volumes/staticweb/;
+#       allow all;
+#       autoindex off;
+#       index index.html index.htm;
+#       try_files $ri $uri/ =404;
 #   }
     #
     # No static service, but we may provide the OPTIONS for a potential DAV client.
@@ -104,14 +106,11 @@ server {
     ssl_prefer_server_ciphers off;
     ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
 
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html
-#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-#   add_header X-Frame-Options SAMEORIGIN;
-#   add_header X-Content-Type-Options nosniff;
+    # Activate it only in case of stable https service.
+#   more_set_headers "Strict-Transport-Security: $hsts_header_$PAR_PROXYPORT";
+#   ssl_stapling on;
+#   ssl_stapling_verify on;
 
 }
 
-# That's all.
+# That's all.