Merge pull request #16888 from pecameron/bz1501133

openshift-merge-robot · web-flow · commit 91ca5a49ead9 · 2017-10-17T23:17:14.000-07:00
Automatic merge from submit-queue (batch tested with PRs 16888, 16911, 16913, 16904). Router - hsts for "edge" or "reencrypt" only Suppress Strict-Transport-Security header for http requests It is only emitted for https. bug 1501133 https://bugzilla.redhat.com/show_bug.cgi?id=1501133 see comment #3
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -390,9 +390,11 @@ backend be_secure:{{$cfgIdx}}
     {{- end }}
   {{- end }}{{/* end disable cookies check */}}
 
-  {{- with $hsts := firstMatch $hstsPattern (index $cfg.Annotations "haproxy.router.openshift.io/hsts_header") }}
+  {{- if matchValues (print $cfg.TLSTermination) "edge" "reencrypt" }}
+    {{- with $hsts := firstMatch $hstsPattern (index $cfg.Annotations "haproxy.router.openshift.io/hsts_header") }}
   http-response set-header Strict-Transport-Security {{$hsts}}
-  {{- end }}{{/* hsts header */}}
+    {{- end }}{{/* hsts header */}}
+  {{- end }}{{/* is "edge" or "reencrypt" */}}
 
   {{- range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
     {{- if ne $weight 0 }}
