fix: 解决网站反向代理在开启 HTTPS 后 HSTS 配置失效的问题 (#3483)

Refs https://github.com/1Panel-dev/1Panel/issues/2067 Refs https://github.com/1Panel-dev/1Panel/issues/3152
2025-01-18 22:22:59 +08:00 · 2023-12-29 18:41:41 +08:00 · 2023-12-29 18:41:41 +08:00 · 4d19e3904b
commit 4d19e3904b
parent d9005bc937
3 changed files with 55 additions and 0 deletions
--- a/backend/app/service/website.go
+++ b/backend/app/service/website.go
@ -654,6 +654,13 @@ func (w WebsiteService) OpWebsiteHTTPS(ctx context.Context, req request.WebsiteH
 		res        response.WebsiteHTTPS
 		websiteSSL model.WebsiteSSL
 	)
+	nginxInstall, err := getAppInstallByKey(constant.AppOpenresty)
+	if err != nil {
+		return nil, err
+	}
+	if err = ChangeHSTSConfig(req.Enable, nginxInstall, website); err != nil {
+		return nil, err
+	}
 	res.Enable = req.Enable
 	res.SSLProtocol = req.SSLProtocol
 	res.Algorithm = req.Algorithm
@ -765,6 +772,7 @@ func (w WebsiteService) OpWebsiteHTTPS(ctx context.Context, req request.WebsiteH

 		res.SSL = websiteSSL
 	}
+
 	website.Protocol = constant.ProtocolHTTPS
 	if err := applySSL(website, websiteSSL, req); err != nil {
 		return nil, err
@ -1528,6 +1536,9 @@ func (w WebsiteService) OperateProxy(req request.WebsiteProxyConfig) (err error)
 	}
 	location.UpdateDirective("proxy_pass", []string{req.ProxyPass})
 	location.UpdateDirective("proxy_set_header", []string{"Host", req.ProxyHost})
+	if website.Protocol == constant.ProtocolHTTPS {
+		location.UpdateDirective("add_header", []string{"Strict-Transport-Security", "\"max-age=31536000\""})
+	}
 	location.ChangePath(req.Modifier, req.Match)
 	if req.Cache {
 		location.AddCache(req.CacheTime, req.CacheUnit)
--- a/backend/app/service/website_utils.go
+++ b/backend/app/service/website_utils.go
@ -10,7 +10,9 @@ import (
 	"github.com/1Panel-dev/1Panel/backend/utils/nginx/components"
 	"gopkg.in/yaml.v3"
 	"log"
+	"os"
 	"path"
+	"path/filepath"
 	"reflect"
 	"strconv"
 	"strings"
@ -836,3 +838,44 @@ func UpdateSSLConfig(websiteSSL model.WebsiteSSL) error {
 	}
 	return nil
 }
+
+func ChangeHSTSConfig(enable bool, nginxInstall model.AppInstall, website model.Website) error {
+	includeDir := path.Join(nginxInstall.GetPath(), "www", "sites", website.Alias, "proxy")
+	fileOp := files.NewFileOp()
+	if !fileOp.Stat(includeDir) {
+		return nil
+	}
+	err := filepath.Walk(includeDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() {
+			if filepath.Ext(path) == ".conf" {
+				par, err := parser.NewParser(path)
+				if err != nil {
+					return err
+				}
+				config := par.Parse()
+				config.FilePath = path
+				directives := config.Directives
+				location, ok := directives[0].(*components.Location)
+				if !ok {
+					return nil
+				}
+				if enable {
+					location.UpdateDirective("add_header", []string{"Strict-Transport-Security", "\"max-age=31536000\""})
+				} else {
+					location.RemoveDirective("add_header", []string{"Strict-Transport-Security", "\"max-age=31536000\""})
+				}
+				if err = nginx.WriteConfig(config, nginx.IndentedStyle); err != nil {
+					return buserr.WithErr(constant.ErrUpdateBuWebsite, err)
+				}
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
--- a/backend/utils/nginx/components/config.go
+++ b/backend/utils/nginx/components/config.go
@ -47,6 +47,7 @@ var repeatKeys = map[string]struct {
 	"location":         {},
 	"include":          {},
 	"sub_filter":       {},
+	"add_header":       {},
 }

 func IsRepeatKey(key string) bool {