Implement global settings for https redirect

data/hooks/conf_regen/15-nginx

@@ -60,6 +60,7 @@ do_pre_regen() {
   main_domain=$(cat /etc/yunohost/current_host)
 
   # Support different strategy for security configurations
+  export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')"
   export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
   export experimental="$(yunohost settings get 'security.experimental.enabled')"
   ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"

data/templates/nginx/server.tpl.conf

@@ -14,10 +14,6 @@ server {
 
     include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
 
-    location /yunohost {
-        return 301 https://$http_host$request_uri;
-    }
-
     location ^~ '/.well-known/ynh-diagnosis/' {
         alias /tmp/.well-known/ynh-diagnosis/;
     }
@@ -26,6 +22,12 @@ server {
         alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
     }
 
+    {% if redirect_to_https != "False" %}
+    location / {
+        return 301 https://$http_host$request_uri;
+    }
+    {% endif %}
+
     access_log /var/log/nginx/{{ domain }}-access.log;
     error_log /var/log/nginx/{{ domain }}-error.log;
 }

locales/en.json

@@ -334,6 +334,7 @@
     "global_settings_key_doesnt_exists": "The key '{settings_key}' does not exist in the global settings, you can see all the available keys by running 'yunohost settings list'",
     "global_settings_reset_success": "Previous settings now backed up to {path}",
     "global_settings_setting_pop3_enabled": "Enable the POP3 protocol for the mail server",
+    "global_settings_setting_security_nginx_redirect_to_https": "Redirect HTTP requests to HTTPs by default (DO NOT TURN OFF unless you really know what you're doing!)",
     "global_settings_setting_security_nginx_compatibility": "Compatibility vs. security tradeoff for the web server NGINX. Affects the ciphers (and other security-related aspects)",
     "global_settings_setting_security_password_admin_strength": "Admin password strength",
     "global_settings_setting_security_password_user_strength": "User password strength",

src/yunohost/settings.py

@@ -76,6 +76,13 @@ DEFAULTS = OrderedDict(
             "security.ssh.port",
             {"type": "int", "default": 22},
         ),
+        (
+            "security.nginx.redirect_to_https",
+            {
+                "type": "bool",
+                "default": True,
+            },
+        ),
         (
             "security.nginx.compatibility",
             {
@@ -392,6 +399,7 @@ def trigger_post_change_hook(setting_name, old_value, new_value):
 
 
 @post_change_hook("ssowat.panel_overlay.enabled")
+@post_change_hook("security.nginx.redirect_to_https")
 @post_change_hook("security.nginx.compatibility")
 @post_change_hook("security.webadmin.allowlist.enabled")
 @post_change_hook("security.webadmin.allowlist")