
Standardize Apache's 301 redirect to HTTPS, and enable HSTS

Luke Cyca 11 years ago
parent
commit
37a0400c22

+ 2
- 2
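--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -2,7 +2,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    Redirect / https://{{ domain }}/
+    Redirect permanent / https://{{ domain }}/
 </VirtualHost>
 
 
@@ -14,10 +14,10 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html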
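Review bot: The HSTS line in the second hunk uses `Header add`, which only applies to 2xx responses and appends a second header if anything else in the server also emits Strict-Transport-Security; `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"` covers error and redirect responses from this vhost too and guarantees a single header. The same line is added in the owncloud and roundcube templates in this commit, so the change applies there as well. Separately, because this vhost is the apex `{{ domain }}`, `includeSubdomains` commits every subdomain to HTTPS with a valid certificate for the six-month max-age; the other vhosts on the page already redirect to HTTPS, but any HTTP-only subdomain not visible here would become unreachable for browsers that have seen this header, so that is worth confirming before deploying.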

+ 4
- 0
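--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -44,6 +44,10 @@
   command: a2dissite default removes=/etc/apache2/sites-enabled/default
   notify: restart apache
 
+- name: Enable Apache headers module
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
+  notify: restart apache
+
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl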
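Review bot: The new task is correctly idempotent through `creates=`, but the three vhost templates changed in this commit now contain a `Header` directive that Apache rejects as an unknown directive unless mod_headers is loaded, so this task must run before any role that templates those sites and triggers the restart handler. Whether the common role is ordered ahead of the blog, owncloud and webmail roles is not visible in this file; if it is not, either move this task into a shared dependency or repeat it in each of those roles. A one-line comment above the task, `# Required by the Strict-Transport-Security Header directive in the site templates`, would record why the module is needed.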

+ 7
- 1
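--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -1,3 +1,9 @@
+<VirtualHost *:80>
+    ServerName {{ owncloud_domain }}
+
+    Redirect permanent / https://{{ owncloud_domain }}/
+</VirtualHost>
+
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
@@ -5,10 +11,10 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes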

+ 4
- 6
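--- a/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
+++ b/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
@@ -1,10 +1,7 @@
 <VirtualHost *:80> 
     ServerName {{ webmail_domain }}
- 
-    RewriteEngine on 
-    RewriteCond %{SERVER_PORT} !^443$ 
-    RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] 
- 
+
+    Redirect permanent / https://{{ webmail_domain }}/
 </VirtualHost>
 
 <VirtualHost *:443>
@@ -14,10 +11,11 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration
     #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/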
