Bläddra i källkod

Standardize apache’s 301 redirect to https, and enable HSTS

Luke Cyca 11 år sedan
förälder
incheckning
37a0400c22

+ 2
- 2
roles/blog/templates/etc_apache2_sites-available_blog.j2 Visa fil

@@ -2,7 +2,7 @@
2 2
     ServerName {{ domain }}
3 3
     ServerAlias www.{{ domain }}
4 4
 
5
-    Redirect / https://{{ domain }}/
5
+    Redirect permanent / https://{{ domain }}/
6 6
 </VirtualHost>
7 7
 
8 8
 
@@ -14,10 +14,10 @@
14 14
     SSLProtocol ALL -SSLv2
15 15
     SSLHonorCipherOrder On
16 16
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
17
-
18 17
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
19 18
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
20 19
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
20
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
21 21
 
22 22
     DocumentRoot            "/var/www/{{ domain }}"
23 23
     DirectoryIndex          index.html

+ 4
- 0
roles/common/tasks/main.yml Visa fil

@@ -44,6 +44,10 @@
44 44
   command: a2dissite default removes=/etc/apache2/sites-enabled/default
45 45
   notify: restart apache
46 46
 
47
+- name: Enable Apache headers module
48
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
49
+  notify: restart apache
50
+
47 51
 - include: encfs.yml tags=encfs
48 52
 - include: users.yml tags=users
49 53
 - include: ssl.yml tags=ssl

+ 7
- 1
roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2 Visa fil

@@ -1,3 +1,9 @@
1
+<VirtualHost *:80>
2
+    ServerName {{ owncloud_domain }}
3
+
4
+    Redirect permanent / https://{{ owncloud_domain }}/
5
+</VirtualHost>
6
+
1 7
 <VirtualHost *:443>
2 8
     ServerName {{ owncloud_domain }}
3 9
 
@@ -5,10 +11,10 @@
5 11
     SSLProtocol ALL -SSLv2
6 12
     SSLHonorCipherOrder On
7 13
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
8
-
9 14
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
10 15
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
11 16
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
17
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
12 18
 
13 19
     DocumentRoot            /var/www/owncloud
14 20
     Options                 -Indexes

+ 4
- 6
roles/webmail/templates/etc_apache2_sites-available_roundcube.j2 Visa fil

@@ -1,10 +1,7 @@
1 1
 <VirtualHost *:80> 
2 2
     ServerName {{ webmail_domain }}
3
- 
4
-    RewriteEngine on 
5
-    RewriteCond %{SERVER_PORT} !^443$ 
6
-    RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] 
7
- 
3
+
4
+    Redirect permanent / https://{{ webmail_domain }}/
8 5
 </VirtualHost>
9 6
 
10 7
 <VirtualHost *:443>
@@ -14,10 +11,11 @@
14 11
     SSLProtocol ALL -SSLv2
15 12
     SSLHonorCipherOrder On
16 13
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
17
-
18 14
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
19 15
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
20 16
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
17
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
18
+
21 19
     # Those aliases do not work properly with several hosts on your apache server
22 20
     # Uncomment them to use it or adapt them to your configuration
23 21
     #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/

Laddar…
Avbryt
Spara