Standardize apache’s 301 redirect to https, and enable HSTS

roles/blog/templates/etc_apache2_sites-available_blog.j2

     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    Redirect / https://{{ domain }}/
+    Redirect permanent / https://{{ domain }}/
 </VirtualHost>
 
 
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html

roles/common/tasks/main.yml

   command: a2dissite default removes=/etc/apache2/sites-enabled/default
   notify: restart apache
 
+- name: Enable Apache headers module
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
+  notify: restart apache
+
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl

roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2

+<VirtualHost *:80>
+    ServerName {{ owncloud_domain }}
+
+    Redirect permanent / https://{{ owncloud_domain }}/
+</VirtualHost>
+
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes

roles/webmail/templates/etc_apache2_sites-available_roundcube.j2

 <VirtualHost *:80> 
     ServerName {{ webmail_domain }}
- 
-    RewriteEngine on 
-    RewriteCond %{SERVER_PORT} !^443$ 
-    RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] 
- 
+
+    Redirect permanent / https://{{ webmail_domain }}/
 </VirtualHost>
 
 <VirtualHost *:443>
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration
     #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/