
Standardize apache’s 301 redirect to https, and enable HSTS

Luke Cyca 11 years ago
parent
commit
37a0400c22

+ 2
- 2
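--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -2,7 +2,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    Redirect / https://{{ domain }}/
+    Redirect permanent / https://{{ domain }}/
 </VirtualHost>
 
 
@@ -14,10 +14,10 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html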
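Review bot: The HSTS line added in the second hunk uses `Header add`, which appends a second copy if any other scope already emits the header and, without the `always` condition, is not attached to Apache's locally generated error responses (a 404 or 500 page served over TLS would then carry no HSTS); `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"` is the usual form. Because this vhost's ServerName is the apex `{{ domain }}`, `includeSubdomains` commits every browser that visits it to HTTPS for every subdomain for the six-month max-age, so confirm that no subdomain (mail hosts, test hosts, anything outside this playbook) is still reachable over plain HTTP before rolling it out, as the pin cannot be undone remotely once cached. The same `Header add` line is added to the owncloud and roundcube templates in the sections below and the same remark applies there.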

+ 4
- 0
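--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -44,6 +44,10 @@
   command: a2dissite default removes=/etc/apache2/sites-enabled/default
   notify: restart apache
 
+- name: Enable Apache headers module
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
+  notify: restart apache
+
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl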
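Review bot: The new task enables mod_headers in the common role, but its only consumer is the `Header` directive added to the blog, owncloud and webmail vhost templates in other roles, and nothing in this file records that dependency; if one of those roles is ever applied without common, or ordered before it, Apache rejects the vhost config with an unknown-directive error. A one-line comment above the task, `# Required by the Strict-Transport-Security Header directive in the blog/owncloud/webmail vhost templates`, would make the ordering explicit. If the Ansible version in use ships the `apache2_module` module, `apache2_module: name=headers state=present` would replace the `command`/`creates` pair and stay idempotent without hard-coding the mods-enabled path.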

+ 7
- 1
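--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -1,3 +1,9 @@
+<VirtualHost *:80>
+    ServerName {{ owncloud_domain }}
+
+    Redirect permanent / https://{{ owncloud_domain }}/
+</VirtualHost>
+
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
@@ -5,10 +11,10 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes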
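Review bot: The SSL stanza this section touches, from `SSLProtocol ALL -SSLv2` through the new `Header add Strict-Transport-Security` line, is now identical in the blog, owncloud and roundcube templates, so the next cipher-list, protocol or max-age change has to be made in three places and is easy to miss in one. Consider rendering those shared directives from a single template into one snippet under `/etc/apache2` and pulling it into each `:443` vhost with an `Include` line, leaving only ServerName, DocumentRoot and the per-application directives in the role templates. The `<VirtualHost *:443>` block in the second hunk continues past the end of the hunk.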

+ 4
- 6
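--- a/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
+++ b/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
@@ -1,10 +1,7 @@
 <VirtualHost *:80> 
     ServerName {{ webmail_domain }}
- 
-    RewriteEngine on 
-    RewriteCond %{SERVER_PORT} !^443$ 
-    RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] 
- 
+
+    Redirect permanent / https://{{ webmail_domain }}/
 </VirtualHost>
 
 <VirtualHost *:443>
@@ -14,10 +11,11 @@
     SSLProtocol ALL -SSLv2
     SSLHonorCipherOrder On
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration
     #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/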
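Review bot: The rewritten `:80` block in the first hunk still carries a trailing space on the unchanged `<VirtualHost *:80> ` line and adds a bare blank line before `Redirect permanent`, so it is not yet textually the same as the blog and owncloud redirect blocks this commit sets out to standardize; trimming the trailing whitespace on line 1 makes the three blocks identical apart from the domain variable. It is worth recording in the template, or in a follow-up commit message, that the old `RewriteRule` built its target from `%{SERVER_NAME}`, which with the default `UseCanonicalName Off` appears to come from the client's Host header, whereas the new target is the fixed `{{ webmail_domain }}`; that is a deliberate hardening, not just a simplification, and a comment such as `# fixed target: do not derive the redirect host from the request` would keep a later edit from reverting it. The `<VirtualHost *:443>` block in the second hunk continues beyond the hunk.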
