User Tools

Site Tools


apache:setting_up_hsts_in_apache

Ubuntu - Apache - Setting up HSTS in Apache

Edit your apache configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:

/etc/apache2/sites-enabled/website.conf
# Optionally load the headers module:
LoadModule headers_module modules/mod_headers.so
 
<VirtualHost 67.89.123.45:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>

Now your website will set the header every time someone visits, with an expiration date of two years (in seconds). It sets it at every visit. So tomorrow, it will say two years again.

You do have to set it on the HTTPS vhost only. It cannot be in the HTTP vhost.

To redirect your visitors to the HTTPS version of your website, use the following configuration:

<VirtualHost *:80>
  [...]
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>
If you only redirect, you dont even need a document root.

You can also use modrewrite, however the above method is simpler and safer. However, modrewrite below redirects the user to the page they were visiting over https, the above config just redirects to /:

<VirtualHost *:80>
  [...]
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>
</VirtualHost>

And don't forget to restart Apache.

apache/setting_up_hsts_in_apache.txt · Last modified: 2022/06/14 08:13 by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki