Differences

This shows you the differences between two versions of the page.

--- apache:setting_up_hsts_in_apache [2019/11/29 16:19] – removed peter
+++ apache:setting_up_hsts_in_apache [2022/06/14 08:13] (current) – created peter
@@ Line 1: / Line 1: @@
+===== Ubuntu - Apache - Setting up HSTS in Apache =====
+Edit your **apache** configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:
+<file apache /etc/apache2/sites-enabled/website.conf>
+# Optionally load the headers module:
+LoadModule headers_module modules/mod_headers.so
+<VirtualHost 67.89.123.45:443>
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+</VirtualHost>
+</file>
+Now your website will set the header every time someone visits, with an expiration date of two years (in seconds).  It sets it at every visit.  So tomorrow, it will say two years again.
+You do have to set it on the HTTPS vhost only.  It cannot be in the HTTP vhost.
+To redirect your visitors to the HTTPS version of your website, use the following configuration:
+<file apache>
+<VirtualHost *:80>
+  [...]
+  ServerName example.com
+  Redirect permanent / https://example.com/
+</VirtualHost>
+If you only redirect, you dont even need a document root.
+</file>
+You can also use **modrewrite**, however the above method is simpler and safer.  However, modrewrite below redirects the user to the page they were visiting over https, the above config just redirects to /:
+<file apache>
+<VirtualHost *:80>
+  [...]
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+  </IfModule>
+</VirtualHost>
+</file>
+And don't forget to restart Apache.