Enable HSTS for all apache served SSL sites
authorTom Hughes <tom@compton.nu>
Mon, 24 Nov 2014 19:08:42 +0000 (19:08 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 9 Dec 2014 14:56:24 +0000 (14:56 +0000)
cookbooks/apache/recipes/ssl.rb
cookbooks/apache/templates/default/ssl.erb

index 700e10e..8efbe03 100644 (file)
@@ -29,6 +29,7 @@ apache_module "socache_shmcb" do
 end
 
 apache_module "ssl"
+apache_module "headers"
 
 apache_conf "ssl" do
   template "ssl.erb"
index 1124f66..6248699 100644 (file)
@@ -8,10 +8,14 @@ SSLCipherSuite aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5
 SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
 SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
 SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
-<% if node[:lsb][:release].to_f >= 14.04 -%>
 
+<% if node[:lsb][:release].to_f >= 14.04 -%>
 SSLUseStapling On
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
+
+Header setifempty Strict-Transport-Security max-age=86400 env=HTTPS
+<% else -%>
+Header set Strict-Transport-Security max-age=86400 env=HTTPS
 <% end -%>