From 3ce3f0c3311b306f9808355397ee43424f14aa31 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 24 Nov 2014 19:08:42 +0000
Subject: [PATCH] Enable HSTS for all apache served SSL sites

---
 cookbooks/apache/recipes/ssl.rb | 1 +
 cookbooks/apache/templates/default/ssl.erb | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cookbooks/apache/recipes/ssl.rb b/cookbooks/apache/recipes/ssl.rb
index 700e10e4a..8efbe03d2 100644
--- a/cookbooks/apache/recipes/ssl.rb
+++ b/cookbooks/apache/recipes/ssl.rb
@@ -29,6 +29,7 @@ apache_module "socache_shmcb" do
 end
 apache_module "ssl"
+apache_module "headers"
 apache_conf "ssl" do
 template "ssl.erb"
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 1124f66d8..62486999d 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -8,10 +8,14 @@ SSLCipherSuite aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5
 SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
 SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
 SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
-<% if node[:lsb][:release].to_f >= 14.04 -%>
+<% if node[:lsb][:release].to_f >= 14.04 -%>
 SSLUseStapling On
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
+
+Header setifempty Strict-Transport-Security max-age=86400 env=HTTPS
+<% else -%>
+Header set Strict-Transport-Security max-age=86400 env=HTTPS
 <% end -%>
--
2.43.2
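Review bot: Both new `Header` directives in ssl.erb omit the `always` condition, so as I read mod_headers they act only on the on-success response table and Strict-Transport-Security would not be sent on redirects or error responses, which is often the very first HTTPS exchange a client sees; `Header always setifempty Strict-Transport-Security max-age=86400 env=HTTPS` and `Header always set Strict-Transport-Security max-age=86400 env=HTTPS` would cover those responses as well. The one-day max-age is a reasonable rollout value, but nothing in the template records that it is provisional; a line such as `# HSTS: one-day max-age is a deliberately cautious starting point - raise it once every SSL host is known to stay on HTTPS` above the directive would stop the next editor from treating it as the final policy. On the pre-14.04 branch `Header set` also replaces any stricter HSTS header an application behind this vhost already emits, which differs from the `setifempty` branch and deserves a comment at the `<% else -%>`. The `env=HTTPS` guard is right and should be kept, since HSTS must never be emitted on plain HTTP.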