httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] How to skip setting HSTS header for certain virtual hosts only?
Date Tue, 07 Oct 2014 06:04:04 GMT
On Tue, Oct 7, 2014 at 9:22 AM, Eddie B <eddie@mattermedia.com> wrote:

> I set HSTS for HTTPS only, using this directive at the beginning of
> httpd.conf (apache 2.2)
>
>
>
> <IfModule mod_headers.c>
>
> Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
> env=HTTPS
>
> </IfModule>
>
>
>
> How can I tell Apache to not set HSTS for specific virtual hosts (using
> some type of IF statement) using one global directive (instead of unsetting
> inside the specific vhost’s conf)?
>
>
>
> Thanks
>

Try the following untested though:

SetEnvIF Host "domain1.*|domain2.*|domain[6-8].*" AllowDomain
SetEnvIF AllowDomain HTTPS HEADER_PROCESSING=1
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
env=HEADER_PROCESSING
</IfModule>

It's based on the fact that SetEnvIF[NoCase] can set|unset variables based
on the value of previously processed variables by SetEnvIF[NoCase]
command(s) in the same directives scope. Having said that maybe the HTTPS
needs to be replaced with another env var set by SetEnvIF[NoCase] command
too instead of the built in Apache env var that I used in the example.

Mime
View raw message