httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <>
Subject Re: [users@httpd] How to skip setting HSTS header for certain virtual hosts only?
Date Tue, 07 Oct 2014 06:04:04 GMT
On Tue, Oct 7, 2014 at 9:22 AM, Eddie B <> wrote:

> I set HSTS for HTTPS only, using this directive at the beginning of
> httpd.conf (apache 2.2)
> <IfModule mod_headers.c>
> Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
> env=HTTPS
> </IfModule>
> How can I tell Apache to not set HSTS for specific virtual hosts (using
> some type of IF statement) using one global directive (instead of unsetting
> inside the specific vhost’s conf)?
> Thanks

Try the following untested though:

SetEnvIF Host "domain1.*|domain2.*|domain[6-8].*" AllowDomain
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

It's based on the fact that SetEnvIF[NoCase] can set|unset variables based
on the value of previously processed variables by SetEnvIF[NoCase]
command(s) in the same directives scope. Having said that maybe the HTTPS
needs to be replaced with another env var set by SetEnvIF[NoCase] command
too instead of the built in Apache env var that I used in the example.

View raw message