httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zoltán Halassy <cf0...@gmail.com>
Subject [users@httpd] VirtualHost conditionless HSTS
Date Thu, 13 Nov 2014 13:13:30 GMT
Hello!

Working with Apache 2.4.

I wanted to configure an https host with HSTS:

<VirtualHost *:443>
    [...]
    Header set Strict-Transport-Security "max-age=31556952"
    <Directory "/var/www/...">
        Require all granted
        [...]
    </Directory>
    [...]
</VirtualHost>

This works fine. However as soon as I require HTTP authentication on
apache level, the Header directive stops working for unauthenticated
users. Even if I provide "early" after the directive:

    Header set Strict-Transport-Security "max-age=31556952"
    <Directory "/var/www/...">
        Require valid-user
        AuthType ...
        [...]
    </Directory>

or

    Header set Strict-Transport-Security "max-age=31556952" early
    <Directory "/var/www/...">
        Require valid-user
        AuthType ...
        [...]
    </Directory>

Neither provides the HSTS header to an unauthenticated user. Is there
a simple way to inject the HSTS (or any) header to unauthenticated
users?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message