How To: Enable HSTS on Vhosts and Over 2443
HTTP Strict Transport Security (HSTS) is a standard that ensures browsers always connect to a website over HTTPS.
Detailed information on HSTS can be found here: https://https.cio.gov/hsts/.
Information on how to check if HSTS is enabled can be found here: https://www.namecheap.com/support/knowledgebase/article.aspx/9711/38/how-to-check-if-hsts-is-enabled/.
To Add HSTS to a Single Domain

1. Log in to the server at the CLI as root, either via SSH or from the terminal.

2. At the CLI, navigate to /home/{unixuser}/var/{domain.com}/apache, replacing {unixuser} and {domain.com} with the corresponding information:

   cd /home/{unixuser}/var/{domain.com}/apache

3. Using a text editor, create a file called secure.conf. The following example uses the Vim text editor:

   vim secure.conf

4. Add the following line:

   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

5. Save the file, and exit the text editor.

6. Restart Apache:

   systemctl restart httpd
To Add HSTS to All Vhosts

1. Log in to the server at the CLI as root, either via SSH or from the terminal.

2. At the CLI, run the following to edit a customized copy of the vhost template. Customizing the template prevents the change from being overwritten when InterWorx is updated:

   ~iworx/bin/config.pex --customize-template http/vhost/single-vhost.tpl --for-global

3. Edit the {if $IS_SSL} section so that it adds the header, as follows:

   {if $IS_SSL}
       Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
       {$Config->include('http/vhost/ssl')}
   {/if}

4. Save the file and exit the text editor.

5. Re-write the vhosts using the following command:

   Note: It is recommended to back up all vhosts prior to running this command.

   ~iworx/bin/httpd.pex --write-vhosts-all

6. Check for syntax errors:

   httpd -t

7. Restart Apache:

   systemctl restart httpd
To Add HSTS Over Port 2443

1. Log in to the server at the CLI as root, either via SSH or from the terminal.

2. At the CLI, use a text editor to open /home/interworx/etc/httpd/httpd-custom.conf. The following example uses the Vim text editor:

   vim /home/interworx/etc/httpd/httpd-custom.conf

3. At line 85, inside the <IfDefine SSL> block, add the following:

   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

   The section will then look similar to the following:

   <IfDefine SSL>
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
       AddType application/x-x509-ca-cert .crt
       AddType application/x-pkcs7-crl .crl

4. Restart InterWorx:

   systemctl restart iworx
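All three procedures above (single domain, all vhosts, and the InterWorx interface on port 2443) come down to the same thing: the server must send a well-formed Strict-Transport-Security header on its HTTPS responses. The following Python script is an added example, not part of this page or of InterWorx, that parses a header value as RFC 6797 defines it (directive names are case-insensitive, so the includeSubdomains and includeSubDomains spellings used above are equivalent), reports malformed values, and says whether the value meets the preload-list requirements assumed here (max-age of at least 31536000 seconds, includeSubDomains and preload). The fetch_headers helper, the host name and the port arguments are placeholders for a live check against your own server; the demo at the bottom runs offline on constructed sample responses carrying the two header values from this page.

```python
"""Check that a Strict-Transport-Security header is present and well-formed.

Added example (not part of this page or of InterWorx). Parses the header per
RFC 6797 and evaluates it against the preload-list requirements assumed below.
"""
import http.client
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed preload-list requirement: max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems

    @property
    def preload_eligible(self) -> bool:
        return (self.valid and self.max_age is not None
                and self.max_age >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a value such as 'max-age=63072000; includeSubdomains; preload'.

    Directive names are case-insensitive (RFC 6797 section 6.1). Unknown
    directives are ignored; a duplicate directive, a missing max-age or a
    non-numeric max-age makes the header invalid.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # a quoted value such as max-age="300" is permitted
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.problems.append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if "max-age" not in seen:
        policy.problems.append("max-age directive is required")
    return policy


def check_headers(headers: Dict[str, str]) -> HstsPolicy:
    """Find the header case-insensitively in a response-header mapping and parse it."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    policy = HstsPolicy()
    policy.problems.append("Strict-Transport-Security header missing")
    return policy


def fetch_headers(host: str, port: int = 443, path: str = "/") -> Dict[str, str]:
    """HEAD request over TLS; returns the response headers (placeholder live check).

    Browsers only honour HSTS received over HTTPS, so the request is made over
    HTTPS. Pass port=2443 to test the InterWorx interface.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses: the two header values used on this page,
    # plus a server that does not send the header at all.
    samples = {
        "vhost (port 443)": {
            "Server": "Apache",
            "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload"},
        "interface (port 2443)": {
            "Server": "Apache",
            "strict-transport-security": "max-age=31536000; includeSubDomains"},
        "not configured": {"Server": "Apache"},
    }
    for label, hdrs in samples.items():
        p = check_headers(hdrs)
        print(f"{label}: valid={p.valid} max_age={p.max_age} "
              f"subdomains={p.include_subdomains} preload_eligible={p.preload_eligible} "
              f"{'; '.join(p.problems)}")
```

Two points worth keeping in mind when reading the result. Browsers ignore the header on plain-HTTP responses, which is why the procedures above place it inside the {if $IS_SSL} and <IfDefine SSL> sections; run the check over HTTPS only. And includeSubdomains extends the policy to every subdomain, while preload commits the domain to browser preload lists that are slow to leave, so confirm that every subdomain serves valid HTTPS before enabling those directives, which is what the preload_eligible flag above is meant to prompt.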