From 2ac8a57d0562139f7e624ffd7b4f65996bf798ae Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Thu, 12 Feb 2015 21:52:36 +0100
Subject: [PATCH] Set HSTS header in TLS vhost
---
 roles/httpd/website/templates/website.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index abdc8dc2fe..e07264ff54 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -14,7 +14,6 @@
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 {% else %}
 Include "conf.d/{{ name }}/*.conf"
 {% endif %}
@@ -46,6 +45,9 @@
 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+{% if sslonly %}
+ Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+{% endif %}
 Include "conf.d/{{ name }}/*.conf"
 {% endif %}
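Review bot: The line added in the second hunk uses `Header always add`, which appends another Strict-Transport-Security header if any file pulled in by the following `Include "conf.d/{{ name }}/*.conf"` already emits one. RFC 6797 has user agents process only the first such header, so the effective policy would then depend on ordering. `Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"` keeps a single value from this template. Since `includeSubDomains; preload` commits every subdomain of each `sslonly` site to HTTPS and is slow to reverse, a template comment above `{% if sslonly %}` saying so would help whoever enables the flag for a new site. The TLS vhost block starts outside this hunk, so whether anything earlier in it already sets the header cannot be confirmed from here.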