From 7d179ed9dc441e4d692b50f374f0d583850b112b Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 1 Dec 2015 21:34:46 +0000
Subject: [PATCH] Merge patch to enable HSTS on id.fp.o. #4991

Signed-off-by: Patrick Uiterwijk
---
 roles/httpd/reverseproxy/templates/reversepassproxy.id.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
index 16259286c3..c453cb5358 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@@ -2,6 +2,12 @@ RequestHeader unset Expect early
 RequestHeader set X-Forwarded-Scheme https early
 RequestHeader set X-Forwarded-Proto https early
+# Cannot redirect to HTTPS for *.id.fedoraproject.org or set
+# "includeSubdomains", because relying parties need to be able to access
+# username.id.fedoraproject.org via plain HTTP
+Header always add Strict-Transport-Security "max-age=15768000; preload"
+
+
 RewriteEngine on
 RewriteMap lowercase int:tolower
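Review bot: The `preload` token on the added `Strict-Transport-Security` line does not fit the constraint stated in the comment above it: the browser preload list requires `includeSubDomains` and an HTTP-to-HTTPS redirect, both of which the comment rules out, so the token cannot take effect and only signals a consent to preloading that the site cannot honour. I would drop it and use `set` rather than `add`, so that a second directive in the same configuration cannot emit a duplicate header: `Header always set Strict-Transport-Security "max-age=15768000"`. The vhost that includes this template is outside the hunk; browsers ignore HSTS received over plain HTTP, so it is worth confirming the template is only pulled into the TLS vhost.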