Add hsts and redirect to https for keys. Ticket 4960

2015-12-01 17:58:02 +00:00 · 2015-12-01 17:58:02 +00:00 · a73d331bbf
commit a73d331bbf
parent 53f7d90e77
1 changed files with 6 additions and 4 deletions
--- a/roles/keyserver/files/sks.conf
+++ b/roles/keyserver/files/sks.conf
@ -40,11 +40,13 @@ NameVirtualHost *:443
 <VirtualHost *:80>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName keys.fedoraproject.org
-        ProxyPass / http://127.0.0.1:11371/
-        ProxyPassReverse / http://127.0.0.1:11371/
-        SetEnv proxy-nokeepalive 1
-	ProxyVia Full
+        RewriteEngine On
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+        # Set HSTS header via HTTP since it cannot be easily set in squid, which terminates HTTPS
+        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 </VirtualHost>
+
 <VirtualHost *:443>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName keys.fedoraproject.org