Do not includeSubDomains for id.fp.o STS

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

playbooks/include/proxies-websites.yml

@@ -661,6 +661,7 @@
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
     SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
+    stssubdomains: false
     tags:
     - id.fedoraproject.org
 
@@ -670,6 +671,7 @@
     - "*.id.fedoraproject.org"
     # Must not be sslonly, because example.id.fedoraproject.org must be reachable
     # via plain http for openid identity support
+    sslonly: false
     cert_name: wildcard-2017.id.fedoraproject.org
     SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
     tags:

roles/httpd/website/defaults/main.yml

@@ -9,3 +9,4 @@ ssl: true
 sslonly: false
 SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
 gzip: false
+stssubdomains: true

roles/httpd/website/templates/website.conf

@@ -55,7 +55,7 @@
   SSLCipherSuite {{ ssl_ciphers }}
 
 {% if sslonly %}
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=15768000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
 {% endif %}
   Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>