From e1bb4e64a4edb9e6475baecbbb131cc89080161b Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 24 Nov 2017 22:49:05 +0000
Subject: [PATCH] Do not includeSubDomains for id.fp.o STS
Signed-off-by: Patrick Uiterwijk
---
playbooks/include/proxies-websites.yml | 2 ++
roles/httpd/website/defaults/main.yml | 1 +
roles/httpd/website/templates/website.conf | 2 +-
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index f1b2678b0d..9edc2aaade 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -661,6 +661,7 @@ sslonly: true
cert_name: "{{wildcard_cert_name}}"
SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
+ stssubdomains: false
tags:
- id.fedoraproject.org
@@ -670,6 +671,7 @@
- "*.id.fedoraproject.org"
# Must not be sslonly, because example.id.fedoraproject.org must be reachable
# via plain http for openid identity support
+ sslonly: false
cert_name: wildcard-2017.id.fedoraproject.org
SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
tags:
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 8ad299dd7a..3bc85e5b70 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -9,3 +9,4 @@ ssl: true
sslonly: false
SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
gzip: false
+stssubdomains: true
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index f66c349295..81a476b5a5 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
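Review bot: The new `stssubdomains: false` on the id.fedoraproject.org entry carries no explanation, while the reason is only given in the neighbouring `*.id.fedoraproject.org` entry's comment; relaxing HSTS scope is a security-relevant decision that a future reader is otherwise likely to "fix" by reverting it. Suggest a comment directly above the new key: `# No includeSubDomains: *.id.fedoraproject.org must stay reachable over plain http (openid), see the next entry`. The role entry this key belongs to starts outside the hunk.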
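Review bot: The new default `stssubdomains: true` in roles/httpd/website/defaults/main.yml is undocumented, and its effect is conditional on `sslonly`, since the template in this same commit only emits the Strict-Transport-Security header inside `{% if sslonly %}`. Suggest `# Add includeSubDomains to the Strict-Transport-Security header; only takes effect when sslonly is true` above the line, so that setting it on a non-sslonly site is understood to be a no-op rather than a misconfiguration.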
@@ -55,7 +55,7 @@ SSLCipherSuite {{ ssl_ciphers }}
{% if sslonly %}
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+ Header always add Strict-Transport-Security "max-age=15768000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
{% endif %}
Include "conf.d/{{ name }}/*.conf"
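Review bot: With `stssubdomains` false the added line emits `max-age=15768000; preload`, but the HSTS preload list requires includeSubDomains, so the `preload` token is not eligible in that configuration and only signals an intent the site cannot honour. Consider tying both tokens to the same switch: `Header always add Strict-Transport-Security "max-age=15768000{% if stssubdomains %}; includeSubDomains; preload{% endif %}"`. Note too that if a parent domain is already preloaded with includeSubDomains, browsers will enforce HTTPS on these subdomains regardless of this header — that is inferred from how preload works, not visible in the hunk, and worth confirming before relying on plain-http reachability. The surrounding vhost block begins and ends outside the hunk.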