Re: Adding HSTS or custom headers on redirect

2015-02-16 Thread Jan Jezek
Same problem here. Even worse because we want to redirect prefix instead of
a static location. So we cannot use the fake backend hack.




Re: Adding HSTS or custom headers on redirect

2014-12-13 Thread Samuel Reed
Pavlos Parissis writes:

> On 2 December 2014 at 09:17, Samuel Reed wrote:
>
> I'm running the latest 1.5 release.
>
> Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
> all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
> the HSTS header MUST be present on the redirect from https://example.com
> to https://www.example.com. I am using configuration like:
>
> rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> redirect prefix https://www.example.com code 301 if \
> { hdr(host) -i example.com }
>
> For whatever reason, even when the rspadd line is before the redirect, no
> headers are added to the redirect, making this impossible. I've considered
> a fake backend with a fake 503 file to get around this - something like:
>
> HTTP/1.1 301 Moved Permanently
> Cache-Control: no-cache
> Content-Length: 0
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> Location: https://www.example.com/
> Connection: close
>
> While this will work, it feels really hacky. Is there a better way to add a
> header on a redirect?
>
> Have a look at the thread 'add response header based on presence of request
> header', your case matches the case I mentioned there.
>
> Cheers,
> Pavlos

Hi Pavlos - unfortunately this does not match my use case,
I always want to send the HSTS header, it is not dependent 
on the request. I just need to ensure that this 
header is *always* sent, even on a redirect.





Re: Adding HSTS or custom headers on redirect

2014-12-02 Thread Pavlos Parissis
On 2 December 2014 at 09:17, Samuel Reed wrote:

> I'm running the latest 1.5 release.
>
> Our site runs primarily on the `www` subdomain, but we want to enable HSTS
> for all subdomains (includeSubdomains). Unfortunately, due to the way HSTS
> works, the HSTS header MUST be present on the redirect from
> https://example.com to https://www.example.com. I am using configuration like:
>
> rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> redirect prefix https://www.example.com code 301 if \
> { hdr(host) -i example.com }
>
> For whatever reason, even when the rspadd line is before the redirect, no
> headers are added to the redirect, making this impossible. I've considered
> a fake backend with a fake 503 file to get around this - something like:
>
> HTTP/1.1 301 Moved Permanently
> Cache-Control: no-cache
> Content-Length: 0
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> Location: https://www.example.com/
> Connection: close
>
> While this will work, it feels really hacky. Is there a better way to add a
> header on a redirect?
>
>
Have a look at the thread 'add response header based on presence of request
header', your case matches the case I mentioned there.

Cheers,
Pavlos


Adding HSTS or custom headers on redirect

2014-12-02 Thread Samuel Reed
I'm running the latest 1.5 release.

Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
the HSTS header MUST be present on the redirect from https://example.com to 
https://www.example.com. I am using configuration like:

rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
redirect prefix https://www.example.com code 301 if \
{ hdr(host) -i example.com }

For whatever reason, even when the rspadd line is before the redirect, no 
headers are added to the redirect, making this impossible. I've considered 
a fake backend with a fake 503 file to get around this - something like: 

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Location: https://www.example.com/
Connection: close

While this will work, it feels really hacky. Is there a better way to add a
header on a redirect?

Thanks
Sam
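
Added example (not part of the original thread and not HAProxy code): a Python check that a redirect response from the bare domain carries an HSTS policy covering subdomains, which is the condition the post above depends on. The function names are hypothetical and both sample responses are constructed: WITHOUT_HSTS models the redirect with no header added, WITH_HSTS is the 503-file response quoted in the post.

```python
def parse_head(raw):
    """Split a raw HTTP response head into (status, {lowercased name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value):
    """Parse Strict-Transport-Security directives (names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_apex_redirect(raw):
    """Return a list of problems; an empty list means the policy is present."""
    status, headers = parse_head(raw)
    problems = []
    if status not in (301, 302, 303, 307, 308):
        problems.append("not a redirect")
    values = headers.get("strict-transport-security", [])
    if not values:
        return problems + ["no Strict-Transport-Security header on this response"]
    policy = parse_hsts(values[0])  # RFC 6797: only the first header field is processed
    if not policy["max_age"]:
        problems.append("max-age missing or zero")  # max-age=0 removes the policy
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    return problems

# Constructed sample responses (see lead-in).
_BASE = ("HTTP/1.1 301 Moved Permanently\r\nCache-Control: no-cache\r\n"
         "Content-Length: 0\r\n{hsts}Location: https://www.example.com/\r\n"
         "Connection: close\r\n\r\n")
WITHOUT_HSTS = _BASE.format(hsts="")
WITH_HSTS = _BASE.format(
    hsts="Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n")

if __name__ == "__main__":
    for label, raw in (("without", WITHOUT_HSTS), ("with", WITH_HSTS)):
        print(label, check_apex_redirect(raw) or "ok")
```

The same check can be pointed at a response head captured from the live redirect on https://example.com to confirm the header actually reaches clients.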