Re: Adding HSTS or custom headers on redirect
Same problem here. Even worse because we want to redirect prefix instead of a static location. So we cannot use the fake backend hack.
Re: Adding HSTS or custom headers on redirect
Pavlos Parissis writes:
> On 2 December 2014 at 09:17, Samuel Reed wrote:
> > I'm running the latest 1.5 release.
> >
> > Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
> > all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
> > the HSTS header MUST be present on the redirect from https://example.com to
> > https://www.example.com. I am using configuration like:
> >
> >     rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> >     redirect prefix https://www.example.com code 301 if \
> >         { hdr(host) -i example.com }
> >
> > For whatever reason, even when the rspadd line is before the redirect, no
> > headers are added to the redirect, making this impossible. I've considered
> > a fake backend with a fake 503 file to get around this - something like:
> >
> >     HTTP/1.1 301 Moved Permanently
> >     Cache-Control: no-cache
> >     Content-Length: 0
> >     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> >     Location: https://www.example.com/
> >     Connection: close
> >
> > While this will work, it feels really hacky. Is there a better way to add a
> > header on a redirect?
>
> Have a look at the thread 'add response header based on presence of request
> header', your case matches the case I mentioned there.
>
> Cheers,
> Pavlos

Hi Pavlos - unfortunately this does not match my use case, I always want to send the HSTS header, it is not dependent on the request. I just need to ensure that this header is *always* sent, even on a redirect.
Re: Adding HSTS or custom headers on redirect
On 2 December 2014 at 09:17, Samuel Reed wrote:
> I'm running the latest 1.5 release.
>
> Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
> all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
> the HSTS header MUST be present on the redirect from https://example.com to
> https://www.example.com. I am using configuration like:
>
>     rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
>     redirect prefix https://www.example.com code 301 if \
>         { hdr(host) -i example.com }
>
> For whatever reason, even when the rspadd line is before the redirect, no
> headers are added to the redirect, making this impossible. I've considered
> a fake backend with a fake 503 file to get around this - something like:
>
>     HTTP/1.1 301 Moved Permanently
>     Cache-Control: no-cache
>     Content-Length: 0
>     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>     Location: https://www.example.com/
>     Connection: close
>
> While this will work, it feels really hacky. Is there a better way to add a
> header on a redirect?

Have a look at the thread 'add response header based on presence of request header', your case matches the case I mentioned there.

Cheers,
Pavlos
Adding HSTS or custom headers on redirect
I'm running the latest 1.5 release.

Our site runs primarily on the `www` subdomain, but we want to enable HSTS for all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works, the HSTS header MUST be present on the redirect from https://example.com to https://www.example.com. I am using configuration like:

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    redirect prefix https://www.example.com code 301 if \
        { hdr(host) -i example.com }

For whatever reason, even when the rspadd line is before the redirect, no headers are added to the redirect, making this impossible. I've considered a fake backend with a fake 503 file to get around this - something like:

    HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Content-Length: 0
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Location: https://www.example.com/
    Connection: close

While this will work, it feels really hacky. Is there a better way to add a header on a redirect?

Thanks
Sam
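
An added example, not part of the original thread and not HAProxy code: a Python check that a hand-written raw redirect response, such as the errorfile quoted in the post above, is a redirect to an https Location and carries a Strict-Transport-Security header with max-age and includeSubDomains. The function names and the one-year `min_age` default are assumptions made for this example.

```python
# Constructed sample: the raw 301 response quoted in the post above.
SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Length: 0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Location: https://www.example.com/\r\n"
    "Connection: close\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, [(lowercased_name, value)]) for a raw HTTP response head."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])  # raises on a malformed status line
    headers = [(n.strip().lower(), v.strip())
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep]
    return status, headers

def parse_hsts(value):
    """Parse STS directives (RFC 6797 section 6.1); names are case-insensitive."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in out:  # each directive may appear only once
            raise ValueError("duplicate directive " + name)
        out[name] = val.strip().strip('"')  # max-age may be a quoted-string
    return out

def check_redirect_hsts(raw, min_age=31536000):
    """Return a list of problems; an empty list means the redirect carries usable HSTS."""
    status, headers = parse_response(raw)
    problems = []
    if status not in (301, 302, 303, 307, 308):
        problems.append("status %d is not a redirect" % status)
    if not any(n == "location" and v.lower().startswith("https://") for n, v in headers):
        problems.append("Location missing or not https")
    sts = [v for n, v in headers if n == "strict-transport-security"]
    if not sts:
        return problems + ["no Strict-Transport-Security header"]
    d = parse_hsts(sts[0])  # a browser processes only the first STS header field
    age = d.get("max-age", "")
    if not age.isdigit() or int(age) < min_age:
        problems.append("max-age missing, malformed or below %d" % min_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return problems
```

The same function can be pointed at a response captured from the live redirect on the bare domain, which is the response that has to carry the header for includeSubDomains to take effect.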