Re: Adding HSTS or custom headers on redirect

2015-02-16 Thread Jan Jezek
Same problem here. Even worse because we want to redirect prefix instead of
a static location. So we cannot use the fake backend hack.




Re: Adding HSTS or custom headers on redirect

2014-12-13 Thread Samuel Reed
Pavlos Parissis pavlos.parissis@... writes:

 On 2 December 2014 at 09:17, Samuel Reed samuel.trace.reed at gmail.com
 wrote:

 I'm running the latest 1.5 release.

 Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
 all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
 the HSTS header MUST be present on the redirect from https://example.com to
 https://www.example.com. I am using configuration like:

 rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
 redirect prefix https://www.example.com code 301 if \
 { hdr(host) -i example.com }

 For whatever reason, even when the rspadd line is before the redirect, no
 headers are added to the redirect, making this impossible. I've considered
 a fake backend with a fake 503 file to get around this - something like:

 HTTP/1.1 301 Moved Permanently
 Cache-Control: no-cache
 Content-Length: 0
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 Location: https://www.example.com/
 Connection: close

 While this will work, it feels really hacky. Is there a better way to add a
 header on a redirect?

 Have a look at the thread 'add response header based on presence of request
 header', your case matches the case I mentioned there.

 Cheers,
 Pavlos

Hi Pavlos - unfortunately this does not match my use case,
I always want to send the HSTS header, it is not dependent 
on the request. I just need to ensure that this 
header is *always* sent, even on a redirect.





Adding HSTS or custom headers on redirect

2014-12-02 Thread Samuel Reed
I'm running the latest 1.5 release.

Our site runs primarily on the `www` subdomain, but we want to enable HSTS for
all subdomains (includeSubdomains). Unfortunately, due to the way HSTS works,
the HSTS header MUST be present on the redirect from https://example.com to 
https://www.example.com. I am using configuration like:

rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
redirect prefix https://www.example.com code 301 if \
{ hdr(host) -i example.com }

For whatever reason, even when the rspadd line is before the redirect, no 
headers are added to the redirect, making this impossible. I've considered 
a fake backend with a fake 503 file to get around this - something like: 

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Location: https://www.example.com/
Connection: close

While this will work, it feels really hacky. Is there a better way to add a
header on a redirect?

Thanks
Sam
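
A check for the requirement described in this post, added here as an example (not code from the thread or from HAProxy): it parses a raw response head, such as the hand-written 301 file above, and reports whether the redirect carries a usable HSTS header. The function names are this example's own, and the sample is copied from the post.

```python
import re

# Constructed sample: the hand-written 301 response quoted in the post.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Location: https://www.example.com/
Connection: close\n\n"""

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lower-name: [values]})."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})\b", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers

def parse_hsts(value):
    """Parse an STS field value into {directive: value-or-None}; names are case-insensitive."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out

def check_redirect_hsts(raw, need_subdomains=True):
    """Return a list of problems; an empty list means the redirect carries usable HSTS."""
    status, headers = parse_response(raw)
    problems = []
    if status not in (301, 302, 303, 307, 308):
        problems.append("status %d is not a redirect" % status)
    if not headers.get("location", [""])[0].lower().startswith("https://"):
        problems.append("Location is missing or not https")
    sts = headers.get("strict-transport-security", [])
    if not sts:
        return problems + ["no Strict-Transport-Security header on the redirect"]
    d = parse_hsts(sts[0])  # RFC 6797: only the first STS header field is processed
    if not re.fullmatch(r"0*[1-9][0-9]*", d.get("max-age") or ""):
        problems.append("max-age missing, malformed or zero")
    if need_subdomains and "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return problems
```

The same function can be pointed at the head of a response captured from the live redirect to confirm the header actually reaches the client.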




Re: Adding HSTS or custom headers on redirect

2014-12-02 Thread Pavlos Parissis
On 2 December 2014 at 09:17, Samuel Reed samuel.trace.r...@gmail.com
wrote:

 I'm running the latest 1.5 release.

 Our site runs primarily on the `www` subdomain, but we want to enable HSTS
 for all subdomains (includeSubdomains). Unfortunately, due to the way HSTS
 works, the HSTS header MUST be present on the redirect from
 https://example.com to https://www.example.com. I am using configuration like:

 rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
 redirect prefix https://www.example.com code 301 if \
 { hdr(host) -i example.com }

 For whatever reason, even when the rspadd line is before the redirect, no
 headers are added to the redirect, making this impossible. I've considered
 a fake backend with a fake 503 file to get around this - something like:

 HTTP/1.1 301 Moved Permanently
 Cache-Control: no-cache
 Content-Length: 0
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 Location: https://www.example.com/
 Connection: close

 While this will work, it feels really hacky. Is there a better way to add a
 header on a redirect?


Have a look at the thread 'add response header based on presence of request
header', your case matches the case I mentioned there.

Cheers,
Pavlos