Re: How to skip setting HSTS header for certain virtual hosts only?


 



On Tue, Oct 7, 2014 at 9:22 AM, Eddie B <eddie@xxxxxxxxxxxxxxx> wrote:

I set HSTS for HTTPS only, using this directive at the beginning of httpd.conf (Apache 2.2):

 

<IfModule mod_headers.c>

Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=HTTPS

</IfModule>

 

How can I tell Apache to not set HSTS for specific virtual hosts (using some type of IF statement) using one global directive (instead of unsetting inside the specific vhost’s conf)?

 

Thanks

 
Try the following (untested, though):

SetEnvIF Host "domain1.*|domain2.*|domain[6-8].*" AllowDomain
SetEnvIF AllowDomain HTTPS HEADER_PROCESSING=1
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=HEADER_PROCESSING
</IfModule>

It's based on the fact that SetEnvIF[NoCase] can set|unset variables based on the value of variables previously processed by SetEnvIF[NoCase] command(s) in the same directive scope. Having said that, maybe HTTPS needs to be replaced with another env var set by a SetEnvIF[NoCase] command too, instead of the built-in Apache env var that I used in the example.
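
An added example, not part of either message above: one way to keep a single global rule in Apache 2.2 is to set the header on HTTPS responses and then unset it for the listed hosts. The host names and the NO_HSTS variable name are placeholders chosen for this example.

```apache
# Global (server config) scope, Apache 2.2 with mod_setenvif and mod_headers.
# Host names and the NO_HSTS variable name are placeholders for this example.

# Mark requests whose Host header names a vhost that must not send HSTS.
# The pattern is anchored and allows an optional port, so a longer host
# name that merely contains one of these names does not match.
SetEnvIfNoCase Host "^(legacy|intranet)\.example\.com(:[0-9]+)?$" NO_HSTS

<IfModule mod_headers.c>
    # Step 1: send the policy on every HTTPS response (mod_ssl sets HTTPS).
    # "set" replaces any existing value, so the header is never duplicated.
    Header set Strict-Transport-Security "max-age=15768000; includeSubDomains" env=HTTPS

    # Step 2: remove it again for the marked hosts. Header directives run in
    # configuration order, so this line must come after the "set" above.
    Header unset Strict-Transport-Security env=NO_HSTS
</IfModule>
```

A browser that has already stored an includeSubDomains policy from a parent domain keeps enforcing HTTPS on that domain's subdomains, whether or not the subdomain itself sends the header.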

