Configuring HSTS In Apache

In recent years there has been a big push across the industry to encourage website operators not only to support HTTPS on their websites but to make it the default connection option. One very visible aspect of this has been the creation of the Let’s Encrypt certificate authority, a service that issues free domain-validated SSL certificates through an automated system, making it easy to enable HTTPS on your website.

At around the same time as the Let’s Encrypt project was started, a specification was being published for HTTP Strict Transport Security (HSTS). This is a mechanism designed to make a number of man-in-the-middle attacks much more difficult: once a browser has seen the HSTS policy for a website, it will no longer contact that website over plain HTTP, where an attacker in the path can read or alter the traffic.

So with your server set up and already able to serve websites over HTTPS for your chosen domain, we now need to look at the changes required for HSTS support. The first thing we have to do is enable the modules that we’ll need, which are rewrite and headers. For Debian and Ubuntu systems this can be done with the following commands:

sudo a2enmod rewrite

sudo a2enmod headers

For CentOS and Red Hat this is a touch more complicated as you’ll need to create the module files. In this example I’ll be using nano, but you can use whichever text editor you prefer. So first, let’s create the file to enable the rewrite module:

sudo nano /etc/httpd/conf.modules.d/02-rewrite.conf

Then paste in the following line:

Save and exit that file. We now need to do a file for the headers module:

sudo nano /etc/httpd/conf.modules.d/02-headers.conf

Paste the following line into the file:

Save and exit the file — you now have the modules configured.

Next, we need to configure the server to redirect HTTP connections to HTTPS and set the HSTS header. This can be done globally or at the individual virtualhost level. For this example I’m going to assume that you are running multiple domain websites on your server, and that you are using virtualhosts for them. So you’ll need to open the configuration file for the virtualhost that defines the domain for which you wish to apply HSTS and place the following lines within the virtualhost definition:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # Send the same host and path over HTTPS as a permanent redirect
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

The first section informs Apache that it should redirect any connections to the virtualhost that arrive over HTTP to HTTPS; you may already have this configured from when you set up HTTPS for your server. The final line informs Apache that it should send the Strict-Transport-Security header, setting the max-age parameter to one year (in seconds) and telling the browser to include subdomains when it records which domains to use HSTS with. Browsers only honour this header when it arrives over HTTPS, so the Header line must be in effect for the HTTPS virtualhost. If you don’t wish to configure HTTPS for all your subdomains then you can remove the “includeSubDomains” setting from the header.

Once you’ve set your virtualhost configuration you can save and exit the file. The final task is to restart Apache for it to take on the new configuration. For Debian and Ubuntu systems use:

sudo service apache2 restart

For CentOS and Red Hat systems use:

sudo service httpd restart

Now if you attempt to connect to your website from a web browser over HTTP you should be redirected to your HTTPS site, and for the duration of max-age the browser should go straight to HTTPS on later visits rather than trying HTTP first.
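To confirm the deployment beyond a single browser visit, here is a small Python checker (an added example, not part of the original post) that takes the status and headers of the plain-HTTP response and the headers of the HTTPS response, for instance as captured with curl -I, and reports the problems this post is about: a missing redirect, a missing or malformed Strict-Transport-Security header (including one pasted with typographic quotes), a max-age shorter than the configured year, or the header being sent over plain HTTP where browsers ignore it. The example host name and header values in the comments are constructed.

```python
"""Check an Apache HSTS deployment: the HTTP->HTTPS redirect and the
Strict-Transport-Security header on the HTTPS side (RFC 6797 directives)."""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value configured in this post


def parse_hsts(value):
    """Split an STS header value into {directive: value}. Directive names are
    case-insensitive and must not repeat; a repeat makes the header invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive: browsers ignore the whole header
        directives[name] = val.strip().strip('"')
    return directives


def check_hsts(http_status, http_headers, https_headers, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the configuration looks
    right. http_status/http_headers describe the plain-HTTP response (e.g. to
    http://example.test/, a constructed host), https_headers the HTTPS one."""
    findings = []
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}
    location = http_headers.get("location", "")
    if http_status not in (301, 308) or urlsplit(location).scheme != "https":
        findings.append("HTTP request is not permanently redirected to https://")
    if "strict-transport-security" in http_headers:
        findings.append("STS header sent over plain HTTP (browsers ignore it there)")
    sts = https_headers.get("strict-transport-security")
    if sts is None:
        return findings + ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(sts)
    if directives is None or not re.fullmatch(r"\d+", directives.get("max-age", "")):
        # Also catches a value that came through with curly quotes around it
        return findings + [f"malformed STS header: {sts!r}"]
    if int(directives["max-age"]) < min_age:
        findings.append(f"max-age {directives['max-age']} is shorter than {min_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (fine if intentional)")
    return findings
```

Run it against the real responses by feeding in the status code and the header dictionaries from your HTTP client of choice; the function itself makes no network calls.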
