Force HTTPS and enable HSTS
authorAnders Kaseorg <andersk@mit.edu>
Thu, 9 Oct 2014 01:59:52 +0000 (21:59 -0400)
committerAnders Kaseorg <andersk@mit.edu>
Sun, 25 Jan 2015 03:59:10 +0000 (22:59 -0500)
.htaccess

index 37325c0d75743bbab67acd38b42500e0d0b057ff..91e2c1d6f79a58c84fe0b4f6c7ba174cdba83d24 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -4,14 +4,22 @@
     SetHandler none
 </Files>
 
+<If "%{HTTPS} != 'on' || %{SERVER_NAME} in {'sipb', 'sipb-www.scripts', 'sipb-www.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
+RedirectPermanent / https://sipb.mit.edu/
+</If>
+
+Header always set Strict-Transport-Security "max-age=31536000"
+
+# /~sipb-www is only used internally
+<If "reqenv('REDIRECT_STATUS') == '' && %{SERVER_NAME} in {'sipb', 'sipb.mit.edu', 'sipb-www.scripts', 'sipb-www.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
+RedirectPermanent /~sipb-www https://sipb.mit.edu
+</If>
+
+Options +FollowSymLinks
+
 RewriteEngine On
 RewriteBase /
 
-# Canonicalize on sipb.mit.edu
-RewriteCond %{HTTP_HOST} !^sipb.mit.edu$ [NC]
-RewriteCond %{HTTPS} !=on
-RewriteRule ^(.*)$ http://sipb.mit.edu/$1 [R=301,L]
-
 # Serve some CGI scripts from _wiki-cgi
 RewriteRule ^ikiwiki.cgi$ _wiki-cgi/ikiwiki.cgi [L]
 RewriteRule ^update.cgi$ _wiki-cgi/update.cgi [L]
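Review bot: The added `Header always set Strict-Transport-Security "max-age=31536000"` line is unconditional, so it is attached to every response this .htaccess produces, including the plain-HTTP redirects and the redirects issued for the alias names listed in the first `<If>`. RFC 6797 says the header must not be sent over non-secure transport (browsers ignore it there). More importantly, if an alias such as `scripts.mit.edu` is reached over HTTPS with a certificate the browser accepts, the browser would presumably pin that shared hostname to HTTPS for a year on behalf of this one site. Scoping the header avoids both: `<If "%{HTTPS} == 'on' && %{SERVER_NAME} == 'sipb.mit.edu'">`, then the existing `Header always set Strict-Transport-Security "max-age=31536000"` line, then `</If>`. A one-line comment above it stating that max-age is one year and whether `includeSubDomains` is left out on purpose would also help the next maintainer.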