From: Anders Kaseorg <andersk@mit.edu>
Date: Thu, 9 Oct 2014 01:59:52 +0000 (-0400)
Subject: Force HTTPS and enable HSTS
X-Git-Url: https://sipb.mit.edu/gitweb.cgi/sipb-www.git/commitdiff_plain/81daec1661bb52228004c1d84d9e89ad08107e70

Force HTTPS and enable HSTS
---

diff --git a/.htaccess b/.htaccess
index 37325c0..91e2c1d 100644
--- a/.htaccess
+++ b/.htaccess
@@ -4,14 +4,22 @@
     SetHandler none
 </Files>
 
+<If "%{HTTPS} != 'on' || %{SERVER_NAME} in {'sipb', 'sipb-www.scripts', 'sipb-www.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
+RedirectPermanent / https://sipb.mit.edu/
+</If>
+
+Header always set Strict-Transport-Security "max-age=31536000"
+
+# /~sipb-www is only used internally
+<If "reqenv('REDIRECT_STATUS') == '' && %{SERVER_NAME} in {'sipb', 'sipb.mit.edu', 'sipb-www.scripts', 'sipb-www.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
+RedirectPermanent /~sipb-www https://sipb.mit.edu
+</If>
+
+Options +FollowSymLinks
+
 RewriteEngine On
 RewriteBase /
 
-# Canonicalize on sipb.mit.edu
-RewriteCond %{HTTP_HOST} !^sipb.mit.edu$ [NC]
-RewriteCond %{HTTPS} !=on
-RewriteRule ^(.*)$ http://sipb.mit.edu/$1 [R=301,L]
-
 # Serve some CGI scripts from _wiki-cgi
 RewriteRule ^ikiwiki.cgi$ _wiki-cgi/ikiwiki.cgi [L]
 RewriteRule ^update.cgi$ _wiki-cgi/update.cgi [L]