Set HSTS for sslonly websites in roles/httpd/reverseproxy

7 files changed, 1 insertions, 12 deletions

diff --git a/roles/fedora-web/getfedora/files/getfedora.org.conf b/roles/fedora-web/getfedora/files/getfedora.org.conf
index 9180635cb..7fc238f79 100644
--- a/roles/fedora-web/getfedora/files/getfedora.org.conf
+++ b/roles/fedora-web/getfedora/files/getfedora.org.conf
@@ -3,8 +3,6 @@ Alias /favicon.ico /srv/web/fedoraproject.org/static/images/favicon.ico
 
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript
 
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
-
 FileETag MTime Size
 
 ExpiresActive On
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.bodhi.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.bodhi.conf
index 4cfa0a35d..bbb254330 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.bodhi.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.bodhi.conf
@@ -4,5 +4,3 @@ Header unset Set-Cookie
 
 ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
 ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.elections.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.elections.conf
index d9c3efc5e..b1c1a3a2d 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.elections.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.elections.conf
@@ -8,5 +8,3 @@ Header unset Set-Cookie
 
 ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
 ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.fas.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.fas.conf
index 7048e7487..beb69201b 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.fas.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.fas.conf
@@ -10,5 +10,3 @@ ProxyPassReverse /accounts/user/dogencert http://fas1/
 
 ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
 ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
index c94b9f77d..ec258f884 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@@ -26,8 +26,6 @@ RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
 
-Header always add Strict-Transport-Security "max-age=15768000; preload"
-
 
 RewriteRule ^(.+) - [PT]
 
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
index b89e28384..c1cf16303 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.pkgdb.conf
@@ -37,5 +37,3 @@ Header unset Set-Cookie
 
 ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
 ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index f70b43483..abdc8dc2f 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -14,6 +14,7 @@
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 {% else %}
   Include "conf.d/{{ name }}/*.conf"
 {% endif %}