authorKevin Fenzi <kevin@scrye.com>2015-12-01 17:58:02 +0000
committerKevin Fenzi <kevin@scrye.com>2015-12-01 17:58:02 +0000
commita73d331bbf39edc9ab7a28545e167546c9016da9 (patch)
tree4f4eb4f8b7aa36add3816c1a0e7847b42fcc512e /roles/keyserver/files
parent53f7d90e77e976810ec344960ba063f87bde7ba0 (diff)
Add hsts and redirect to https for keys. Ticket 4960
Diffstat (limited to 'roles/keyserver/files')
-rw-r--r--roles/keyserver/files/sks.conf10
1 files changed, 6 insertions, 4 deletions
diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf
index bc359b381..1e1773204 100644
--- a/roles/keyserver/files/sks.conf
+++ b/roles/keyserver/files/sks.conf
@@ -40,11 +40,13 @@ NameVirtualHost *:443
<VirtualHost *:80>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
- ProxyPass / http://127.0.0.1:11371/
- ProxyPassReverse / http://127.0.0.1:11371/
- SetEnv proxy-nokeepalive 1
- ProxyVia Full
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+ # Set HSTS header via HTTP since it cannot be easily set in squid, which terminates HTTPS
+ Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
+
<VirtualHost *:443>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
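Review bot: The Strict-Transport-Security header added in the `*:80` vhost only takes effect when a client receives it on an HTTPS response; browsers ignore it over plain HTTP (RFC 6797 section 8.1). It therefore helps only if the TLS terminator named in the comment relays this vhost's responses, which the hunk does not show, and the `*:443` vhost body continues outside the hunk. The redirect target is built from the client-supplied `%{HTTP_HOST}` and carries no explicit redirect flag, so pinning the host and status is safer, especially behind a cache: `RewriteRule (.*) https://keys.fedoraproject.org%{REQUEST_URI} [R=301,L,NE]`. Using `Header always set` instead of `Header always add` would also avoid a duplicate header if another layer sets one.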