Enable HSTS – Apache – openSUSE Leap – GCP

Now you want to secure your Apache so it shows HSTS status with padlock icon in URL bar. This is my environment:

Now here comes the editing part:
Go to /etc/sysconfig. Open apache2 using vi. Add “headers” in “APACHE_MODULES”. Save and quit. Then go to /etc/apache2/vhosts.d/vhost.yoursubdomain.conf. Add the following line:

<VirtualHost *:80>
 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 
 ServerName subdomain.yourdomain.com
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

<VirtualHost *:443>
 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLEngine On
# Put other configuration here.

Do stop apache2 service: systemctl stop apache2
Do start apache2 service: systemctl start apache2
Verify your HSTS configuration using bash terminal: curl -s -D- https://subdomain.yourdomain.com/ | grep -i Strict. It should print: strict-transport-security: max-age=63072000; includeSubdomains; preload

Bonus: put this line after SSLEngine On

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

That configuration should disable TLS1.0 and TLS1.1 plus enable the TLS1.2 and TLS1.3 if they were supported by your apache version.

Work till death do me part.

Leave a Reply