Now you want to secure your Apache so that it sends the HSTS header and the browser shows the padlock icon in the URL bar. This is my environment:
- apache2-2.4.51-150400.6.11.1.x86_64
- openSUSE Leap 15.4 on GCP
- You are root
- You already redirect port 80 to 443 in the Apache virtual host using mod_rewrite.
Now here comes the editing part:
Go to /etc/sysconfig. Open the apache2 file with vi. Add “headers” to “APACHE_MODULES”. Save and quit. Then go to /etc/apache2/vhosts.d/vhost.yoursubdomain.conf. Add the following lines:
<VirtualHost *:80>
# No HSTS header in this vhost: browsers ignore it over plain HTTP (RFC 6797), so it is set only in the *:443 vhost.
ServerName subdomain.yourdomain.com
RewriteEngine On
RewriteCond %{HTTPS} off
# Permanent redirect to HTTPS; L stops further rule processing.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLEngine On
# Put other configuration here.
</VirtualHost>
Stop the apache2 service: systemctl stop apache2
Start the apache2 service: systemctl start apache2
Verify your HSTS configuration from a bash terminal: curl -s -D- https://subdomain.yourdomain.com/ | grep -i Strict. It should print: strict-transport-security: max-age=63072000; includeSubdomains; preload
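The curl check above, extended into a bash function as an added example (not part of the original post): it reads response headers on stdin and verifies each HSTS directive rather than only grepping for the header name. The names hsts_check and sample_headers, and the constructed sample headers, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check the HSTS header in
# response headers read from stdin, e.g. from `curl -s -D- -o /dev/null URL`.

# hsts_check [MIN_MAX_AGE]
# Returns 0 only if the header is present, max-age >= MIN_MAX_AGE
# (default: the page's 63072000) and includeSubDomains and preload are set.
hsts_check() {
    local min_age=${1:-63072000} value directives max_age missing=""
    # Header names are case-insensitive and HTTP/1.1 lines end in CR LF,
    # so match without case and drop the CR before comparing anything.
    value=$(tr -d '\r' | grep -i -m1 '^strict-transport-security:' | cut -d: -f2-)
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    # Directive names are case-insensitive too: normalise, one per line.
    directives=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t"' | tr ';' '\n')
    max_age=$(printf '%s\n' "$directives" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n1)
    if [ -z "$max_age" ]; then
        echo "FAIL: max-age missing or not a number"
        return 1
    fi
    if [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$max_age is below $min_age"
        return 1
    fi
    printf '%s\n' "$directives" | grep -qx 'includesubdomains' || missing="$missing includeSubDomains"
    printf '%s\n' "$directives" | grep -qx 'preload' || missing="$missing preload"
    if [ -n "$missing" ]; then
        echo "FAIL: missing directive(s):$missing"
        return 1
    fi
    echo "OK: max-age=$max_age includeSubDomains preload"
}

# Constructed sample response headers (CR LF line endings, as on the wire).
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nstrict-transport-security: max-age=63072000; includeSubdomains; preload\r\nContent-Type: text/html\r\n\r\n'
}

sample_headers | hsts_check
# Live use, with the page's placeholder host name:
#   curl -s -D- -o /dev/null https://subdomain.yourdomain.com/ | hsts_check
```

The non-zero exit status on failure lets you use the function in a deployment script or a monitoring check.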
Bonus: put these lines after SSLEngine On
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
That configuration should disable TLS 1.0 and TLS 1.1 and enable TLS 1.2 and TLS 1.3, if they are supported by your Apache version.