Enable HSTS – Apache – openSUSE Leap – GCP

Now you want to secure your Apache so it shows HSTS status with padlock icon in URL bar. This is my environment:

Now here comes the editing part:
Go to /etc/sysconfig. Open apache2 using vi. Add “headers” in “APACHE_MODULES”. Save and quit. Then go to /etc/apache2/vhosts.d/vhost.yoursubdomain.conf. Add the following line:

<VirtualHost *:80>
 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 
 ServerName subdomain.yourdomain.com
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

<VirtualHost *:443>
 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLEngine On
# Put other configuration here.

Do stop apache2 service: systemctl stop apache2
Do start apache2 service: systemctl start apache2
Verify your HSTS configuration using bash terminal: curl -s -D- https://subdomain.yourdomain.com/ | grep -i Strict. It should print: strict-transport-security: max-age=63072000; includeSubdomains; preload

Bonus: put this line after SSLEngine On

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

That configuration should disable TLS1.0 and TLS1.1 plus enable the TLS1.2 and TLS1.3 if they were supported by your apache version.


Leave a Reply