X-Git-Url: https://git.ralfj.de/ansible.git/blobdiff_plain/d110535ffae3ecde454db40f4914c9afe564adfc..34cf4db2749cb9993eb062f6f4a32c1f4067a6b3:/roles/apache/templates/ssl.conf

diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf
index fd99e1f..6a0b99f 100644
--- a/roles/apache/templates/ssl.conf
+++ b/roles/apache/templates/ssl.conf
@@ -6,7 +6,14 @@
 <Macro HTTP2HTTPS $domain>
     <VirtualHost *:80>
         ServerName $domain
-        Redirect permanent / https://$domain/
+        # Apparently you need the rewrite engine to implement
+        # a simple "redirect all except for..." policy. Amazing.
+        RewriteEngine on
+        # Do *not* redirect the acme-challenge dir to https, since otherwise the
+        # challenge cannot be fetched when there is no certificate yet for this domain.
+        RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L]
+        # Make the upgrade to HTTPS a "permanent" redirect.
+        RewriteRule ^/(.*) https://$domain/$1 [R=301,L]
     </VirtualHost>
 </Macro>
 
@@ -17,7 +24,7 @@
     Header unset Strict-Transport-Security
     Header set Strict-Transport-Security "max-age=864000"
     # Make sure we load everything via HTTPS
-    Header set Content-Security-Policy "upgrade-insecure-requests"
+    Header add Content-Security-Policy "upgrade-insecure-requests"
 
     #########################################################
     # SSL configuration below ###############################