X-Git-Url: https://git.ralfj.de/ansible.git/blobdiff_plain/d110535ffae3ecde454db40f4914c9afe564adfc..34cf4db2749cb9993eb062f6f4a32c1f4067a6b3:/roles/apache/templates/ssl.conf?ds=inline diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf index fd99e1f..6a0b99f 100644 --- a/roles/apache/templates/ssl.conf +++ b/roles/apache/templates/ssl.conf @@ -6,7 +6,14 @@ ServerName $domain - Redirect permanent / https://$domain/ + # Apparently you need the rewrite engine to implement + # a simple "redirect all except for..." policy. Amazing. + RewriteEngine on + # Do *not* redirect the acme-challenge dir to https, since otherwise the + # challenge cannot be fetched when there is no certificate yet for this domain. + RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L] + # Make the upgrade to HTTPS a "permanent" redirect. + RewriteRule ^/(.*) https://$domain/$1 [R=301,L] @@ -17,7 +24,7 @@ Header unset Strict-Transport-Security Header set Strict-Transport-Security "max-age=864000" # Make sure we load everything via HTTPS - Header set Content-Security-Policy "upgrade-insecure-requests" + Header add Content-Security-Policy "upgrade-insecure-requests" ######################################################### # SSL configuration below ###############################