You can specify HTTP Strict Transport Security (HSTS) in response headers so that your server advertises to clients that it accepts only HTTPS requests. You can also redirect any non-HTTPS requests to SSL-enabled virtual hosts.
Procedure
- Enable the modification of response headers.
Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so
- Define the HSTS policy for clients.
Make the following updates in the httpd.conf file:
- Code the Header directive.
The following example Header directive shows useful options for an HSTS policy. It tells clients that the server always requires HTTPS connections and that the policy applies to both the domain and all of its subdomains (includeSubDomains). A client may remember the policy for up to one year (max-age=31536000 seconds). The preload option signals that the domain is eligible for inclusion in the built-in HSTS lists that browsers ship with.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- Add the Header directive to each virtual host section, <VirtualHost>, that is enabled for Secure Sockets Layer (SSL).
- Redirect requests from virtual hosts that are not enabled for SSL to virtual hosts that are enabled.
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
- Add the stanza once to each virtual host section in the httpd.conf file that is not enabled for SSL.
- Add the stanza once to the global httpd.conf file, but outside the virtual host sections.
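The three steps of the procedure combined into one httpd.conf fragment, as an added example rather than configuration taken from the IBM documentation. It assumes the hostname www.example.com, a placeholder path for the key database, that mod_rewrite is loaded (the RewriteRule above needs it, although the procedure does not say so), and that SSL is provided by IBM HTTP Server's mod_ibm_ssl module with its SSLEnable and KeyFile directives; it uses a permanent (301) redirect where the procedure's [R,L] flags produce a temporary 302.

```apache
# Added example: complete httpd.conf fragment for HSTS plus an HTTP-to-HTTPS redirect.
# Assumed values: hostname www.example.com, key database path (placeholder),
# and the mod_rewrite and mod_ibm_ssl module file names.

# Step 1: mod_headers provides the Header directive. mod_rewrite provides
# RewriteEngine and RewriteRule; without it the redirect stanza fails to load.
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 80
Listen 443

# Step 3: the non-SSL virtual host does nothing but redirect. Keep the rewrite
# stanza out of the SSL virtual host; there it would redirect every https://
# request to itself in a loop. R=301 marks the move as permanent, which is what
# an HSTS policy implies; the procedure's [R,L] gives a temporary 302 instead.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# Step 2: the HSTS header belongs only in the SSL virtual host. Clients ignore
# Strict-Transport-Security received over plain HTTP (RFC 6797), so setting it
# in the *:80 host would have no effect.
<VirtualHost *:443>
    ServerName www.example.com
    # mod_ibm_ssl directives (assumed); point KeyFile at your own key database.
    SSLEnable
    KeyFile "/PLACEHOLDER/path/to/key.kdb"
    # "always" also emits the header on error responses, not only on 2xx.
    # max-age=31536000: clients keep the policy for one year after the last
    #   response that carried this header.
    # includeSubDomains: every subdomain must already be reachable over HTTPS,
    #   otherwise clients that have seen this header can no longer reach them.
    # preload: only signals eligibility; the domain still has to be submitted
    #   to the browser preload list separately.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Before enabling includeSubDomains in production, check that every host under the domain (including ones not served by this IBM HTTP Server instance) answers over HTTPS with a valid certificate, because a client that has cached the policy refuses to connect to any of them over plain HTTP until max-age expires.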
Results
You set up IBM® HTTP Server so that it tells clients to connect to the specified domains and subdomains only over HTTPS. To ensure that IBM HTTP Server does not serve non-HTTPS requests over non-SSL connections, you set the server up to redirect these requests to SSL-enabled virtual hosts.
What to do next
Add your server as a front end to your application server environment so that connections
between your application server and a client are over HTTPS.