On 2014/12/25 01:10, Carlin Bingham wrote:
> On Wed, 24 Dec 2014, at 11:03 PM, Stuart Henderson wrote:
> > On 2014/12/24 06:44, Carlin Bingham wrote:
> > > nginx and apache support url rewriting, letting you redirect from
> > > arbitrary urls with pattern matching. In my experience the primary
> > > uses for this are to redirect from http to https or to remove/add www
> > > in the hostname, so I thought it might be useful to have options making
> > > these specific uses possible and simple to do.
> > 
> > [...]
> > 
> > For https redirects, a better option would be to add support for
> > adding the Strict-Transport-Security header to responses (HSTS,
> > RFC 6797), it's safer than issuing a redirect.
> > 
> 
> For HSTS to work you first need to redirect to https and issue the
> header over https.

Ah, right ... "An HSTS Host MUST NOT include the STS header field in
HTTP responses conveyed over non-secure transport."

> My plan was to propose a way to set the HSTS header if this proposal was
> well received, since there isn't much point having a built-in way to set
> the header if you're still having to use FCGI anyway to do the
> redirects.

I think there is still point in that; even if you need FCGI for redirects,
that would only be needed on the HTTP side, and there's little point in
requiring FCGI to deliver a static html file plus HSTS header. Also you
might not want to do redirects at all, just hand out an HTTPS URL to
users and give them security against an HTTPS->HTTP downgrade attack.

(Technically you could use relayd to set HSTS headers and proxy to httpd,
but having a combination of the two adds fragility and spreads configuration
between more places..)
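The deployment rule the thread spells out (plain HTTP redirects to https; the STS header is sent only on the https side, and is ignored if sent over non-secure transport) can be checked mechanically. This is an added example, not code from the thread or from httpd/relayd; the response tuples and the host name are constructed.

```python
"""Check an HTTP/HTTPS response pair for a correct HSTS deployment (RFC 6797)."""
import re

# Constructed sample responses for one host: (scheme, status, headers).
SAMPLE_HTTP = ("http", 301, {"Location": "https://www.example.com/"})
SAMPLE_HTTPS = ("https", 200,
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})


def parse_sts(value):
    """Parse an STS header value into a dict; max-age is REQUIRED (RFC 6797 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(http_resp, https_resp):
    """Return a list of findings; an empty list means the pair follows the thread's advice."""
    findings = []
    _scheme, status, headers = http_resp
    hdrs = {k.lower(): v for k, v in headers.items()}
    # RFC 6797 7.2: an HSTS host MUST NOT send STS over non-secure transport; clients ignore it.
    if "strict-transport-security" in hdrs:
        findings.append("STS header sent over plain HTTP (ignored by clients)")
    # Without a redirect, first-time visitors never reach the https side that sets HSTS.
    location = hdrs.get("location", "")
    if not (status in (301, 302, 307, 308) and location.startswith("https://")):
        findings.append("plain HTTP does not redirect to https")
    _scheme, status, headers = https_resp
    hdrs = {k.lower(): v for k, v in headers.items()}
    sts = hdrs.get("strict-transport-security")
    if sts is None:
        findings.append("no STS header on the https response")
    elif parse_sts(sts) is None:
        findings.append("STS header has no valid max-age directive")
    return findings
```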
