On Tue, Oct 7, 2014 at 9:22 AM, Eddie B <ed...@mattermedia.com> wrote:
> I set HSTS for HTTPS only, using this directive at the beginning of > httpd.conf (apache 2.2) > > > > <IfModule mod_headers.c> > > Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" > env=HTTPS > > </IfModule> > > > > How can I tell Apache to not set HSTS for specific virtual hosts (using > some type of IF statement) using one global directive (instead of unsetting > inside the specific vhost’s conf)? > > > > Thanks > Try the following untested though: SetEnvIF Host "domain1.*|domain2.*|domain[6-8].*" AllowDomain SetEnvIF AllowDomain HTTPS HEADER_PROCESSING=1 <IfModule mod_headers.c> Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=HEADER_PROCESSING </IfModule> It's based on the fact that SetEnvIF[NoCase] can set|unset variables based on the value of previously processed variables by SetEnvIF[NoCase] command(s) in the same directives scope. Having said that maybe the HTTPS needs to be replaced with another env var set by SetEnvIF[NoCase] command too instead of the built in Apache env var that I used in the example.