apache: Don't set HSTS for .onion domain

Fixes: #2174.

When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly shown there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best to be safe and not set them for .onion domains.

Tests:

- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.

- With the patch, HSTS is set only when using HTTPS and only for normal domains,
not .onion domains.

- The patch works when tested with .onion and .ONION hosts.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2022-01-20 15:10:26 -08:00 committed by James Valleroy
parent 5e4a0f0a38
commit 4fc1844d89
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808


@ -34,7 +34,9 @@
##
## Enable HSTS, even for subdomains.
##
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
<If "%{HTTP_HOST} !~ /^.*\.onion$/i">
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</If>
##
## Redirect traffic on home to /plinth as part of turning the machine
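Review bot: The `<If "%{HTTP_HOST} !~ /^.*\.onion$/i">` condition will not match when the client sends a Host header with an explicit port (for example `example.onion:8443`), because the `$` anchor sits directly after `onion`; in that case the `Header set Strict-Transport-Security` line still fires for the .onion host. Consider allowing an optional port, e.g. `<If "%{HTTP_HOST} !~ /\.onion(:[0-9]+)?$/i">`, which also drops the redundant `^.*` prefix. The comment block above the directive still reads `## Enable HSTS, even for subdomains.`; a short addition noting that .onion hosts are excluded (and why, per the commit message: LE does not issue .onion certificates and HSTS would make the resulting warnings non-overridable) would keep the config self-documenting.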