From 4fc1844d895cda3bb40ae2d90a3c510fa51cbac1 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Thu, 20 Jan 2022 15:10:26 -0800
Subject: [PATCH] apache: Don't set HSTS for .onion domain

Fixes: #2174.

When HSTS is set, there is no way to override the certificate warnings. LE does not yet issue certificates for .onion domains. Certificate warnings are certainly shown there. Although browsers don't accept HSTS headers when the certificate is invalid, it is best to be safe and not set them for .onion domains.

Tests:

- Without the patch, on normal and .onion domains, HSTS is set only when using HTTPS.
- With the patch, HSTS is set only when using HTTPS, and only for normal domains, not .onion domains.
- The patch works when tested with .onion and .ONION hosts.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 data/etc/apache2/conf-available/freedombox.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf index a2feaf114..9a484e8e2 100644 --- a/data/etc/apache2/conf-available/freedombox.conf +++ b/data/etc/apache2/conf-available/freedombox.conf @@ -34,7 +34,9 @@ ## ## Enable HSTS, even for subdomains. ## -Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS + + Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS + ## ## Redirect traffic on home to /plinth as part of turning the machine
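Review bot: The unchanged context comment `## Enable HSTS, even for subdomains.` directly above the hunk still documents unconditional HSTS, while the `Header set Strict-Transport-Security ...` line is now re-indented inside a new enclosing block (the enclosing directive lines themselves are not visible in the hunk as rendered here, so the exclusion is undocumented in the file). Update the comment to record the exception, for example `## Enable HSTS, even for subdomains, except for .onion hosts (see #2174).` Also, the commit message says both `.onion` and `.ONION` hosts were tested; make sure the host-name condition wrapping this line is case-insensitive, otherwise an upper-cased `.ONION` Host header would silently receive the header again. The `env=HTTPS` guard is kept, so the "only when using HTTPS" behaviour from the Tests list is unchanged.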