Apache HSTS exception for some virtual hosts
Solution 1
If you only include the IfModule directive in a VirtualHost directive for x.x.x.x:443, then it will only apply to that VirtualHost, and there it will only apply to the HTTPS protocol.
You could try the directive
<If "%{HTTP_HOST} = 'www.dev.domain.com'">
    <IfModule mod_headers.c>
        Header unset Strict-Transport-Security
        Header always set Strict-Transport-Security "max-age=0;includeSubDomains"
    </IfModule>
</If>
Solution 2
In Apache 2.2 you can probably play with something like below.
Set an env to identify general case and exclude specific case:
SetEnvIf HTTPS do_work_on_headers
SetEnvIf Host "^www.myexcludedhostname.tld$" !do_work_on_headers
then conditionally set headers:
<IfModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=do_work_on_headers
</IfModule>
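Both answers above decide which responses carry the header; what the browser then does with it is a separate question. The sketch below is an added example (not from either answer) that models RFC 6797 handling in simplified form: max-age=0 clears only the host that sent it, and a parent host's includeSubDomains still covers a subdomain that omits the header. Host names follow the question; the class and function names are hypothetical.

```python
# Added illustration: simplified model of a browser's HSTS store (RFC 6797).
import time

def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub

class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry time, include_subdomains)

    def note_header(self, host, value, over_tls=True, now=None):
        """Record a header as a browser would; headers seen over plain HTTP are ignored."""
        if not over_tls:
            return
        now = time.time() if now is None else now
        max_age, include_sub = parse_sts(value)
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # clears this host's own entry only
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def forces_https(self, host, now=None):
        """True if host has its own entry or a parent entry with includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    # Constructed scenario: dev.host.com is cleared, then host.com is visited.
    store = HstsStore()
    store.note_header("dev.host.com", "max-age=15768000;includeSubDomains", now=0)
    store.note_header("dev.host.com", "max-age=0;includeSubDomains", now=10)
    cleared = store.forces_https("dev.host.com", now=20)
    store.note_header("host.com", "max-age=15768000;includeSubDomains", now=30)
    return cleared, store.forces_https("dev.host.com", now=40)
```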
Comments
-
Gaia over 1 year
In the global config section for Apache 2.2.15, I have the following (per recommendation)
<IfModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=HTTPS
</IfModule>
I would like to add this header only when the request is NOT for a specific host (dev.host.com). Which directive do I use to make header add occur only when not for a specific host?
PS: The second part of this question has been moved.
-
Gaia over 9 years
I could also only set the header for all hosts minus the one I don't want to set it for. I will check into this and report back.
-
Gaia over 9 years
I don't think it's possible to use
<If "%{HTTP_HOST} = 'www.dev.domain.com'">
in httpd.conf
-
alxgomz over 9 years
It is valid... only in Apache 2.4
-
Gaia over 9 years
Thanks, but the OP states it is Apache 2.2
-
alxgomz over 9 years
This one should work for Apache 2.2