<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 25 Aug. 2017 18:51, "John Salter" <<a href="mailto:J.Salter@leeds.ac.uk">J.Salter@leeds.ac.uk</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-GB" link="blue" vlink="purple">
<div class="m_-7636239221360670640WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Tomasz,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">In the non-secure virtual host, the following line will redirect all traffic.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Whilst testing, you might want to leave out the 'permanent' part.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><VirtualHost *:80><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">...<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> Redirect permanent / <a href="https://your.repo/" target="_blank">https://your.repo/</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""></VirtualHost><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Matthew,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I'm guessing you have something similar somewhere in your :80 vhost?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Cheers,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">John</span></p></div></div></blockquote></div><br></div></div><div class="gmail_extra" dir="auto">I've intentionally allowed existing http requests to continue the old fashioned way, mostly because I don't trust that all the robots that interact with the site would be able to cope with a redirect. 😒</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto">For first-time human traffic we mostly rely on good links -- Google prefers to serve up https links, and most (all?) of the links in the site itself ought to be to https urls. Actually, I believe that the stylesheet and image srcs are also https. So while you might be able to fetch a http page once, it'd be very hard to do so a second time if your browser honours HSTS. </div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto">Cheers</div><div class="gmail_extra" dir="auto">-- </div><div class="gmail_extra" dir="auto">Matthew Kerwin</div></div>
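<p>An added example, not part of either message: a minimal model of how a browser that honours HSTS handles the cases discussed in this thread (policy only set from the :443 vhost, no redirect on :80). The class and function names, the stylesheet path and the max-age value are assumptions made for illustration; only exact host matching is modelled, not includeSubDomains or preload lists.</p>

```python
from urllib.parse import urlsplit, urlunsplit

def parse_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

class HstsStore:
    """Per-host HSTS policy as a browser would remember it (exact host match only)."""
    def __init__(self):
        self.expiry = {}  # host -> time (seconds) at which the policy expires

    def note_response(self, url, headers, now):
        """Record a policy; the header is ignored unless it arrived over https."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return
        max_age = parse_max_age(sts)
        if max_age is None:
            return
        if max_age == 0:
            self.expiry.pop(parts.hostname, None)  # max-age=0 clears the policy
        else:
            self.expiry[parts.hostname] = now + max_age

    def rewrite(self, url, now):
        """Upgrade http:// to https:// when the host has an unexpired policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.expiry.get(parts.hostname, 0) > now:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def simulate():
    """Constructed sequence: what URL is actually fetched at each step."""
    store, year = HstsStore(), 31536000
    sts = {"Strict-Transport-Security": f"max-age={year}"}
    seen = [store.rewrite("http://your.repo/", now=0)]       # first visit: no policy yet
    store.note_response("http://your.repo/", sts, now=0)     # header over http is ignored
    seen.append(store.rewrite("http://your.repo/", now=1))   # still plain http
    store.note_response("https://your.repo/style.css", sts, now=2)  # https subresource
    seen.append(store.rewrite("http://your.repo/", now=3))   # upgraded from now on
    seen.append(store.rewrite("http://your.repo/", now=2 + year + 1))  # policy expired
    return seen
```
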