No HSTS header of Whole Registered Domain

AfterInfinity

Hey there,

The domain in question is being redirected from "example.com" to "www.example.com".
This is expected behaviour. That's how I want it to be.
But when following this guide from the docs, only www has the header.
Meaning the domain cannot be submitted to the HSTS preload list.
Ideally everything should include the HSTS header, even "example.com".
Does anyone know how to achieve this?

Kind Regards
 
I did know it in the past but can't find my notes.

In custom, while this has been a DA bug for a long time.

If you search the forum, maybe you can find topics about it from me and someone else: https://forum.directadmin.com/threads/force-redirect-is-not-secure-yet-for-hsts.57949/#post-334496

While the redirect order is wrong, so far as I remember.

A with www. should first redirect to https://www and after that to https:// without www, for example.

So when you do a force redirect in DA to SSL and also the redirect to non-www, it goes wrong. Also, to solve this in custom templates you need, so far as I know, both private and public.

Here for the hostname, DA port and other apps/ports it is also a problem:


These are some old notes, so a newer one in custom should work. Don't forget the cron task was also a problem in the past.

If you find out, please post here, as I didn't solve it on the new box.

https://www.directadmin.com/features.php?id=756

https://help.directadmin.com/item.php?id=3
https://help.directadmin.com/item.php?id=2
https://help.directadmin.com/item.php?id=351
https://forum.directadmin.com/showthread.php?t=53147&p=272761
If you need it for all domains:

- Using a custom VirtualHost template
http://help.directadmin.com/item.php?id=2

If you need it for selected domains:

Code:

|*if SSL_TEMPLATE="0"|
Redirect "/" "https://www.example.com/"
|*else|
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|*endif|

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
The command will be added to the task queue, which is checked once per minute, so it may be a few minutes before all httpd.conf files have been rewritten. *Note: the main /etc/httpd/conf/httpd.conf is never overwritten (unless DirectAdmin is reinstalled) so any changes you make will be safe.

Note, that you can also use if-then-else statements if you don't want all settings to be global. Example, say you want a custom item added, only for 1 domain:
|*if DOMAIN="domain.com"|
#custom item for just this domain
|*endif|

See the if-then-else link for more info on what else you can do with this basic scripting tool.

You can also run actual scripts with database queries, etc... if you wanted using the script portion of the templates.
More info on that here: http://www.directadmin.com/features.php?id=756

Using a custom VirtualHost template
Last Modified: Oct 13, 2010, 10:29 am
If you wish to change the setup of the VirtualHosts for all domains, you can do so by creating your own custom templates.
cd /usr/local/directadmin/data/templates
cp virtual_host2*.conf custom
cd custom
Once you've copied the 4 VirtualHost files (or just the ones you want) to the custom directory, you can then edit the new files you've just copied. DirectAdmin will always check for the custom file before going to the default ones. Failure to copy the virtual_host2*.conf files to the custom directory before modifying them will result in a loss of all changes when DirectAdmin updates itself (the files are overwritten). Note that there are actually 8 virtual_host files, but you only need to worry about the 4 that apply to you. The files with the 2 in them are for apache 2.x. The ones without the 2 in them are for apache 1.3.

Inside the virtual_host*.conf files, you'll find code that is similar to httpd.conf code, but contains what are known as tokens. These tokens are what will be replaced with specific user data for each domain created.
 
The bug is still on unfinished, but in version 1.62.8, who knows. I hope they will then solve this problem that you mention and that has existed for a long time now: the wrong order for redirect and HSTS settings.

At the moment, to enable HSTS on your website, you'd simply create an .htaccess file in your private_html folder, eg: https://help.directadmin.com/item.php?id=624 This feature will give a simple checkbox to turn on this functionality in the User's httpd.conf instead. Will only be added to the 443 VirtualHosts. More information to come. ---- T24603 T29063
 
A kind of workaround that worked in the past was using private and public html.

Then an .htaccess in both.
In public, the redirect only to https; then in private, the redirect to www or non-www, but put this after the HSTS rules in that .htaccess.

But then the force redirect and redirect in the DA admin GUI make no sense and probably give you a kind of loop. ;)
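
Added example (not written by any poster in this thread and not DirectAdmin code): a Python check of the redirect order discussed above, applying the hstspreload.org submission rules (HTTP must first redirect to HTTPS on the same host, and the HTTPS apex must send HSTS with max-age of at least one year, includeSubDomains and preload) to a recorded redirect chain. The function names and the sample chains for example.com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the minimum accepted for preload submission

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part)
    return max_age, flags

def audit_chain(apex, hops):
    """hops: [(url, headers), ...] in the order the redirects were followed."""
    problems, seen_https_apex = [], False
    for i, (url, headers) in enumerate(hops):
        u = urlsplit(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        if i == 0 and u.scheme == "http":
            # Jumping straight to https://www skips the apex HTTPS response.
            target = urlsplit(hdrs.get("location", ""))
            if (target.scheme, target.hostname) != ("https", apex):
                problems.append("first redirect must stay on %s over https" % apex)
        if u.scheme == "https" and u.hostname == apex:
            seen_https_apex = True
            sts = hdrs.get("strict-transport-security")
            if sts is None:
                problems.append("https://%s sends no HSTS header" % apex)
                continue
            max_age, flags = parse_hsts(sts)
            if max_age is None or max_age < MIN_MAX_AGE:
                problems.append("max-age is below %d" % MIN_MAX_AGE)
            for need in ("includesubdomains", "preload"):
                if need not in flags:
                    problems.append("missing %s directive" % need)
    if not seen_https_apex:
        problems.append("https://%s is never reached in the chain" % apex)
    return problems

HSTS = "max-age=31536000; includeSubDomains; preload"  # chains below are constructed
BROKEN = [("http://example.com/", {"Location": "https://www.example.com/"}),
          ("https://www.example.com/", {"Strict-Transport-Security": HSTS})]
FIXED = [("http://example.com/", {"Location": "https://example.com/"}),
         ("https://example.com/", {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": HSTS}),
         ("https://www.example.com/", {"Strict-Transport-Security": HSTS})]
```

To audit a live site, record each hop's URL and response headers (for instance from `curl -sIL http://example.com/`) and pass them in the same shape.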
 
Hello Ikkeben!

Thank you for your in-depth explanation! At least I have a workaround now!
It's sad to hear that DirectAdmin has this bug; this is a feature that should be supported from the get-go.
I hope this gets fixed in the new update.

Kind Regards
 