Tag Archives: Apache

How to configure HSTS on Apache

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.

Here is how to enable it on Apache2

1. Enable mod_headers

a2enmod headers

2. Add the additional header to the HTTPS VirtualHost directive. Max-age is measured in seconds. Put this into your VirtualHost *:443 section

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

apache | redirect from http to https

I found this guide to how to redirect http to https on the apache wiki

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

I use it within the virtualhost container like this

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

ServerAdmin webmaster@somesite.tld
ServerName somesite.tld
ServerAlias www.somesite.tld
DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined

DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined
</virtualhost>

Then you can have your ssl <virtualhost *:443> section

That ensure that if another application like wordpress wan’t to write something to .htacces then it will not we overwritten.

How To use Apache Bench for Simple Load Testing

If you wan’t to do a simple loadtesting of your site, then i will recommend using Apache Bench, it’ simple to install

Installing Apache Bench

sudo apt install apache2-utils

Suppose you wan’t to test if your site can handle 100 request with 10 concurrent users.

ab -n 100 -c 10 https://www.pvangsgaard.com/

I got this result…took only 6 sec to handle 100 requests