- if $ssl; then
- a2enmod headers
- https_arg=" https"
- common_ssl_conf=/etc/apache2/common-ssl.conf
- cat >>$vhost_file <<EOF
- SSLCertificateFile $cert_dir/fullchain.pem
- SSLCertificateKeyFile $cert_dir/privkey.pem
- Include $common_ssl_conf
- # From cerbot generated config example, taken 4/2017,
- # should be rechecked once a year or so.
- Header always set Strict-Transport-Security "max-age=31536000"
- SSLUseStapling on
- Header always set Content-Security-Policy upgrade-insecure-requests
+ if $ssl; then
+ a2enmod -q headers
+ https_arg=" https"
+ common_ssl_conf=/etc/apache2/common-ssl.conf
+ cat >>$vhost_file <<EOF
+SSLCertificateFile $cert_dir/fullchain.pem
+SSLCertificateKeyFile $cert_dir/privkey.pem
+Include $common_ssl_conf
+# From cerbot generated config example, taken 4/2017,
+# should be rechecked once a year or so.
+Header always set Strict-Transport-Security "max-age=31536000"
+SSLUseStapling on
+Header always set Content-Security-Policy upgrade-insecure-requests
+EOF
+
+ if (( port == 443 )); then
+ echo "$0: creating $redir_file"
+
+ # note, alternatively:
+ cat >/dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+<If "%{req:Upgrade-Insecure-Requests} == '1'">
+Redirect permanent "/" "https://mydomain.ltd/"
+</If>
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]