我正在设置一个网络服务器,并一直在用 SSLLabs 和 Chrome 31 检查它,以确保安全性达到标准。然而,Chrome 和 SSLLabs 似乎都不认为该域已启用严格传输安全性。我似乎无法弄清楚原因。以下是访问网站时来自 curl 的响应标头。
$curl -I ********.com
HTTP/1.1 301 Moved Permanently
Server: Apache
Date: Sat, 14 Dec 2013 22:58:27 GMT
Location: https://********.com/
Content-Type: text/html; charset=iso-8859-1
$curl -kI https://********.com
HTTP/1.1 200 OK
Server: Apache
Date: Sat, 14 Dec 2013 22:59:26 GMT
Last-Modified: Mon, 09 Dec 2013 04:58:41 GMT
ETag: "422-4ed12d98c43d3"
Accept-Ranges: bytes
Content-Length: 1058
Vary: Accept-Encoding
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: text/html
我的 Apache 配置,如报告所述mod_info
Module Name: mod_headers.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Post-Read Request, Fixups, Insert Filters, Insert Errors
Module Directives:
Header - an optional condition, an action, header and value followed by optional env clause
RequestHeader - an action, header and value followed by optional env clause
Current Configuration:
In file: /etc/apache2/sites-enabled/100-********-ssl.conf
2: <VirtualHost _default_:443>
30: Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
: </VirtualHost>