Set “Secure Flag” on Cookies for Only One (of many) Virtual Host on Apache

apache-2.4cookieshttps

I'm hosting a number of sites on a single VPS (Debian Jessie, Apache 2.4). One of these sites forces HTTPS. On this and only this site, I would like to set the "Secure Flag" for cookies. I've found loads of resources explaining how to do this for all sites hosted on a server via the apache2.conf file, like this:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

But I want Apache to apply this header rewrite only to the one HTTPS site. How do I do that?

Best Answer

Thanks to @JayMcTee's comments, I was able to stumble upon the answer.

To apply the settings to one specific virtual host, simply add the same lines you would to your apache2.conf file:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...to within your virtual host block. For example:

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerAdmin email@domain.com
  ServerName  domain.com
  ServerAlias www.domain.com

  DirectoryIndex index.html index.php
  DocumentRoot /var/www/domain.com/public_html

  ...

  LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

</VirtualHost>
</IfModule>

Then restart Apache (service apache2 restart).

Related Solutions

Apache 2.4 redirect within virtualhost

Above Listen 443 add (if it is not defined elsewhere)

NameVirtualHost *:443

Then before the virtualhost for webmail.dom2.com:443 add this virtualhost with redirect

<VirtualHost *:443>
    ServerName www.dom1.com
    ServerAlias dom1.com
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 443
    RewriteRule ^/(.*)$ http://www.dom1.com/$1 [R]
</VirtualHost>

Ssl – What apache VirtualHost configuration will serve one and only one domain over SSL

The errors you have posted indicate that you haven't included relevant necessary SSL configuration for your domains; for any domains/subdomains you wish to be accessible via SSL, you will need to provide relevant information for the certificate, etc, in the VirtualHost configuration(s) for the domains in question, eg:

<VirtualHost _default_:443>
    DocumentRoot /var/www/html/example1.com
    ServerName example1.com
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!DSS
        SSLHonorCipherOrder on

        SSLCertificateFile /etc/pki/tls/certs/example1certificate.crt
        SSLCertificateKeyFile /etc/pki/tls/private/example1privatekey.key
        SSLCertificateChainFile /etc/pki/tls/certs/certificatechainfile.pem
        SSLCACertificateFile /etc/pki/tls/certs/certificateauthority.pem
</VirtualHost>

You will then need to create appropriate VirtualHost segments for the rest of your domains, but in these you will of course only configure the listen port to be 80, with no SSL configuration options, eg:

<VirtualHost _default_:80>
    DocumentRoot /var/www/html/example2.com
    ServerName example2.com
</VirtualHost>

Hope this helps!

PS, the above configurations for SSLCipherSuite and SSLProtocol are good - you can use them to save you time researching other possible configurations if you wish.

Best Answer

Related Solutions

Apache 2.4 redirect within virtualhost

Ssl – What apache VirtualHost configuration will serve one and only one domain over SSL

Related Topic