Caddy: common dynamic redirects - www, bare domain, https

Created on 20 Nov 2015 · 6 Comments · Source: caddyserver/caddy

I took a look at redir, but the docs appear to only address the issue of a pathname, not host.

Is there currently a way to handle any of these common redirects?

  • HSTS redirect all http to https
  • nowww redirect all www prefixed domains to their bare domain
  • yeswww redirect all bare domains (without www) to a domain with www


All 6 comments

HSTS is just adding a header.

nowww:

www.example.com {
    redir https://example.com
}

yeswww:

example.com {
   redir http://www.example.com
}

There's an HSTS header, but you are also required to redirect http to https. The header doesn't do that for you (except in some browsers that are HSTS aware and choose to be forgiving of your forgetfulness).

Are you showing that if I omit the http/https prefix that it will auto redirect to https when http is encountered?

Still no way to handle domains en masse on the yeswww nowww though?

Hmmm... I keep running into this issue of needing blanket configuration using a hostname template rather than individual entries on a domain-by-domain basis.

My particular use case at the moment is redirect-www.org. I was going to switch to hosting it with Caddy, but I can't yet.

Are you showing that if I omit the http/https prefix that it will auto redirect to https when http is encountered?

If you use 0.8 beta's managed SSL, you don't have to set up redirects at all. It does it for you. In which case you just set the HSTS header yourself (though perhaps some security middleware could help with that; #312)...

Matt and I chatted on Slack about this and the HSTS header did work. SSL Labs recognized the additional header.

Care to document what that (typical) header configuration line was exactly please?

@kaihendry I haven't tried it myself yet but in theory it should simply be the standard HSTS header which I think looks like this.

header / Strict-Transport-Security "max-age=31536000"

Which would set it to 365 days.
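
Added example, not part of the thread or of Caddy: a small offline check for the two points discussed above, that the header value parses to the intended lifetime and that the http-to-https redirect exists separately from the header. The function names `parse_hsts` and `audit`, the host `example.com` and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797, 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def audit(host, http_resp, https_resp):
    """Check one host; each response is (status, headers) with lower-case header names."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("http is not redirected to https")
    elif target.hostname != host:
        findings.append("http redirect goes straight to another host, "
                        "so this path sets no HSTS policy for " + host)
    hsts = https_resp[1].get("strict-transport-security")
    if hsts is None:
        findings.append("https response has no Strict-Transport-Security header")
    elif parse_hsts(hsts)["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    return findings

# Constructed sample responses for a hypothetical host, not captured traffic.
GOOD_HTTP = (301, {"location": "https://example.com/"})
GOOD_HTTPS = (200, {"strict-transport-security": "max-age=31536000"})
# A header sent only over plain http is ignored by browsers, so this host fails twice.
BAD_HTTP = (200, {"strict-transport-security": "max-age=31536000"})
BAD_HTTPS = (200, {})

if __name__ == "__main__":
    print(parse_hsts("max-age=31536000")["max_age"] // 86400, "days")
    print(audit("example.com", GOOD_HTTP, GOOD_HTTPS))
    print(audit("example.com", BAD_HTTP, BAD_HTTPS))
```
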
