Question HSTS and ssl.conf command

[OverWolf]

Hi,
I'm using Nginx as proxy for Apache but I have some questions about it's configuration and how it's work.

a) I've implemented ssl.conf with new command like :
- ssl_session_timeout 30m;
- ssl_session_cache shared:SSL:32m;

I've read that if Nginx is using should be a good thing to set ssl_session_tickets to off. Now, if I use Nginx as proxy, should I also configure it for session tickes off ?

b) I have add other command as header for Apache like :
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-XSS-Protection "1; mode=block";
- add_header Strict-Transport-Security "max-age=15768000" always;

but it seems not to work. If I test my domain on ssllabs.com I cannot see that HSTS is enabled. In fact if I set these headers on Apache and nginx setting under the specific domain, on ssllabs.com result that HTTS is enable and working.
Why ?

Thank you

 

[SahinS]

Hello,

If you use Nginx as proxy, you should use it for conf., too. You can do this as pratical:

• Go to Plesk > Domains > example.com > Apache & Nginx Settings
• Find the Additional nginx directives and paste your header sets
  such as
  add_header 'Referrer-Policy' 'origin';
• and restart Nginx on Tools & Settings -> Services M. page.

 

[SahinS]

About HSTS,

You can use this header:

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;

Note: But there is one more thing that the site should be redirected to https first and then www subdomain.

You can use this site: HSTS Preload List Submission for check HSTS.

Good works!

 

[OverWolf]

Hi SahinS,
thank you for your answer, but my problem that if I configure this command in ssl.conf remain. I must set in the the Apache directive to work.

 

[mr-wolf]

Somehow everyone is ignoring the RFC directive that the HSTS header SHOULD NOT be transmitted over http.
As most servers are also listening on port 80 there is a brief connection on http.
What the consequences are of doing this anyhow..... Well, I don't know.
But most people here are nitpicking and trying to apply high standards that most banks and other services aren't.
Why they are ignoring a direct RFC-directive is beyond me and doesn't follow the reasoning they use when trying to achieve their magic "A+"

I have posted the solution for this several times and here is it again....

In /etc/nginx/conf.d you should prep that HSTS-directive by adding this file:

cat /etc/nginx/conf.d/aa100_prep_hsts.conf

map $scheme $hsts_header {
    https   'max-age=15768000';
}

map $scheme $hsts_isd_header {
    https   'max-age=15768000; includeSubDomains; preload';
}

That conf merely creates 2 variables that only exist if the client is connecting with https
I chose to make 2 of them:

hsts_header ( 'max-age=15768000'; )
hsts_isd_header ( 'max-age=15768000; includeSubDomains; preload'; )​

The HSTS-header can the be activated inside the vhost by adding it to /var/www/vhosts/system/*/conf/vhost_nginx.conf using the Plesk interface.

grep Strict-Transport /var/www/vhosts/system/client.com/conf/vhost_nginx.conf

add_header Strict-Transport-Security $hsts_header always;

In this thread I published a cronjob that will give you the best of both worlds.
A central place to configure serwide nginx directives and the flexibility to have exceptions on that because you are still able to edit the individual client's vhost_nginx.conf (from Plesk interface).

Question - Where is the place to specify X-Content-Type-Options for Plesk?

 

[SahinS]

Somehow everyone is ignoring the RFC directive that the HSTS header SHOULD NOT be transmitted over http.
As most servers are also listening on port 80 there is a brief connection on http.
What the consequences are of doing this anyhow..... Well, I don't know.
But most people here are nitpicking and trying to apply high standards that most banks and other services aren't.
Why they are ignoring a direct RFC-directive is beyond me and doesn't follow the reasoning they use when trying to achieve their magic "A+"

I have posted the solution for this several times and here is it again....

In /etc/nginx/conf.d you should prep that HSTS-directive by adding this file:

cat /etc/nginx/conf.d/aa100_prep_hsts.conf

map $scheme $hsts_header {
    https   'max-age=15768000';
}

map $scheme $hsts_isd_header {
    https   'max-age=15768000; includeSubDomains; preload';
}

That conf merely creates 2 variables that only exist if the client is connecting with https
I chose to make 2 of them:

hsts_header ( 'max-age=15768000'; )
hsts_isd_header ( 'max-age=15768000; includeSubDomains; preload'; )​

The HSTS-header can the be activated inside the vhost by adding it to /var/www/vhosts/system/*/conf/nginx_vhost.conf using the Plesk interface.

grep Strict-Transport /var/www/vhosts/system/client.com/conf/vhost_nginx.conf

add_header Strict-Transport-Security $hsts_header always;

In this thread I published a cronjob that will give you the best of both worlds.
A central place to configure serwide nginx directives and the flexibility to have exceptions on that because you are still able to edit the individual client's vhost_nginx.conf (from Plesk interface).

Question - Where is the place to specify X-Content-Type-Options for Plesk?

Hello,

Thanks for your answer. I have a basic question:

For example, I want to set HSTS for just one site as basic. Should I use this post ? Is that enough? Satisfying? Because HSTS Preload List Submission gives notice. "`http:// domain . com` (HTTP) should immediately redirect to `https:// domain . com` (HTTPS) before adding the www subdomain." (and I want to overcome it.) Also, your direction and her direction seem diffrent.

or should we use just (yours) this ?

Maybe you can publish a static article about this subject.

 

[mr-wolf]

The author of the other post is obviously unaware of the RFC directive to prohibit the sending of the header over plain http.
It's therefore not covered at all.

RFC6797 says:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

Because the directives we place in the Plesk interface are applied on both http and https we need to use that trick to stop sending the header over plain http.
This is also the case if we place the directive in a conf-file in /etc/nginx/conf.d/

Only if you place things yourself in a https section of a site you will have no need for this trick.

The immediate redirect to https is still recommended.
After a browser does this once it will always do this, even if no redirection is made.

 

[UFHH01]

Hi @mr-wolf,

comments at the bottom of each Plesk KB - article will send a notification to the Plesk Support - Team. You might consider to comment with your RFC - directive and ask for a possible change or work-around, to meet the standarts.

Regarding: => How to enable Strict-Transport-Security(HSTS) for domain?

 

[mr-wolf]

When using HSTS one should also consider rewriting a new key each week using a cronjob.
I wrote a script for this (was given the idea by @UFHH01).

If you somehow find yourself in a situation where you locked yourself out of a plain-http site because the browser has been fed with HSTS-info, you can correct the HSTS-header by removing the "includeSubdomains" part and then rewrite the hdparam key by using that same program.

After going to your none-subdomain https website you will be able to access the subdomain again using plain http.

Here's what you should have as a weekly cronjob

ln -s /usr/local/sbin/gen_dhparam /etc/cron.weekly/
cat /usr/local/sbin/gen_dhparam

#!/bin/bash

mkdir -p /etc/dhparam 2>/dev/null
FILE=`mktemp`

N=512
while [ $N -le 4096 ] ; do
  openssl dhparam $N -out $FILE && cat $FILE >/etc/dhparam/dhparam${N}.pem
  let N*=2
done

rm -f ${FILE}