
Resolved SSL It - HSTS appearing twice in headers

thinkingcap

Basic Pleskian
Thought I would try the SSL iT extension - when I enable HSTS it appears twice in returned headers.
Code:
strict-transport-security: max-age=15768000; includeSubDomains
strict-transport-security: max-age=15768000; includeSubDomains

Anyone else see same?

TIA
Dave
 
In config of my domain I see only following lines from SSLIt!

Code:
#extension sslit begin

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        #OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        #extension sslit end
 
Yes, I can confirm that it sends double headers.

If the response comes from Nginx directly there is only one Strict-Transport-Security header (correct behaviour).
If Nginx acts as a proxy for a response coming from Apache then a second "Strict-Transport-Security" is added.

In the Apache config file I can see the following line:
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

By running a test on SSL Labs I get the following errors:
"Server sent invalid HSTS policy. See below for further information."
"Strict Transport Security (HSTS) Invalid - Server provided more than one HSTS header"


Nginx is always involved in a response (proxy mode or not), so it should be the only one sending the Strict-Transport-Security header.

Examples:
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/test.jpg
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:36 GMT
content-type: image/jpeg
content-length: 241765
last-modified: Fri, 23 Sep 2016 20:36:41 GMT
etag: "57e59259-3b065"
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
accept-ranges: bytes
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:41 GMT
content-type: text/html
content-length: 3465
strict-transport-security: max-age=15768000; includeSubDomains
last-modified: Wed, 13 Feb 2019 22:40:23 GMT
etag: "d89-581ce3a382177"
accept-ranges: bytes
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
----------------------------------------
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of SSLit extension. Please refer to the following bug's ID: EXTSSLIT-462
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of SSLit extension. Please refer to the following bug's ID: EXTSSLIT-462
Any update on this?
Also, where do we track Plesk bugs?
 
Hello, thank you for your patience! This bug is not resolved yet, but it is planned to be fixed in one of the next releases.
 
Great that this is now resolved - at least in Obsidian.
You can remove HSTS config from nginx config and just use the extension.
 
Thanks, but here 1 year is not possible :( because hstspreload.org says:

The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000.
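The two problems raised in this thread, a duplicated Strict-Transport-Security header when nginx proxies to Apache and a max-age too short for hstspreload.org, can both be caught by inspecting the response headers before running SSL Labs. The following checker is an added example, not code from the thread, from Plesk or from the SSL It! extension. It parses raw header text of the kind `curl -I` prints, counts HSTS headers, evaluates the first one (the one browsers act on per RFC 6797 section 8.1) and optionally applies the preload-list requirements quoted above. The two sample responses are constructed from the curl output earlier in the thread, trimmed to the relevant lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples modelled on the curl -I output in the thread.
# The first is served by nginx directly; the second is proxied from Apache
# and carries the HSTS header twice.
DIRECT_FROM_NGINX = """HTTP/2 200
server: nginx
content-type: image/jpeg
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
"""

PROXIED_FROM_APACHE = """HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
"""

ONE_YEAR = 31536000  # minimum max-age hstspreload.org accepts


@dataclass
class HstsReport:
    header_count: int
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn raw response text into (lowercased name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts_value(value: str) -> Tuple[Optional[int], bool, bool]:
    """Extract max-age, includeSubDomains and preload from one HSTS header value."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())  # value may be quoted
            if m:
                max_age = int(m.group(1))
        elif key == "includesubdomains":
            include_sub = True
        elif key == "preload":
            preload = True
    return max_age, include_sub, preload


def check_hsts(raw: str, want_preload: bool = False) -> HstsReport:
    """Report on the HSTS policy a response carries and list anything that makes it invalid."""
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    report = HstsReport(header_count=len(values))
    if not values:
        report.problems.append("no Strict-Transport-Security header")
        return report
    if len(values) > 1:
        # Exactly what SSL Labs reports as "Server provided more than one HSTS header".
        report.problems.append(f"{len(values)} HSTS headers sent; only one is allowed")
    # Browsers process only the first HSTS header (RFC 6797 section 8.1), so evaluate that one.
    report.max_age, report.include_subdomains, report.preload = parse_hsts_value(values[0])
    if report.max_age is None:
        report.problems.append("max-age directive missing or malformed")
    if want_preload:
        if report.max_age is not None and report.max_age < ONE_YEAR:
            report.problems.append(f"max-age must be at least {ONE_YEAR}, got {report.max_age}")
        if not report.include_subdomains:
            report.problems.append("includeSubDomains directive required for preload")
        if not report.preload:
            report.problems.append("preload directive missing")
    return report


if __name__ == "__main__":
    for label, sample in (("direct", DIRECT_FROM_NGINX), ("proxied", PROXIED_FROM_APACHE)):
        print(label, check_hsts(sample, want_preload=True))
```

To use it against a live host, feed it the output of `curl -sI https://example.invalid/` (placeholder host); the duplicate-header problem only shows up on URLs that nginx proxies to Apache, so check a PHP page as well as a static file, as the curl examples above do.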
 
I still have the same error, any solution?
Do you mean problem with double HSTS headers? This bug was fixed in SSLit! version 1.1.2. Could you please check which version of SSLit extension is installed on your server?
 
Do you mean problem with double HSTS headers? This bug was fixed in SSLit! version 1.1.2. Could you please check which version of SSLit extension is installed on your server?

Hello everyone!

My Strict-Transport-Security is always "max-age=0; includeSubDomains; preload"

It doesn't matter what change you make in the HSTS configuration in Plesk or what lines you add to the nginx configuration, max-age is always 0.

I've also tried different combinations of headers in the nginx config, like:

add_header Strict-Transport-Security "max-age=2592000;includeSubDomains;preload" always;

But no changes. Any idea?

Thanks!

 