Resolved SSL It - HSTS appearing twice in headers

thinkingcap

Basic Pleskian
Thought I would try the SSL iT extension - when I enable HSTS it appears twice in returned headers.
Code:
strict-transport-security: max-age=15768000; includeSubDomains
strict-transport-security: max-age=15768000; includeSubDomains

Anyone else see same?

TIA
Dave
 
In the config of my domain I see only the following lines from SSLIt!

Code:
#extension sslit begin

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        #OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        #extension sslit end
 
Yes, I can confirm that it sends double headers.

If the response comes from Nginx directly there is only one Strict-Transport-Security header (correct behaviour).
If Nginx acts as a proxy for a response coming from Apache then a second "Strict-Transport-Security" is added.

In the Apache config file I can see the following line:
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

By running a test on SSL Labs I get the following errors:
"Server sent invalid HSTS policy. See below for further information."
"Strict Transport Security (HSTS) Invalid - Server provided more than one HSTS header"


Nginx is always involved in a response (proxy mode or not), so it should be the only one sending the Strict-Transport-Security header.

Examples:
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/test.jpg
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:36 GMT
content-type: image/jpeg
content-length: 241765
last-modified: Fri, 23 Sep 2016 20:36:41 GMT
etag: "57e59259-3b065"
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
accept-ranges: bytes
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:41 GMT
content-type: text/html
content-length: 3465
strict-transport-security: max-age=15768000; includeSubDomains
last-modified: Wed, 13 Feb 2019 22:40:23 GMT
etag: "d89-581ce3a382177"
accept-ranges: bytes
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
----------------------------------------
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of the SSLit extension. Please refer to the following bug ID: EXTSSLIT-462
 
Any update on this?
Also, where do we track Plesk bugs?
 
Hello, thank you for your patience! This bug is not resolved yet, but it is planned to be fixed in one of the next releases.
 
Great that this is now resolved - at least in Obsidian.
You can remove HSTS config from nginx config and just use the extension.
 
Thanks, but here 1 year is not possible :( because hstspreload.org says:

The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000.
 
I still have the same error, any solution?
Do you mean the problem with double HSTS headers? This bug was fixed in SSLit! version 1.1.2. Could you please check which version of the SSLit extension is installed on your server?
 

Hello everyone!

My Strict-Transport-Security is always "max-age=0; includeSubDomains; preload"

It doesn't matter what change you make in the HSTS configuration in Plesk or what lines you add to the nginx configuration, max-age is always 0.

I've also tried different combinations of headers in the nginx config, like:

add_header Strict-Transport-Security "max-age=2592000;includeSubDomains;preload" always;

But no changes. Any idea?

Thanks!
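
The three symptoms raised in this thread (the header sent twice when nginx proxies Apache, a max-age below the one year hstspreload.org requires, and a policy stuck at max-age=0) can all be spotted from the response headers alone. The script below is an added example, not code from the thread, from Plesk or from the SSL It! extension: it parses a raw header block in the form `curl -I` prints, counts Strict-Transport-Security headers and reports each of those conditions. The sample header blocks are constructed to mirror the curl output posted earlier; no real host is contacted.

```python
"""Check a raw HTTP response header block for HSTS problems.

Added example (not from the thread or from Plesk/SSL It!). Input is the
header text that `curl -I` prints; output is a summary of the HSTS state.
"""

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs; names lower-cased, status line skipped."""
    headers = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value: str) -> dict:
    """Split one HSTS value into directives (names case-insensitive, RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    if "max-age" in directives:
        try:
            directives["max-age"] = int(directives["max-age"])
        except ValueError:
            directives["max-age"] = None  # unparseable max-age
    return directives


def check_hsts(raw: str) -> dict:
    """Summarise HSTS state; 'findings' is empty when the policy is clean."""
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    findings = []
    result = {"count": len(values), "max_age": None,
              "preload_ready": False, "findings": findings}
    if not values:
        findings.append("no HSTS header")
        return result
    if len(values) > 1:
        # The condition SSL Labs reports as "more than one HSTS header":
        # fix whichever layer (nginx or Apache) is duplicating it.
        findings.append(f"HSTS header sent {len(values)} times")
    d = parse_hsts(values[0])
    max_age = d.get("max-age")
    result["max_age"] = max_age
    if max_age is None:
        findings.append("max-age missing or not an integer")
    elif max_age == 0:
        findings.append("max-age=0 disables HSTS (browsers drop the cached policy)")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the {PRELOAD_MIN_MAX_AGE} needed for preload")
    result["preload_ready"] = (
        len(values) == 1
        and max_age is not None
        and max_age >= PRELOAD_MIN_MAX_AGE
        and "includesubdomains" in d
        and "preload" in d
    )
    return result


# Constructed samples modelled on the thread's curl -I output (no real host).
DOUBLE_HSTS = """HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
"""

ZERO_HSTS = """HTTP/2 200
server: nginx
strict-transport-security: max-age=0; includeSubDomains; preload
"""

CLEAN_HSTS = """HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

if __name__ == "__main__":
    for label, raw in (("double", DOUBLE_HSTS), ("zero", ZERO_HSTS), ("clean", CLEAN_HSTS)):
        print(label, check_hsts(raw))
```

To run it against a live site, pipe `curl -sI https://example.tld/` into `check_hsts`; a count above 1 means two layers are both adding the header, so the fix is to leave it in one place (nginx, as the thread recommends) rather than in both the nginx and Apache configs.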

 