
Resolved SSL It - HSTS appearing twice in headers

thinkingcap

Basic Pleskian
Thought I would try the SSL It! extension; when I enable HSTS it appears twice in the returned headers.
Code:
strict-transport-security: max-age=15768000; includeSubDomains
strict-transport-security: max-age=15768000; includeSubDomains

Anyone else see the same?

TIA
Dave
 
In the config of my domain I see only the following lines from SSL It!:

Code:
#extension sslit begin

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        #OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        #extension sslit end
 
Yes, I can confirm that it sends double headers.

If the response comes from Nginx directly there is only one Strict-Transport-Security header (correct behaviour).
If Nginx acts as a proxy for a response coming from Apache then a second "Strict-Transport-Security" is added.

In the Apache config file I can see the following line:
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

By running a test on SSL Labs I get the following errors:
"Server sent invalid HSTS policy. See below for further information."
"Strict Transport Security (HSTS) Invalid - Server provided more than one HSTS header"


Nginx is always involved in a response (proxy mode or not), so it should be the only one sending the Strict-Transport-Security header.

Examples:
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/test.jpg
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:36 GMT
content-type: image/jpeg
content-length: 241765
last-modified: Fri, 23 Sep 2016 20:36:41 GMT
etag: "57e59259-3b065"
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
accept-ranges: bytes
----------------------------------------
XXXXXXXXX:~ xxxxxx$ curl -I https://xxxxxxxxxx.tld/
HTTP/2 200
server: nginx
date: Sat, 01 Jun 2019 02:07:41 GMT
content-type: text/html
content-length: 3465
strict-transport-security: max-age=15768000; includeSubDomains
last-modified: Wed, 13 Feb 2019 22:40:23 GMT
etag: "d89-581ce3a382177"
accept-ranges: bytes
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
----------------------------------------
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of the SSL It! extension. Please refer to the following bug ID: EXTSSLIT-462
 
Thank you for the information!
Yep, we confirm this as a bug. It will be fixed in one of the next releases of the SSL It! extension. Please refer to the following bug ID: EXTSSLIT-462
Any update on this?
Also, where do we track Plesk bugs?
 
Hello, thank you for your patience! This bug is not resolved yet, but it is planned to be fixed in one of the next releases.
 
Great that this is now resolved - at least in Obsidian.
You can remove HSTS config from nginx config and just use the extension.
 
Thx, but here 1 year is not possible :( because hstspreload.org says:

The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000.
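The following checker is an added example written for this page; it is not code from SSL It!, Plesk, or any poster in the thread. It applies the two rules that come up above: RFC 6797 (section 8.1) says a browser processes only the first Strict-Transport-Security field it receives, and SSL Labs reports a response carrying more than one as an invalid policy, which is what happens when nginx adds its own header on top of the one Apache already set; hstspreload.org additionally requires max-age of at least 31536000 seconds plus the includeSubDomains and preload directives. The two response heads in the block are constructed to mirror the curl output posted earlier (one static file served by nginx, one proxied from Apache); the function and class names are this example's own.

```python
"""Check an HTTPS response head for HSTS problems.

Added example (not code from SSL It!, Plesk, or any poster in this thread).
Two checks from this thread are applied:
  * RFC 6797 section 8.1: a browser processes only the FIRST
    Strict-Transport-Security field; SSL Labs reports a response carrying
    more than one as an invalid HSTS policy.
  * hstspreload.org: max-age must be at least 31536000 seconds (one year),
    and includeSubDomains and preload must both be present.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31_536_000  # minimum max-age (seconds) accepted by hstspreload.org


@dataclass
class HstsReport:
    sts_fields: list[str]            # every STS field value, in wire order
    max_age: Optional[int] = None    # taken from the first field only
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def duplicate(self) -> bool:
        return len(self.sts_fields) > 1

    @property
    def preload_ready(self) -> bool:
        return (not self.duplicate and self.max_age is not None
                and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)


def parse_head(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head (status line plus header lines) into
    (name, value) pairs; names are lower-cased, as HTTP/2 sends them."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:   # drop the status line
        if not line.strip():
            break                               # blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_sts(value: str) -> dict[str, Optional[str]]:
    """'max-age=15768000; includeSubDomains' ->
    {'max-age': '15768000', 'includesubdomains': None}.
    Directive names are case-insensitive (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(raw_response: str) -> HstsReport:
    sts = [v for n, v in parse_head(raw_response) if n == "strict-transport-security"]
    report = HstsReport(sts_fields=sts)
    if not sts:
        report.problems.append("no Strict-Transport-Security field")
        return report
    if len(sts) > 1:
        report.problems.append(
            f"{len(sts)} Strict-Transport-Security fields (browsers use the first; "
            "SSL Labs reports the policy as invalid)")
    d = parse_sts(sts[0])                       # only the first field counts
    try:
        report.max_age = int(d["max-age"])
    except (KeyError, TypeError, ValueError):
        report.problems.append("first field has no numeric max-age")
    report.include_subdomains = "includesubdomains" in d
    report.preload = "preload" in d
    if report.max_age == 0:
        report.problems.append("max-age=0 tells browsers to delete the cached HSTS policy")
    elif report.max_age is not None and report.max_age < ONE_YEAR:
        report.problems.append(
            f"max-age={report.max_age} is below the {ONE_YEAR} required for preload")
    if report.preload and not report.include_subdomains:
        report.problems.append("preload requires includeSubDomains")
    return report


# Constructed response heads modelled on the curl output posted in this thread.
STATIC_FROM_NGINX = """HTTP/2 200
server: nginx
content-type: image/jpeg
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
"""

PROXIED_FROM_APACHE = """HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
strict-transport-security: max-age=15768000; includeSubDomains
x-powered-by: PleskLin
"""

if __name__ == "__main__":
    for label, raw in (("static", STATIC_FROM_NGINX), ("proxied", PROXIED_FROM_APACHE)):
        r = check_hsts(raw)
        print(f"{label}: duplicate={r.duplicate} max_age={r.max_age} "
              f"preload_ready={r.preload_ready} problems={r.problems}")
```

To run it against a live host, paste the head printed by `curl -I https://host/` into `check_hsts`. The checker deliberately reads directives only from the first field, as RFC 6797 requires, so a second field with a longer max-age would not help; the only clean state is one origin (nginx, since it fronts every response here) emitting the header, and a max-age of at least a year before submitting to hstspreload.org.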
 
I still have the same error, any solution?
Do you mean the problem with double HSTS headers? This bug was fixed in SSL It! version 1.1.2. Could you please check which version of the SSL It! extension is installed on your server?
 
Do you mean the problem with double HSTS headers? This bug was fixed in SSL It! version 1.1.2. Could you please check which version of the SSL It! extension is installed on your server?

Hello everyone!

My Strict-Transport-Security is always "max-age=0; includeSubDomains; preload"

It doesn't matter what change you make in the HSTS configuration in Plesk or what lines you add to the nginx configuration, max-age is always 0.

I've also tried different combinations of headers in the nginx config, like:

add_header Strict-Transport-Security "max-age=2592000;includeSubDomains;preload" always;

But no changes. Any idea?

Thanks!

 