Effort to setup HSTS

Discussion in 'General' started by neumann, May 11, 2020.

  1. neumann

    neumann Member

    I have been trying to hardening my domain even better.

    I started setting it up in vhost (/etc/Apache2/sites-enabled/site_in_question) with: Header always set Strict-Transport-Security "max-age=10886400; includeSubdomains; preload" set in the <VirtualHost:443> block.

    It worked fine, but then I had to make a new subdomain, and discovered that the addition of the Header vanished.

    So I decided to put it directly in ISPConfig's Apache directive for the domain.
    Bad decision, it seems.
    Now I'm completely unable to get in touch with any of my domains on the server including ISPConfig.

    How can I revert to a point where I can get in touch with my ISPConfig again.
    Is it possible somehow to get into the database and delete that Header directive? And how?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    No, that works fine. I have done that, and set via apache config snippets.

    Check error logs, eg. is apache failing to start? To temporarily undo your change, you can just edit the vhost file and delete the custom directive line(s). Once apache is running again, you can edit the vhost in ISPConfig to remove or change those.
     
  3. neumann

    neumann Member

    Yes apache failed to reload. Thank you
    Now I learned something new (again :) ).
    If I make a snippet code, or just include code in the directive box, the code appears both in the http and the https section. But for redirecting from http to https, it doesn't make sense (according to https://hstspreload.org/?domain=mydomain.tld) to put it in http section, only in https section. But it seems that this is not an option as snippets or directive inputs in ispc. Is there a way to put cone in just https section of vhost?
     
  4. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    You can create a custom vhost config for ISPConfig and resync the sites, or put this line in the directive:
    Code:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    You should start with a shorter age, like 60 (seconds), test if it works, and then make it longer.
     
  5. neumann

    neumann Member

    Thanks for your suggestion. I found out about that in another thread, but in relation to disable TLSv1.0 and TLSv1.1, which seems to be outdated now. I found out to copy the template /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master and do the changes there. pretty awesome.

    But for the time being, I just set up the HSTS header as a code snippet, which I can then choose to implement on a domain basis by adding it to the directives of the domain.

    The more I work with ISPC, the more I love it. :)
    By the way, I found this page from the Netherlands for help in hardening ones domains, and it is a pretty nice tool: https://internet.nl
     
  6. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    I'm familiar with it :) If you need any extra help with the hardening, I'm glad to help. I have several Hall of Fame notations on internet.nl :)
     
  7. neumann

    neumann Member

    Good to hear. Well I know you are all very gifted in here. In comparison I'm a novice, but eager to learn. :)
    I have been able to get an 81%, my only 2 remaining problems left are IPv6 not present, which I am trying to figure out with my ISP. And my DANE validity seems not to pass. Other than that I'm happy. :)
     
  8. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    If DANE doesn't pass, your website could be inaccessible for some users. I would suggest not to use it unless you completely know what you are doing. If you want to use it and have a let's encrypt certificate, this DNS record is valid for all certificates signed with the LE X3 Root cert:
    Code:
    le-ca TLSA 2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d[code]
     
  9. neumann

    neumann Member

    Just found out that my ISP doesn't provide IPv6.
    And now my DANE is none existent, and thus not validated. I cant seem to make your suggestion work, but neither is my own:
    Record: TLSA
    Host: _443._tcp.bnjpro.dk
    Data: fda82506a205df8f1e027c2974992d748766b16bc61f0c475d8d36d620fae7eb
    Usage: 3
    Selector: 1
    Matching: 1
    TTL: 30
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Code:
    <If "%{HTTPS} == 'on'">
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
            Header always set Content-Security-Policy: upgrade-insecure-requests
        </IfModule>
    </If>
    
     
    Th0m likes this.
  11. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    It's hard to keep this updated every 60 days manually... I would just leave this out, for sure for web.
     

Share This Page