HSTS centos 7

Discussion in 'Installation/Configuration' started by brody182, Mar 9, 2016.

  1. brody182

    brody182 Member

  2. ztk.me

    ztk.me Active Member

    HSTS is not mandatory - except you feel that you really need to send everything over https per default which:
    - increases server load due to https use
    - requires valid certificates if you don't want users to leave because they don't like to add custom signed certs, even they can be more secure than anything a 3rd party offers
    - may cause issues for certain applications like if you need to send a referer to your advertising partner

    But if you really want that, you just need to follow some easy instructions for your webserver.
    If you use Apache for example:
    -You need to $a2enmod headers after you installed ssl certificates and made sure it's working
    -Add the following entry to your additional vhost entries list:
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    You may also check your ssl config to protect your server against some common attack vectors to old protocols
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256
    SSLHonorCipherOrder on
    Fore more informations on the syntax check the corresponding RFC 6797

    For your Mail-Authentification you may need to adjust your postfix and dovecot services.
    For Postfix check this entry.
    Also don't use old protocols:

    Dovecot don't use old protocls, in /etc/dovecot.conf

    ssl_protocols = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2:SSLv3

    And for TLS enforcement check
    Dovecot configuration page.

    This is by no means a complete howto, I think I'm missing some changes in postfix master.cf ( after reading linked pages )

    But I don't know how much help you need to do what you intended, so if there are any further questions, please feel free to reply :)
  3. brody182

    brody182 Member

    a2enmod headers is not available on cents

    and where in ispconfig do i paste the Header script?
  4. brody182

    brody182 Member

    ok got it, I added to directive snippets then admit to individual sites
  5. brody182

    brody182 Member

    the only one I was missing was:
  6. ztk.me

    ztk.me Active Member

    ok great, was just about to write that :)
  7. brody182

    brody182 Member

    when I include the following header in apache directive I still get " strict transfer security (HSTS ) = NO in ssllabs.com
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  8. ztk.me

    ztk.me Active Member

    Sorry, my fault - the Header is for SSL vhost configuration only, you have to permanent redirect non http requests to https.
    For the SSL options and the HSTS header you could modify your template file
    just look for the starting condition:
    <tmpl_if name='ssl_enabled'>
    and adjust it to your needs. However this change will affect every domain then.
    I haven't checked wether there is an issue sending the hsts header to non https-connections, if it's working you probably don't need to modify the template.

    You can use ISPConfig redirect settings or htaccess/httpd option:
      <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    And in addition to that you can also use htaccess/httpd option to set the header for https only:

    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

    I'm not sure about the ssl options, would need to look up the docs or let you try :D
    Last edited: Mar 9, 2016

Share This Page