Ispconfig 3.1.13 Nginx HSTS not working

Discussion in 'Installation/Configuration' started by ktownmods, May 24, 2019.

  1. ktownmods

    ktownmods Member HowtoForge Supporter

    Hey, I use Ubuntu 18.04 with ISPConfig (newest) and Nginx.
    I inserted
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    in the Options tab on my domain under additional nginx directives, but if I test it on hstspreload.org, it tells me

    Code:
    The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=0. If you are trying to remove this domain from the preload list, please visit https://hstspreload.org/removal/
    But I set it to max-age=31536000?

    Can anyone help me?
     
  2. ahrasis

    ahrasis Well-Known Member

    You need preload. Try:
    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    Restart nginx if necessary.
     
  3. ktownmods

    ktownmods Member HowtoForge Supporter

    It does not work

    Code:
    Error: Max-age is 0
    The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=0. If you are trying to remove this domain from the preload list, please visit https://hstspreload.org/removal/
    Warning: Unnecessary HSTS header over HTTP
    The HTTP page at http://example.de sends an HSTS header. This has no effect over HTTP, and should be removed
    I think I am doing something wrong
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the generated vhost file to see if the line is present there. If the site contains a CMS, then it might also be that the CMS overrides the header.
     
  5. ktownmods

    ktownmods Member HowtoForge Supporter

    The line is in the vhost in /etc/nginx/sites-available.
    And yeah, I use a CMS. How can I check what in the CMS overrides the nginx value?
     
  6. ktownmods

    ktownmods Member HowtoForge Supporter

    Hey, I asked the author of the CMS I use, and he answered me that the CMS doesn't override the HSTS value.
     
  7. ktownmods

    ktownmods Member HowtoForge Supporter

    I figured it out, it was Cloudflare.
    It overrode my value.
     
