[solved] HTTP Strict Transport Security (HSTS) Support

[CodyRo]

Would it be possible to get support for HSTS as more browsers are starting to support it (Chrome, et all)? It's a simple header addition similar to expires.

https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security#Limitations

The particular part of interest is the implementation portion.

Although it's trivial to add it to your application I think it would be nice to add a simple checkbox in the SSL listener page / an area to set the max-age.

 

[andreas]

Just add the header in the context settings ("Extra Headers").

 

[CodyRo]

Just add the header in the context settings ("Extra Headers").

As mentioned in the initial thread yes it's trivial to add however I believe the point of the LSWS admin interface is to help less experienced users manage their website(s). As a result it would be a quick addition - it would also give HSTS more exposure in general which would be a good thing.

 

[joe]

x2 this should be added as a feature.

So what exactly is the proper syntax for this? I see the extraheaders option under the VM context tab. This is the value which I've been fiddling with and so far no luck:

Strict-Transport-Security: max-age=31536000; includeSubDomains

 

[mistwang]

It should work by adding to "Extra Headers", please let us know the version of LSWS, type of resources pointed by the URL. static? dynamic? php?

 

[joe]

Running the latest version of std on freebsd 10 with mainly dynamic php, joomla.

 

[mistwang]

tested it, the header was added but truncated due to a bug, you can work around it with

Strict-Transport-Security: "max-age=31536000; includeSubDomains"

it will be fixed in next release.

 

[joe]

Yeah still no dice. Basically every attempt is failing to pass over at https://www.ssllabs.com/ssltest/analyze.htm for the HSTS test.
btw: I was attempting to implement this only on the cgi type, not the statics or was that my mistake?

This is somewhat off topic, but will you be updating the TLS/SSL howto's soon? It would be great if you had a straight forward walk -thru of what it takes to score an"A" in litespeed speak although it isn't heard to figure out.

 

[joe]

OK, I'm stuck on this. Perhaps its bugged in part, but the response above leads me to think it can work if properly configured.

So what I'm trying to do here is get this feature enabled on an established VM which already uses TLS. First I tried to add the parameter above to the Extra Headers filed of the existing CGI type & URI /cgi-bin/ which is setup by the default VM template. I ignored the three other default Static types. This didn't work with multiple syntax-es including the one above by Mistwang.

Next I created a new context of type: CGI URI: /html which has only this extra header setting defined. This is a Joomla webroot folder.

What am I missing here?

 

[mistwang]

I could not reproduce it, it works fine if I add it to the cgi-bin/ context.
Uploaded the latest 4.2.12 package for freebsd, you can force reinstall, then try again.

 

[joe]

thanks, but no love yet.

I did re-install and I notice a small delta in the tarball file sizes on 4.2.12 but to no effect. Two things perhaps unless you can help rule them out. This vmhost is using a legacy php binary compiled using litespeed of 5.3.28 and this instance is running on FreeBSD10. I do compat6 libraries installed and the server is essentially functional in every other way since the recent upgrade so I would like to think its not the issue here. frankly idk.

No apparent debug info regarding this either. Before giving up for now, what else can I examine?

listed here is the vhconf.

-----------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<virtualHostConfig>
<docRoot>$VH_ROOT/html/</docRoot>
<adminEmails>administrator@mydomain.com</adminEmails>
<enableGzip>0</enableGzip>
<logging>
<log>
<useServer>0</useServer>
<fileName>$VH_ROOT/logs/error.log</fileName>
<logLevel>DEBUG</logLevel>
<rollingSize>10M</rollingSize>
</log>
<accessLog>
<useServer>0</useServer>
<fileName>$VH_ROOT/logs/access.log</fileName>
<rollingSize>10M</rollingSize>
<keepDays>30</keepDays>
<compressArchive>0</compressArchive>
</accessLog>
</logging>
<index>
<useServer>0</useServer>
<indexFiles>index.php</indexFiles>
<autoIndex>0</autoIndex>
<autoIndexURI>/_autoindex/default.php</autoIndexURI>
</index>
<customErrorPages>
<errorPage>
<errCode>404</errCode>
<url>/error.php</url>
</errorPage>
</customErrorPages>
<scriptHandlerList>
<scriptHandler>
<suffix>php</suffix>
<type>lsapi</type>
<handler>lsphp5.3.28-mydomain</handler>
<note></note>
</scriptHandler>
</scriptHandlerList>
<htAccess>
<allowOverride>4</allowOverride>
<accessFileName>.htaccess</accessFileName>
</htAccess>
<expires>
<enableExpires>1</enableExpires>
</expires>
<security>
<hotlinkCtrl>
<enableHotlinkCtrl>0</enableHotlinkCtrl>
<suffixes>gif, jpeg, jpg</suffixes>
<allowDirectAccess>1</allowDirectAccess>
<onlySelf>1</onlySelf>
</hotlinkCtrl>
<accessControl>
<allow>*</allow>
</accessControl>
<realmList>
<realm>
<type>file</type>
<name>SampleProtectedArea</name>
<userDB>
<location>$VH_ROOT/conf/htpasswd</location>
<maxCacheSize>200</maxCacheSize>
<cacheTimeout>60</cacheTimeout>
</userDB>
<groupDB>
<location>$VH_ROOT/conf/htgroup</location>
<maxCacheSize>200</maxCacheSize>
<cacheTimeout>60</cacheTimeout>
</groupDB>
</realm>
</realmList>
</security>
<extProcessorList>
<extProcessor>
<type>lsapi</type>
<name>lsphp5.3.28-mydomain</name>
<address>uds://tmp/lshttpd/lsphp5.3.28.sock</address>
<note>PHP_LSAPI_MAX_REQUESTS=500
PHP_LSAPI_CHILDREN=35</note>
<maxConns>35</maxConns>
<env>PHP_LSAPI_MAX_REQUESTS=500</env>
<env>PHP_LSAPI_CHILDREN=35</env>
<initTimeout>60</initTimeout>
<retryTimeout>0</retryTimeout>
<persistConn></persistConn>
<pcKeepAliveTimeout>200</pcKeepAliveTimeout>
<respBuffer>0</respBuffer>
<autoStart>1</autoStart>
<path>$SERVER_ROOT/fcgi-bin/lsphp-5.3.28</path>
<backlog>100</backlog>
<instances>1</instances>
<extUser></extUser>
<extGroup></extGroup>
<runOnStartUp></runOnStartUp>
<extMaxIdleTime></extMaxIdleTime>
<priority></priority>
<memSoftLimit></memSoftLimit>
<memHardLimit></memHardLimit>
<procSoftLimit></procSoftLimit>
<procHardLimit></procHardLimit>
</extProcessor>
</extProcessorList>
<contextList>
<context>
<type>NULL</type>
<uri>/docs/</uri>
<location>$SERVER_ROOT/docs/</location>
<allowBrowse>1</allowBrowse>
</context>
<context>
<type>NULL</type>
<uri>/protected/</uri>
<location>protected/</location>
<allowBrowse>1</allowBrowse>
<realm>SampleProtectedArea</realm>
<authName>Protected</authName>
<required>user test</required>
<accessControl>
<allow>*</allow>
</accessControl>
</context>
<context>
<type>NULL</type>
<uri>/blocked/</uri>
<location>blocked/</location>
<allowBrowse>0</allowBrowse>
</context>
<context>
<type>cgi</type>
<uri>/cgi-bin/</uri>
<location>$VH_ROOT/cgi-bin/</location>
<note></note>
<extraHeaders>Strict-Transport-Security: &quot;max-age=31536000; includeSubDomains&quot;</extraHeaders>
<allowSetUID></allowSetUID>
<allowOverride></allowOverride>
<realm></realm>
<authName></authName>
<required></required>
<accessControl>
<allow></allow>
<deny></deny>
</accessControl>
<authorizer></authorizer>
<addDefaultCharset>off</addDefaultCharset>
<defaultCharsetCustomized></defaultCharsetCustomized>
<rewrite>
<enable></enable>
<inherit></inherit>
<base></base>
<rules></rules>
</rewrite>
<apacheConf></apacheConf>
</context>
</contextList>
<rewrite>
<enable>0</enable>
<logLevel>9</logLevel>
<rules>RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot
RewriteRule ^/nospider/ - [F]</rules>
</rewrite>
<frontPage>
<enable>0</enable>
<disableAdmin>0</disableAdmin>
</frontPage>
<awstats>
<updateMode>0</updateMode>
<workingDir>$VH_ROOT/awstats</workingDir>
<awstatsURI>/awstats/</awstatsURI>
<siteDomain>localhost</siteDomain>
<siteAliases>127.0.0.1 localhost</siteAliases>
<updateInterval>86400</updateInterval>
<updateOffset>0</updateOffset>
</awstats>
</virtualHostConfig>

 

[mistwang]

My setup is similar, I uses curl to test it
curl -i http://localhost:8088/cgi-bin/helloworld

and the "hsts" header is there.

 

[joe]

I've been trying a similar curl test as well to verify, plus the ssllabs. It seems no values will take in extraheaders for me right now.

All of these lines are currently configured and there is no result with curl: curl -s -D- https://192.168.1.1 | grep Strict


Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Strict-Transport-Security "max-age=31536000, includeSubDomains"
Strict-Transport-Security max-age=31536000; includeSubDomains

 

[mistwang]

since the extra header configuration is in "/cgi-bin/" context, you have to access https://192.168.1.1/cgi-bin/helloworld
if you want to add those headers to https://192.168.1.1/ , you need to create a "/" context.

 

[joe]

BINGO!!

First try after creating a new context using the URI of "/" its working! Thank you so much!! I'd suggest adding this type of example to the docs for others.

You guys do rock!