rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: aokvilla on June 29, 2017, 02:06:16 PM

Title: Send HSTS header
Post by: aokvilla on June 29, 2017, 02:06:16 PM
Hello,
I am using HFS 2.3k and stunnel 5.41 to enable HTTPS on my site. Is there any way for HFS to send an HSTS header (this: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload) to enable HSTS on my website?
Title: Re: Send HSTS header
Post by: Mars on June 29, 2017, 03:36:54 PM
HFS handles only the HTTP protocol; that is why we add stunnel.

But stunnel does not allow intervening on the headers; the applicable solution is the redirection using two distinct servers:

http://www.rejetto.com/forum/router-port-problems/redirect-from-80-(http)-to-443-(https)/

In the example of a restricted template for port 80 without the redirect URL, you can add a macro to add the header required to transmit the HSTS mode to the browser, something like:

{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}

It is very likely that it should be added to all the web pages created by the main server to force the browser to use only the HTTPS protocol.

This method has never been tested but can be a good solution to force the passage through stunnel.

After a few tests, I was unable to make the idea work.
Title: Re: Send HSTS header
Post by: aokvilla on June 29, 2017, 05:39:52 PM
I do have two servers: one is Apache on a Raspberry Pi which just hosts one HTML page to redirect to HTTPS, and the HFS on a computer which serves the HTTPS requests. Where in HFS would I put {.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}? Would it go in the HTML template or somewhere else?
Title: Re: Send HSTS header
Post by: aokvilla on July 02, 2017, 10:39:53 AM
I have looked at this further and I have found that I possibly need to put this in the HTML template:
[special:begin]
{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}
or this:
[special:begin]
{.add header|{:Strict-Transport-Security: max-age=63072000; includeSubDomains; preload:}.}
I have tried inserting these into the hfs.tpl at the end or between [+special:strings] and [], and neither worked.

Edit:

I have also tried adding this:
[special:begin]
{.add to log|{.add header|{Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}HSTS header sent.}
to the diff template for /, and 'HSTS header sent' appears in the log, but the header is not sent.
Title: Re: Send HSTS header
Post by: Mars on July 02, 2017, 10:48:10 AM
Have a look at
http://www.rejetto.com/wiki/index.php?title=HFS:_Event_scripts

I don't have a better idea actually.

If you want to check the headers that are transmitted, under Firefox it is possible to add the following module:

https://code.google.com/archive/p/httpfox/
Title: Re: Send HSTS header
Post by: aokvilla on July 02, 2017, 11:15:01 AM
I have just managed to get HFS to send the header. I put this in the diff template for root /:
[special:begin]
{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}
Title: Re: Send HSTS header
Post by: Mars on July 02, 2017, 11:31:16 AM
I do not understand why the header is not taken into account by the browser, but it is actually received by it.
Title: Re: Send HSTS header
Post by: aokvilla on July 02, 2017, 12:09:40 PM
It looks like you are missing a space between includeSubDomains; and preload.
If that doesn't work try typing your site into ssllabs.com/ssltest/index.html and see if you get a green box that says HSTS deployed.
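A way to check the header locally rather than through ssllabs, as an added example that is not part of the thread and not HFS or stunnel code: it parses a response head, splits the Strict-Transport-Security value into directives per RFC 6797 (whitespace after ';' is optional, so both spellings discussed above parse the same) and reports what is missing for preload. The response head is constructed inline to stand in for what stunnel would deliver.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) header."""

# Constructed sample response head, not captured from a real server;
# the header value is the one used throughout the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: HFS 2.3k\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # minimum max-age the browser preload list (hstspreload.org) accepts


def get_header(raw_head: str, name: str):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the head
            break
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_sts(value: str) -> dict:
    """Split an STS field value into {directive-name: value}, names lower-cased.

    Directives are ';'-separated and surrounding whitespace is optional
    (RFC 6797 section 6.1), so 'includeSubDomains;preload' parses like
    'includeSubDomains; preload'. Valueless directives map to ''.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_sts(raw_head: str) -> list:
    """Return a list of problems; an empty list means the header is preload-ready."""
    value = get_header(raw_head, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    d = parse_sts(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems
```

Browsers ignore this header on a plain-HTTP response (RFC 6797 section 8.1), so the check only means something on the response received over the stunnel HTTPS port, not on the port 80 redirect server.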
Title: Re: Send HSTS header
Post by: Mars on July 02, 2017, 02:17:11 PM
It seems that everything works with your server; I get a redirection to HTTPS with Firefox:
http://adam ....uk:80/  -->>   https://adam ....uk/
You will recognize this image.
Title: Re: Send HSTS header
Post by: rejetto on July 15, 2017, 06:04:21 PM
I think the correct event is [request].
Try that.
Title: Re: Send HSTS header
Post by: aokvilla on July 15, 2017, 08:37:36 PM
I have just tried and [request] does work, thank you.
I use a .html file for the root of my site. Is there any way to put macros in a .html file and have HFS run them instead of displaying them as text in the web browser? I have also put the [request] and macro in the diff template for / and that didn't work.
Alternatively, is there any way to set a diff template for / (containing the HTML for my root page) and not have all other pages inherit it, as that breaks the rest of the pages?
Title: Re: Send HSTS header
Post by: aokvilla on July 16, 2017, 07:06:14 PM
I have now found a different way to solve this. Because the header is sent whenever the main HFS template is used but not when my .html file is used, I have moved my home page to /index.html, removed it from / and made / non-browsable. This means that visiting the root of my website returns a 403 error. I then put an HTML redirect to my /index.html file in the HFS template.
This is probably a really bad way of doing this, but as long as I don't get 403 errors for any other reason it should work.