rejetto forum

Send HSTS header

0 Members and 1 Guest are viewing this topic.

Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Hello,
I am using HFS 2.3k and stunnel 5.41 to enable HTTPS on my site. Is there any way for HFS to send a HSTS header (this: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload) to enable HSTS on my website?


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2040
    • View Profile
Hfs handling only the http protocol, it is for this that we add Stunnel

But stunnel does not allow to intervene on the headers, the applicable solution is the redirection using two distinct servers

http://www.rejetto.com/forum/router-port-problems/redirect-from-80-(http)-to-443-(https)/

In the example of a restricted template for port 80 without the redirect url, you can add a macro to add the header required to transmit the HSTS mode to the browser, something like

{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}

It is very likely that it should be added to all the web pages created by the main server to force the browser to use only the https protocol

This method has never been tested but can be a good solution to force the passage through stunnel

After a few tests, I was unable to make the idea work
« Last Edit: June 29, 2017, 03:52:25 PM by Mars »


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
I do have 2 servers, 1 is apache on a raspberry pi which just hosts 1 html page to redirect to https, and the HFS on a computer which serves the https requests. Where in HFS would I put {.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}, would it go in the HTML template or somewhere else?


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
I have looked at this further and I have found that I possibly need to put this in the html template:
[special:begin]
{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains;
preload.}
or this:
[special:begin]
{.add header|{:Strict-Transport-Security: max-age=63072000; includeSubDomains;
preload:}.}
I have tried inserting these into the hfs.tpl at the end or between [+special:strings] and [], and neither worked.

Edit:

I have also tried adding this:
[special:begin]
{.add to log|{.add header|{Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}HSTS header sent.}
to the diff template for /, and 'HSTS header sent' appears in the log,  but the header is not sent.
« Last Edit: July 02, 2017, 11:09:14 AM by aokvilla »


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2040
    • View Profile
have a look to
http://www.rejetto.com/wiki/index.php?title=HFS:_Event_scripts

I don't have better idea actually

If you want to check the headers that are transmitted, under firefox it is possible to add the following module

https://code.google.com/archive/p/httpfox/
« Last Edit: July 02, 2017, 11:03:18 AM by Mars »


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
I have just managed to get HFS to send the header. I put this in the diff template for root /
[special:begin]
{.add header|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.}


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2040
    • View Profile
I do not understand why the header is not taken into account by the browser but it is actually received by it


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
It looks like you are missing a space between includeSubDomanis; and preload.
If that doesn't work try typing your site into ssllabs.com/ssltest/index.html and see if you get a green box that says HSTS deployed.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2040
    • View Profile
It seems that everything works with your server, I get a redirection in https with firefox
http://adam ....uk:80/  -->>   https://adam ....uk/
, you will recognize this image


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13309
    • View Profile
i think the correct event is [request]
try that


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
I have just tried and [request] does work, thank you.
I use a .html file for the root of my site, is there any way to put macros in a .html file and have HFS run them instead of displaying them as text in the web browser? I have also put the [request] and macro in the diff template for / and that didn't work.
Alternatively is there any way to set a diff template for / (containing the html for my root page), and not have all other pages inherit it as that breaks the rest of the pages.
« Last Edit: July 16, 2017, 06:26:01 PM by aokvilla »


Offline aokvilla

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
I have now found a different way to solve this. Because whenever the main hfs template is used, the header is sent, but when my .html file is used it isn't, I have moved my home page to /index.html, removed it from / and made / non browsable. This means that visiting the root of my website returns a 403 error. I then put a html redirect in the hfs template to my /index.html file.
This is probably a really bad way of doing this, but as long as I don't get 403 errors for any other reason it should work.