
SSL - Enabling HSTS for SSL?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Nov 6, 2016.

  1. pamamolf

    pamamolf, Premium Member

    4,101
    428
    83
    May 31, 2014
    Ratings:
    +837
    Local Time:
    3:00 PM
    Nginx-1.26.x
    MariaDB 10.6.x
    Thanks :)

    https://cryptoreport.geotrust.com/checker/views/certCheck.jsp reports:
    Code:
    Strict Transport Security (HSTS):UNKNOWN
    Is this normal?

    And this one:

    [screenshot]

    Also, after enabling HSTS I didn't get an A plus :(

    [screenshot]

     
    Last edited: Nov 6, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    55,182
    12,251
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,829
    Local Time:
    10:00 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Use the ssllabs test instead for HSTS: SSL Server Test (Powered by Qualys SSL Labs)

    As to BEAST, read SSL - ssl beast vulnerability | Centmin Mod Community, and it's best to discuss it there, as that is not server side; it's a client side vulnerability, so nothing to do with the server.
     
  3. pamamolf

  4. eva2000

  5. pamamolf

    I am not behind Cloudflare at all ...

    ssllab report:

    Code:
    Strict Transport Security (HSTS)     No
    But I already enabled it about 20 minutes ago ...

    Code:
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    and restarted Nginx and PHP-FPM a few times ...
     
  6. eva2000

    Could be an issue with ssllabs itself.

    Even mozilla reports HSTS: No,

    but the curl headers show HSTS, i.e.
    Code (Text):
    curl -Is https://mozilla.com | grep Strict
    Strict-Transport-Security: max-age=31536000
    

    Code (Text):
    curl -Is https://community.centminmod.com | grep Strict
    Strict-Transport-Security: max-age=31536000; includeSubdomains
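The curl one-liner above only greps for the header name. The script below is an added example (not from this thread and not Centmin Mod's own code) that parses the header out of `curl -Is` output and validates it: present or missing, the `max-age` value, and whether `includeSubDomains` and `preload` are set. The one-year minimum is an assumption taken from the `max-age=31536000` used in the thread, and `example.test` is a placeholder hostname; pipe constructed header text into `hsts_check` to try it offline, or give the script a URL to probe a live site.

```sh
#!/bin/sh
# Added example (not from the thread): parse and validate the
# Strict-Transport-Security header from `curl -Is` output.
# Usage: sh hsts_check.sh https://example.test
#    or: curl -Is https://example.test | hsts_check

# One year, the max-age used in the thread's add_header line (assumed threshold).
HSTS_MIN_AGE=31536000

# Print the value of the first Strict-Transport-Security header on stdin
# (raw response headers). Header names are case-insensitive and lines end
# in CRLF, so normalise both before matching.
hsts_value() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Validate the policy found on stdin. Prints one verdict line; returns 0 only
# when the header is present and max-age is at least HSTS_MIN_AGE.
hsts_check() {
    value=$(hsts_value)
    if [ -z "$value" ]; then
        echo "HSTS: missing"
        return 1
    fi
    lc=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    max_age=$(printf '%s' "$lc" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "HSTS: invalid (no max-age directive): $value"
        return 1
    fi
    case "$lc" in *includesubdomains*) sub=yes ;; *) sub=no ;; esac
    case "$lc" in *preload*) pre=yes ;; *) pre=no ;; esac
    # max-age=0 is how a site withdraws its policy; anything short is weak.
    if [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
        echo "HSTS: weak max-age=$max_age (minimum $HSTS_MIN_AGE)"
        return 1
    fi
    echo "HSTS: ok max-age=$max_age includeSubDomains=$sub preload=$pre"
}

# Fetch and check a live URL. Browsers only honour HSTS received over https,
# so probe the https URL; the http one just shows the redirect.
hsts_probe() {
    curl -Is --max-time 15 "$1" | hsts_check
}

if [ $# -gt 0 ]; then
    hsts_probe "$1"
fi
```

A "missing" verdict on the https URL, with the header visible in the nginx config, usually means the `add_header` line is in the wrong server block or is being overridden by another `add_header` in a location.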
    
     
  7. eva2000

  8. pamamolf

    ?
     
  9. eva2000

  10. pamamolf

    OK, but this one doesn't report anything:

    Code:
    curl -Is https://mydomain.com | grep Strict
     
  11. pamamolf

    The generated SSL conf file has this line inside twice:

    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
    At the top:

    Code:
      return 302 https://$server_name$request_uri;
      include /usr/local/nginx/conf/staticfiles.conf;
    }

    and at the bottom also:
    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    Is this needed?

    I already commented out the one at the bottom and replaced the one at the top with this one:

    Code:
    include /usr/local/nginx/conf/staticfiles-hsts.conf;
     
  12. eva2000

  13. pamamolf

    Yes!
     
  14. eva2000

    Then you must have misconfigured it somewhere :)
     
  15. eva2000

    Optionally replace both with staticfiles-hsts.conf, though it shouldn't matter if you are directly accessing the https version of the site, or even http, as it redirects to https.

    The one at the bottom is the problematic one, as it's needed for the https version of the site; the one at the top is http.
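To see which `server {}` block actually carries the header, here is an added audit script (example code, not part of this thread and not Centmin Mod's own). It walks an nginx vhost file and reports, per server block, whether it is the https one (`listen 443` or `ssl`) and whether `add_header Strict-Transport-Security` is set in it; it warns when the header sits only in the http redirect block, which browsers ignore, and when a `location` sets its own `add_header` without repeating HSTS, since nginx does not inherit `add_header` into a level that defines its own. The two vhosts embedded below are constructed to mirror the layout discussed here, with what `staticfiles-hsts.conf` would contribute inlined as a literal `add_header`; `example.test` is a placeholder, and included files are not followed.

```sh
#!/bin/sh
# Added example, not from the thread or Centmin Mod: report which server {} block
# of an nginx vhost emits Strict-Transport-Security. Usage:
#   sh hsts_audit.sh /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
#   sample_vhost_correct | hsts_audit      (reads stdin when no file is given)
# Exit status 0 only when an https block (listen 443 / ssl) sets the header.
# Assumes one directive per line; included files are not followed.

hsts_audit() {
    awk '
    # Drop comments first so a commented-out add_header does not count.
    { sub(/#.*/, "") }
    # A "server {" at brace depth 0 starts a new block record.
    depth == 0 && /^[ \t]*server[ \t]*[{]/ { n++ }
    # listen 443 or ssl marks this block as the https one.
    depth >= 1 && $1 == "listen" {
        port = $2; sub(/;/, "", port); ports[n] = ports[n] " " port
        if ($0 ~ /443|ssl/) tls[n] = 1
    }
    # Note at which level HSTS is set: server level or inside a location.
    depth >= 1 && $1 == "add_header" {
        if (tolower($2) == "strict-transport-security") { if (depth == 1) hsts[n] = 1; else loc_hsts = 1 }
        else if (depth >= 2) loc_other = 1
    }
    depth == 1 && /^[ \t]*location[ \t]/ {
        loc_name = $0; sub(/^[ \t]*location[ \t]+/, "", loc_name); sub(/[ \t]*[{].*/, "", loc_name)
        loc_hsts = 0; loc_other = 0
    }
    # Track brace depth.
    { prev = depth; depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    # Leaving a location: if it set other add_header lines but not HSTS, its
    # responses lose the server-level header (nginx does not merge add_header).
    prev >= 2 && depth == 1 && loc_name != "" {
        if (loc_other && !loc_hsts) drops[n] = drops[n] " " loc_name
        loc_name = ""
    }
    END {
        ok = 0
        for (i = 1; i <= n; i++) {
            kind = tls[i] ? "https" : "http"
            printf "server %d [%s, listen%s]: HSTS %s\n", i, kind, ports[i], (hsts[i] ? "present" : "absent")
            if (hsts[i] && tls[i]) ok = 1
            if (hsts[i] && !tls[i]) print "  warning: HSTS sent over plain http is ignored by browsers"
            if (hsts[i] && drops[i] != "") print "  warning: location(s)" drops[i] " set add_header without HSTS, so their responses lack it"
        }
        if (!ok) print "result: no https server block sets Strict-Transport-Security"
        if (ok) exit 0; else exit 1
    }' "$@"
}

# Constructed vhost mirroring the broken layout from the thread: the header
# (what staticfiles-hsts.conf would add) is only in the http redirect block.
sample_vhost_misplaced() {
cat <<'EOF'
server {
  listen 80;
  server_name example.test www.example.test;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  return 302 https://$server_name$request_uri;
}
server {
  listen 443 ssl http2;
  server_name example.test www.example.test;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  location ~ \.php$ {
    add_header X-Frame-Options SAMEORIGIN;
  }
}
EOF
}

# Constructed vhost with the header in the https block, plus one location that
# sets its own add_header without repeating HSTS.
sample_vhost_correct() {
cat <<'EOF'
server {
  listen 80;
  server_name example.test www.example.test;
  return 302 https://$server_name$request_uri;
}
server {
  listen 443 ssl http2;
  server_name example.test www.example.test;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  location ~ \.php$ {
    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  }
  location /static/ {
    add_header X-Frame-Options SAMEORIGIN;
  }
}
EOF
}

if [ $# -gt 0 ]; then
    hsts_audit "$@"
fi
```

The location warning is the reason a separate staticfiles-hsts.conf exists at all: any location that adds its own headers has to repeat the HSTS line, otherwise static responses go out without it even though the server block sets it.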
     
  16. pamamolf

  17. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    8:00 PM
    latest
    latest
    Here's mine

    [screenshot]

    We have the same include /usr/local/nginx/conf/staticfiles-hsts.conf

    As for the domain.com.ssl.conf,

    mine is

    Code (Text):
    server {
        server_name domain.com www.domain.com;
        return 301 https://www.$server_name$request_uri;
        include /usr/local/nginx/conf/staticfiles.conf;
    }


    Mine's not commented out

    Code (Text):
     include /usr/local/nginx/conf/503include-main.conf;


    Code (Text):
     include /usr/local/nginx/conf/503include-only.conf;


    and

    Code (Text):
    #include /usr/local/nginx/conf/block.conf;
     
  18. eva2000

  19. pamamolf

    Don't know why it doesn't work then :(

    Anyway, not a big deal ...
     
  20. dorobo

    The plus sign beside the A looks so nice :D

    Do you have it? LOL.