Welcome to Centmin Mod Community
Register Now

SSL Enabling HSTS for SSL ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Nov 6, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Thanks :)

    Code:
    https://cryptoreport.geotrust.com/checker/views/certCheck.jsp
    reports:
    Code:
    Strict Transport Security (HSTS):UNKNOWN
    Is this normal?

    And this one:

    [​IMG]

    Also after enabling HSTS i didn't get an A plus :(

    [​IMG]
     
    Last edited: Nov 6, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
    use ssllabs test instead for HSTS SSL Server Test (Powered by Qualys SSL Labs)

    as to BEAST read SSL - ssl beast vulnerability | Centmin Mod Community and best to discuss there as that is not server side it's client side vulnerability so nothing to do with server.
     
  3. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
  4. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
  5. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    I am not behind Cloudflare at all .....

    ssllab report:

    Code:
    Strict Transport Security (HSTS)     No
    but i already enable it about 20 minutes ago .....

    Code:
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    and restart a few times Nginx and Phpfpm....
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
    could be an issue with ssllabs itself

    even mozilla report HSTS no

    but curl headers sho HSTS

    i.e.
    Code (Text):
    curl -Is https://mozilla.com | grep Strict
    Strict-Transport-Security: max-age=31536000
    

    Code (Text):
    curl -Is https://community.centminmod.com | grep Strict
    Strict-Transport-Security: max-age=31536000; includeSubdomains
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
  8. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    ?
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
  10. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok but this one doesn't report anything:

    Code:
    curl -Is https://mydomain.com | grep Strict
     
  11. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    The generated ssl conf file has inside two times this line:

    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
    on top:

    Code:
     
    return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    and at the bottom also:
    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    
    Is this needed?

    I already comment the one at the bottom and replace the one on top with this one:

    Code:
    include /usr/local/nginx/conf/staticfiles-hsts.conf;
     
  12. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
  13. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Yes !
     
  14. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
    then you most of misconfigured it somewhere :)
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
    optionally replace both with staticfiles-hsts.conf though shouldn't matter if you are directly accessing https version of site or even http as it redirects to https

    the one at bottom is the problematic one as it's needed for https version of site one at top is http
     
  16. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
  17. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    1:26 PM
    latest
    latest
    here's mine

    [​IMG]

    we have the same include /usr/local/nginx/conf/staticfiles-hsts.conf

    as for the domain.com.ssl.conf

    mine is

    Code (Text):
    server {
       
       server_name domain.com www.domain.com;
       return 301 https://www.$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }


    Mine's not commented out

    Code (Text):
     include /usr/local/nginx/conf/503include-main.conf;


    Code (Text):
     include /usr/local/nginx/conf/503include-only.conf;


    and

    Code (Text):
    #include /usr/local/nginx/conf/block.conf;
     
    • Like Like x 2
  18. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    3:26 PM
    Nginx 1.13.x
    MariaDB 5.5
  19. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    7:26 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Don't know then why it doesn't work :(

    Anyway not big deal ....
     
  20. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    1:26 PM
    latest
    latest
    The plus sign beside the A looks so nice :D

    Do you have it? LOL.
     
    • Funny Funny x 2