HSTS Missing From HTTPS Server

SpiceDenver · September 25, 2020, 8:12pm

NethServer Version: 7.8.2003
Module: Base

Is there any way to alter the webserver(s) on Neth to enforce HSTS?

mrmarkuz · September 25, 2020, 9:56pm

Does it work if you set a stricter TLS Policy?

Elleni · September 25, 2020, 10:11pm

On my gentoo webserver I had to add those lines near the ssl configuration in the apache vhost config of the websites it’s serving, but I have to leave it to the nethserver pros to explain how this can be implemented with some e-smith template because I don’t know. Maybe they also decide to activate this option in the apache config?

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”
Header set Content-Secure-Policy “default-src ‘self’;”

mrmarkuz · September 25, 2020, 11:01pm

It works with a custom template:

Create custom template dir:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf

Create file /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf/20hsts with following content:

Header always set Strict-Transport-Security "max-age=31536000"

Apply configuration:

signal-event nethserver-httpd-update

There’s a feature thread:

danb35 · September 25, 2020, 11:13pm

…and as I noted there, HSTS should not be enabled by default–there’s too much risk of locking visitors out of your site. But yes, Neth should include the option in the server manager.

SpiceDenver · September 25, 2020, 11:21pm

I’ve got that set and the security fault remains.

SpiceDenver · September 25, 2020, 11:23pm

Awesome. I’ll set this and keep my ear open in case anyone has problems. Thanks!

SpiceDenver · September 25, 2020, 11:34pm

Just to confirm: will this fix handle servers on all ports or is it targeted? I receive the security notification on 9090 and 443.

mrmarkuz · September 26, 2020, 12:09am

No, the custom template only covers the httpd port 443. For the other services more custom templates are needed.
As regards cockpit port 9090 I did not find a way to enable HSTS.

pike · September 26, 2020, 7:45am

Cockpit is not intended as “public available tool”… As advised into management interface, the IP should be restricted to a defined list for allowing connection.

IMVHO also for every other module which expose a “public applicaton”, like MatterMost o NextCloud.

SpiceDenver · September 28, 2020, 6:01pm

Thank you for trying.

stephdl · October 1, 2020, 1:39pm

Warning:Once enabled, HSTS disallows the user from overriding an invalid or self-signed certificate message. Your website will be inaccessible without a valid SSL.

mrmarkuz:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf

Create file /etc/e-smith/templates-custom/etc/httpd/conf.d/nethserver.conf/20hsts with following content:
Header always set Strict-Transport-Security "max-age=31536000"
Apply configuration:

signal-event nethserver-httpd-update

This will enable for the whole apache, maybe we could have a solution adapted to each vhost

pike · October 1, 2020, 1:52pm

Now i get why it’s not exposed that kind of option on Cockpit…

stephdl · October 1, 2020, 1:54pm

However it brings a lot of good new security layer like the man in the middle

stephdl · October 1, 2020, 1:58pm

create a file /etc/e-smith/templates/httpd/vhost-extra/20HSTS

{
    if ($Port == 443) {
        $OUT .= q(
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
);
}

We can create a checkbox (default disabled) with a warning about selfsigned certificates (who use it nowadays). Obviously this will be only enabled per virtualhost

danb35 · October 1, 2020, 2:04pm

I think this is a good plan. I’d also add to the warning that if the certificate becomes invalid for any other reason, users will also be unable to connect. The most likely issue here would be that a cert fails to renew, and that problem isn’t recognized in time, HSTS will lock people out.

SpiceDenver · October 1, 2020, 7:43pm

If that’s the case, documentation to reverse the process, and set to default, from the cli would be helpful.

danb35 · October 1, 2020, 9:19pm

That’s the problem with HSTS–removing it won’t help you. Every time you connect, it sends the header that tells your browser to not connect insecurely to your FQDN (optionally including subdomains) for the next n seconds (generally for a period of one-two years), no matter what. By design, you can’t just override this in the browser by clicking “visit anyway”. And the fact that the server isn’t sending that header now doesn’t help, when it did send it last time. So disabling it from the command line is only part of the solution; the rest is that you must then visit from a different browser (one that’s never received the HSTS header from your server).

mrmarkuz · October 1, 2020, 9:32pm

It’s not that bad, you can clear it in the browsers:

Firefox:

Chrome/Safari:

https://really-simple-ssl.com/knowledge-base/clear-hsts-browser/

stephdl · October 9, 2020, 8:40am

We talked internally about HSTS feature and we are not sure it is good enough about the user experience. We think that it could bring some good things from a security perspective but also bad behaviors if you are not fully warned about the consequences.

In short for now we would like that people tries it without being exposed in the UI and this can be done simply by a .htaccess in the vhost itself, force obviously the https of your vhost

vim /var/lib/nethserver/vhost/64f1c94a95e24a9/.htaccess

drop in your .htaccess

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

reload httpd

systemctl reload httpd

test it by https://securityheaders.com/