[solved] HTTP Strict Transport Security (HSTS) Support

#3
Just add the header in the context settings ("Extra Headers").
As mentioned in the initial thread, yes, it's trivial to add; however, I believe the point of the LSWS admin interface is to help less experienced users manage their website(s). As a result it would be a quick addition - it would also give HSTS more exposure in general, which would be a good thing.

joe

Well-Known Member
#4
x2, this should be added as a feature.

So what exactly is the proper syntax for this? I see the extraheaders option under the VM context tab. This is the value I've been fiddling with, and so far no luck:

Strict-Transport-Security: max-age=31536000; includeSubDomains

mistwang

LiteSpeed Staff
#5
It should work by adding it to "Extra Headers". Please let us know the version of LSWS and the type of resources pointed to by the URL: static? dynamic? PHP?

joe

Well-Known Member
#8
Yeah, still no dice. Basically every attempt is failing to pass the HSTS test at https://www.ssllabs.com/ssltest/analyze.htm.
BTW: I was attempting to implement this only on the CGI type, not the statics, or was that my mistake?

This is somewhat off topic, but will you be updating the TLS/SSL how-tos soon? It would be great if you had a straightforward walk-through of what it takes to score an "A" in LiteSpeed speak, although it isn't hard to figure out.

joe

Well-Known Member
#9
OK, I'm stuck on this. Perhaps it's bugged in part, but the response above leads me to think it can work if properly configured.

So what I'm trying to do here is get this feature enabled on an established VM which already uses TLS. First I tried to add the parameter above to the Extra Headers field of the existing CGI type & URI /cgi-bin/, which is set up by the default VM template. I ignored the three other default Static types. This didn't work with multiple syntaxes, including the one above by Mistwang.

Next I created a new context of type CGI, URI /html, which has only this extra header setting defined. This is a Joomla webroot folder.

What am I missing here?

mistwang

LiteSpeed Staff
#10
I could not reproduce it; it works fine if I add it to the cgi-bin/ context.
Uploaded the latest 4.2.12 package for FreeBSD; you can force reinstall, then try again.

joe

Well-Known Member
#11
Thanks, but no love yet.

I did re-install and I notice a small delta in the tarball file sizes on 4.2.12, but to no effect. Two things perhaps, unless you can help rule them out. This vmhost is using a legacy PHP binary, 5.3.28, compiled using LiteSpeed, and this instance is running on FreeBSD 10. I do have compat6 libraries installed, and the server is essentially functional in every other way since the recent upgrade, so I would like to think it's not the issue here. Frankly, idk.

No apparent debug info regarding this either. Before giving up for now, what else can I examine?

Listed here is the vhconf.

-----------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<virtualHostConfig>
<docRoot>$VH_ROOT/html/</docRoot>
<adminEmails>administrator@mydomain.com</adminEmails>
<enableGzip>0</enableGzip>
<logging>
<log>
<useServer>0</useServer>
<fileName>$VH_ROOT/logs/error.log</fileName>
<logLevel>DEBUG</logLevel>
<rollingSize>10M</rollingSize>
</log>
<accessLog>
<useServer>0</useServer>
<fileName>$VH_ROOT/logs/access.log</fileName>
<rollingSize>10M</rollingSize>
<keepDays>30</keepDays>
<compressArchive>0</compressArchive>
</accessLog>
</logging>
<index>
<useServer>0</useServer>
<indexFiles>index.php</indexFiles>
<autoIndex>0</autoIndex>
<autoIndexURI>/_autoindex/default.php</autoIndexURI>
</index>
<customErrorPages>
<errorPage>
<errCode>404</errCode>
<url>/error.php</url>
</errorPage>
</customErrorPages>
<scriptHandlerList>
<scriptHandler>
<suffix>php</suffix>
<type>lsapi</type>
<handler>lsphp5.3.28-mydomain</handler>
<note></note>
</scriptHandler>
</scriptHandlerList>
<htAccess>
<allowOverride>4</allowOverride>
<accessFileName>.htaccess</accessFileName>
</htAccess>
<expires>
<enableExpires>1</enableExpires>
</expires>
<security>
<hotlinkCtrl>
<enableHotlinkCtrl>0</enableHotlinkCtrl>
<suffixes>gif, jpeg, jpg</suffixes>
<allowDirectAccess>1</allowDirectAccess>
<onlySelf>1</onlySelf>
</hotlinkCtrl>
<accessControl>
<allow>*</allow>
</accessControl>
<realmList>
<realm>
<type>file</type>
<name>SampleProtectedArea</name>
<userDB>
<location>$VH_ROOT/conf/htpasswd</location>
<maxCacheSize>200</maxCacheSize>
<cacheTimeout>60</cacheTimeout>
</userDB>
<groupDB>
<location>$VH_ROOT/conf/htgroup</location>
<maxCacheSize>200</maxCacheSize>
<cacheTimeout>60</cacheTimeout>
</groupDB>
</realm>
</realmList>
</security>
<extProcessorList>
<extProcessor>
<type>lsapi</type>
<name>lsphp5.3.28-mydomain</name>
<address>uds://tmp/lshttpd/lsphp5.3.28.sock</address>
<note>PHP_LSAPI_MAX_REQUESTS=500
PHP_LSAPI_CHILDREN=35</note>
<maxConns>35</maxConns>
<env>PHP_LSAPI_MAX_REQUESTS=500</env>
<env>PHP_LSAPI_CHILDREN=35</env>
<initTimeout>60</initTimeout>
<retryTimeout>0</retryTimeout>
<persistConn></persistConn>
<pcKeepAliveTimeout>200</pcKeepAliveTimeout>
<respBuffer>0</respBuffer>
<autoStart>1</autoStart>
<path>$SERVER_ROOT/fcgi-bin/lsphp-5.3.28</path>
<backlog>100</backlog>
<instances>1</instances>
<extUser></extUser>
<extGroup></extGroup>
<runOnStartUp></runOnStartUp>
<extMaxIdleTime></extMaxIdleTime>
<priority></priority>
<memSoftLimit></memSoftLimit>
<memHardLimit></memHardLimit>
<procSoftLimit></procSoftLimit>
<procHardLimit></procHardLimit>
</extProcessor>
</extProcessorList>
<contextList>
<context>
<type>NULL</type>
<uri>/docs/</uri>
<location>$SERVER_ROOT/docs/</location>
<allowBrowse>1</allowBrowse>
</context>
<context>
<type>NULL</type>
<uri>/protected/</uri>
<location>protected/</location>
<allowBrowse>1</allowBrowse>
<realm>SampleProtectedArea</realm>
<authName>Protected</authName>
<required>user test</required>
<accessControl>
<allow>*</allow>
</accessControl>
</context>
<context>
<type>NULL</type>
<uri>/blocked/</uri>
<location>blocked/</location>
<allowBrowse>0</allowBrowse>
</context>
<context>
<type>cgi</type>
<uri>/cgi-bin/</uri>
<location>$VH_ROOT/cgi-bin/</location>
<note></note>
<extraHeaders>Strict-Transport-Security: &quot;max-age=31536000; includeSubDomains&quot;</extraHeaders>
<allowSetUID></allowSetUID>
<allowOverride></allowOverride>
<realm></realm>
<authName></authName>
<required></required>
<accessControl>
<allow></allow>
<deny></deny>
</accessControl>
<authorizer></authorizer>
<addDefaultCharset>off</addDefaultCharset>
<defaultCharsetCustomized></defaultCharsetCustomized>
<rewrite>
<enable></enable>
<inherit></inherit>
<base></base>
<rules></rules>
</rewrite>
<apacheConf></apacheConf>
</context>
</contextList>
<rewrite>
<enable>0</enable>
<logLevel>9</logLevel>
<rules>RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot
RewriteRule ^/nospider/ - [F]</rules>
</rewrite>
<frontPage>
<enable>0</enable>
<disableAdmin>0</disableAdmin>
</frontPage>
<awstats>
<updateMode>0</updateMode>
<workingDir>$VH_ROOT/awstats</workingDir>
<awstatsURI>/awstats/</awstatsURI>
<siteDomain>localhost</siteDomain>
<siteAliases>127.0.0.1 localhost</siteAliases>
<updateInterval>86400</updateInterval>
<updateOffset>0</updateOffset>
</awstats>
</virtualHostConfig>

joe

Well-Known Member
#13
I've been trying a similar curl test as well to verify, plus the SSL Labs test. It seems no values will take in extraheaders for me right now.

All of these lines are currently configured, and there is no result with curl: curl -s -D- https://192.168.1.1 | grep Strict

Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Strict-Transport-Security "max-age=31536000, includeSubDomains"
Strict-Transport-Security max-age=31536000; includeSubDomains
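As an added illustration (not code from this thread or from LiteSpeed): a small RFC 6797 validator for the Strict-Transport-Security value a server actually sends, which takes the guesswork out of the curl check above. Run against the variants listed, it accepts only the unquoted form; wrapping the whole value in quotes, as in the vhconf's extraHeaders above, is not a valid STS field value if it reaches the client verbatim. The sample response below is constructed, not captured from the poster's server.

```python
import re
from typing import Optional

# RFC 7230 token characters; a directive-value is a token or a quoted-string (RFC 6797 s6.1).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
DIRECTIVE_RE = re.compile(rf'^\s*({TOKEN})\s*(?:=\s*({TOKEN}|"(?:[^"\\]|\\.)*"))?\s*$')
HEADER_RE = re.compile(r"^Strict-Transport-Security\s*:\s*(.*)$", re.IGNORECASE)


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS field value. Returns the policy as a dict, or None when the value
    violates RFC 6797: bad syntax, missing or non-numeric max-age, a duplicated
    directive, or a value attached to the includeSubDomains flag."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue                      # empty directives are permitted by the grammar
        m = DIRECTIVE_RE.match(part)
        if m is None:
            return None
        name, val = m.group(1).lower(), m.group(2)
        if name in seen:
            return None                   # each directive may appear at most once
        if val is not None and val.startswith('"'):
            val = val[1:-1]               # unquote a quoted-string value
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None                       # max-age is required and must be delta-seconds
    if "includesubdomains" in seen and seen["includesubdomains"] is not None:
        return None                       # includeSubDomains is a flag and takes no value
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def hsts_from_response(raw: str) -> Optional[dict]:
    """Locate the STS header in a raw HTTP response (what `curl -D-` prints) and parse
    it; only the first occurrence counts, as RFC 6797 s8.1 requires."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        m = HEADER_RE.match(line)
        if m:
            return parse_hsts(m.group(1))
    return None                           # header absent: no policy was sent at all


# Constructed sample response (not captured from the poster's server).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\n"
                   "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Note that max-age=0 parses as a valid policy: it tells the browser to forget the host's HSTS entry, so it is a legitimate value but not one to ship by accident.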

joe

Well-Known Member
#15
BINGO!! :)

First try after creating a new context using the URI "/" and it's working! Thank you so much!! I'd suggest adding this type of example to the docs for others.

You guys do rock!