[solved] HTTP Strict Transport Security (HSTS) Support

Discussion in 'Feedback/Feature Requests' started by CodyRo, Mar 31, 2011.

  1. CodyRo

    CodyRo New Member

  2. andreas

    andreas Well-Known Member

    Just add the header in the context settings ("Extra Headers").
  3. CodyRo

    CodyRo New Member

    As mentioned in the initial thread yes it's trivial to add however I believe the point of the LSWS admin interface is to help less experienced users manage their website(s). As a result it would be a quick addition - it would also give HSTS more exposure in general which would be a good thing.
  4. joe

    joe Well-Known Member

    x2 this should be added as a feature.

    So what exactly is the proper syntax for this? I see the extraheaders option under the VM context tab. This is the value which I've been fiddling with and so far no luck:

    Strict-Transport-Security: max-age=31536000; includeSubDomains
  5. mistwang

    mistwang LiteSpeed Staff

    It should work by adding to "Extra Headers", please let us know the version of LSWS, type of resources pointed by the URL. static? dynamic? php?
  6. joe

    joe Well-Known Member

    Running the latest version of std on freebsd 10 with mainly dynamic php, joomla.
  7. mistwang

    mistwang LiteSpeed Staff

    tested it, the header was added but truncated due to a bug, you can work around it with

    it will be fixed in next release.
  8. joe

    joe Well-Known Member

    Yeah still no dice. Basically every attempt is failing to pass over at https://www.ssllabs.com/ssltest/analyze.htm for the HSTS test.
    btw: I was attempting to implement this only on the cgi type, not the statics or was that my mistake?

    This is somewhat off topic, but will you be updating the TLS/SSL howto's soon? It would be great if you had a straight forward walk -thru of what it takes to score an"A" in litespeed speak although it isn't heard to figure out.
  9. joe

    joe Well-Known Member

    OK, I'm stuck on this. Perhaps its bugged in part, but the response above leads me to think it can work if properly configured.

    So what I'm trying to do here is get this feature enabled on an established VM which already uses TLS. First I tried to add the parameter above to the Extra Headers filed of the existing CGI type & URI /cgi-bin/ which is setup by the default VM template. I ignored the three other default Static types. This didn't work with multiple syntax-es including the one above by Mistwang.

    Next I created a new context of type: CGI URI: /html which has only this extra header setting defined. This is a Joomla webroot folder.

    What am I missing here?
  10. mistwang

    mistwang LiteSpeed Staff

    I could not reproduce it, it works fine if I add it to the cgi-bin/ context.
    Uploaded the latest 4.2.12 package for freebsd, you can force reinstall, then try again.
  11. joe

    joe Well-Known Member

    thanks, but no love yet.

    I did re-install and I notice a small delta in the tarball file sizes on 4.2.12 but to no effect. Two things perhaps unless you can help rule them out. This vmhost is using a legacy php binary compiled using litespeed of 5.3.28 and this instance is running on FreeBSD10. I do compat6 libraries installed and the server is essentially functional in every other way since the recent upgrade so I would like to think its not the issue here. frankly idk.

    No apparent debug info regarding this either. Before giving up for now, what else can I examine?

    listed here is the vhconf.

    <?xml version="1.0" encoding="UTF-8"?>
    <suffixes>gif, jpeg, jpg</suffixes>
    <required>user test</required>
    <extraHeaders>Strict-Transport-Security: &quot;max-age=31536000; includeSubDomains&quot;</extraHeaders>
    <rules>RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot
    RewriteRule ^/nospider/ - [F]</rules>
    <siteAliases> localhost</siteAliases>
  12. mistwang

    mistwang LiteSpeed Staff

  13. joe

    joe Well-Known Member

    I've been trying a similar curl test as well to verify, plus the ssllabs. It seems no values will take in extraheaders for me right now.

    All of these lines are currently configured and there is no result with curl: curl -s -D- | grep Strict

    Strict-Transport-Security: "max-age=31536000; includeSubDomains"
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Strict-Transport-Security "max-age=31536000, includeSubDomains"
    Strict-Transport-Security max-age=31536000; includeSubDomains
  14. mistwang

    mistwang LiteSpeed Staff

  15. joe

    joe Well-Known Member

    BINGO!! :)

    First try after creating a new context using the URI of "/" its working! Thank you so much!! I'd suggest adding this type of example to the docs for others.

    You guys do rock!

Share This Page