[Tutorial] - HTTP Strict Transport Security setup on Apache, NGINX and Lighttpd

Raymii Member
edited April 2013 in Tutorials

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. This tutorial will show you how to set up HSTS in Apache2, NGINX and Lighttpd. It is tested with all mentioned webservers: NGINX 1.1.19, Lighttpd 1.4.28 and Apache 2.2.22 on Ubuntu 12.04, Debian 6 & 7 and CentOS 6. It should work on other distros, however; these are just reference values.

What is HTTP Strict Transport Security?

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com.

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

An example scenario:

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

Set up HSTS in Apache2

Edit your apache configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:

# Optionally load the headers module (mod_headers provides the Header directive):
LoadModule headers_module modules/mod_headers.so

# Add the header to the HTTPS (port 443) VirtualHost only; browsers ignore
# it on plain-HTTP responses.
<VirtualHost 67.89.123.45:443>
    # 63072000 seconds = two years; includeSubDomains applies the policy to all subdomains too
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

That's it. Now your website will set the header every time someone visits, with an expiration date of two years (in seconds). It sets it at every visit, so tomorrow it will say two years again.
You do have to set it on the HTTPS vhost only. It cannot be in the HTTP vhost.

To redirect your visitors to the HTTPS version of your website, use mod_rewrite:

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Only rewrite plain-HTTP requests
  RewriteCond %{HTTPS} off
  # Permanent (301) redirect to the same host and path over HTTPS; L stops further rule processing
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

And don't forget to restart Apache.

Read on here: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Quis custodiet ipsos custodes?
https://raymii.org - https://cipherli.st
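An added example, not part of the original post: a small RFC 6797-style parser for the Strict-Transport-Security header, plus the policy a browser would record from a response. It shows why the header only matters on the HTTPS vhost (a browser ignores it over plain HTTP), how the two-year max-age and includeSubDomains are read, and that max-age=0 makes a browser forget the host. The sample response headers and the clock value are constructed.

```python
# Added example, not part of the original post: an RFC 6797-style parser for
# the Strict-Transport-Security header and the policy a browser records.
from datetime import datetime, timedelta, timezone

# Constructed sample: the header value the tutorial's Apache config sends.
TUTORIAL_HEADERS = [("Strict-Transport-Security",
                     "max-age=63072000; includeSubDomains")]
NOW = datetime(2013, 4, 1, tzinfo=timezone.utc)  # constructed clock value

def parse_sts(value):
    # Returns (max_age, include_subdomains), or None when the header is
    # invalid: max-age missing or malformed, or any directive repeated.
    seen, max_age, include_subdomains = set(), None, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue                      # tolerate a trailing ';'
        name, _, arg = directive.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:
            return None                   # duplicate directive: whole header invalid
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # token or quoted-string delta-seconds
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives (e.g. preload) are ignored, as a browser would
    return None if max_age is None else (max_age, include_subdomains)

def hsts_policy(scheme, headers, now):
    # What a browser caches for this response, or None if nothing is cached.
    # The header only counts over HTTPS; on a plain-HTTP response it is
    # ignored (RFC 6797 section 7.2), which is why the tutorial puts it in
    # the HTTPS vhost only. max-age=0 tells the browser to forget the host.
    if scheme != "https":
        return None
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return None
    parsed = parse_sts(sts[0])            # only the first STS header is used
    if parsed is None:
        return None
    max_age, include_subdomains = parsed
    if max_age == 0:
        return {"forget": True}
    return {"expires": now + timedelta(seconds=max_age),
            "include_subdomains": include_subdomains}
```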

Comments

  • Thank you @Raymii

    Happy to be alive and kicking!

  • @vRozenSch00n said: Thank you

    Hi

  • jcaleb Moderator

    @Raymii bless you for being generous with knowledge


  • @Raymii: Thanks a lot for giving this tutorial. Maybe you can make more? Or do you have a blog about security knowledge? I'm focusing my studies on it and need a lot of tutorials. :)

    "I Always Happy ! The Secret Is, When Something Bad Happens, I Always Yell : Eeee... Macarena !!" :D

  • @Rikimaru90 said: @Raymii: Thanks a lot for giving this tutorial. Maybe you can make more? Or do you have a blog about security knowledge? I'm focusing my studies on it and need a lot of tutorials. :)

    https://raymii.org

    @vRozenSch00n said: Thank you @Raymii

    Fellow countryman! This place is full of Dutch people, @Freek, @taronyu, @joepie91 and I think a few more...

  • @Raymii said: and I think a few more...

    Me too, man xD

  • Yes, a bunch of smart and happy folks ;)


  • let's take over LET :P

  • :P


  • You should move this to the tutorials category.

    You could keep reading this on a site infamous for its ties to (ahem) one particular organization, or you could check out vpsBoard, which has no such ties and tolerates no bullshit. Your choice.

  • Interesting.

  • @DStrout said: You should move this to the tutorials category.

    @Liam or @Infinity please?

  • bobby Member

    Nice, thanks for sharing.

  • Infinity Member, Provider

    @Raymii said: @Liam or @Infinity please?

    Done, and great stuff. :-)

  • Freek Member

    @Raymii said: @Freek,

    Klopt als een bus (Dutch idiom for "spot on"). English translation: Knocks like a bus

    Linux noob willing to learn.

  • @Raymii said: includeSubDomains

    I'm not sure this is a good idea if it does what I think it does. I'm sure very few of us have wildcard SSL certs.


  • yomero Member
    edited April 2013

    I still don't understand this.

    So, the first time you visit the non-SSL version, right? And the next ones will go directly to the SSL version. Am I right?

    Also, do all browsers support this behavior?

  • @yomero said: So, the first time you visit the non-SSL version, right? And the next ones will go directly to the SSL version. Am I right?

    Correct.

    @yomero said: Also, do all browsers support this behavior?

    The fairly recent ones do.
