HTTP HSTS protocol and nginx

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


Netcraft recently published a study of SSL/TLS sites and found that only 5% of the sites tested correctly implement HTTP Strict Transport Security (HSTS). This article describes how to configure HSTS in nginx.

What is HSTS?

HTTPS (SSL and TLS) secures the communication between users and websites, making it difficult for an attacker to intercept, modify or impersonate it. When a user types a domain name or an http:// link by hand, the first request to the site is unencrypted, plain HTTP. Even the most secure website then immediately sends back a redirect to the HTTPS connection; but a man-in-the-middle attacker can intercept that initial HTTP request and thereby control everything the user receives afterwards.

HSTS was created to close this gap: once the browser has learned the policy, any domain name or HTTP link the user enters is strictly upgraded to an HTTPS connection.

How does HSTS work?

The HSTS policy is published in an HTTP response header sent by a secure HTTPS site:

```http
Strict-Transport-Security: max-age=31536000
```

When the browser sees this header from the HTTPS site, it knows that the domain may only be accessed over HTTPS (SSL or TLS), and it caches this information for 31536000 seconds, that is, one year.

The optional includeSubDomains parameter tells the browser that the policy also applies to all subdomains of the current domain:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

nginx configuration of HSTS

Set the HSTS response header in the nginx configuration file:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

The always parameter ensures that the header is set on all responses, including internally generated error responses. nginx versions prior to 1.7.5 do not support the always parameter, and there internally generated error responses do not carry the header.

add_header directive inheritance rules:

A configuration block inherits the add_header directives of the block that encloses it, so you only need to place the add_header directive in the top-level server block. There is one important exception: if a block contains an add_header directive of its own, it does not inherit any headers from the enclosing block, and you must redeclare all add_header directives in that block.

```nginx
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # This 'location' block inherits the STS header
    location / {
        root /usr/share/nginx/html;
    }

    # Because this 'location' block contains another 'add_header' directive,
    # we must redeclare the STS header
    location /servlet {
        add_header X-Served-By "My Servlet Handler";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://localhost:8080;
    }
}
```

Testing HTTP Strict Transport Security:

Once a browser has received the HSTS policy, it caches it for the period specified by max-age. During that time the browser refuses to access the site over unencrypted HTTP and refuses to let the user click through a certificate error (provided the site previously presented a valid, trusted certificate). If the includeSubDomains parameter is specified, these restrictions also apply to all subdomains of the current domain.

While you are testing HSTS, use a short max-age value.

Does every HTTPS response need an STS header?

Our goal is to deliver the HSTS policy as early as possible once a user starts an HTTPS session; until they have received it, they remain vulnerable to HTTP hijacking. The browser only needs to see the STS header once, so it is not strictly necessary to add it to every location block and every response. However, adding it only to the home page or landing page may not be enough: if the response that carries it is served from a cache, the client may never see it. Cover as many of your URLs as possible, paying special attention to dynamic content.
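A practical way to test the points above is to fetch a set of pages from the site and inspect the Strict-Transport-Security header of each one. The script below is an added example written for this article, not code from the original post or from nginx: it parses the header the way a browser does (case-insensitive, semicolon-separated directives, a required max-age, and a repeated directive makes the header invalid), flags responses that lack the header or carry a short max-age, and notes that an STS header on a plain-HTTP response is ignored by browsers. The responses in SAMPLE_RESPONSES are constructed sample data modelled on the location-block mistake described above; in a real test you would fill that dictionary from the responses your own site returns.

```python
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds, the max-age used throughout the article


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; return None if it is invalid.

    Directives are ';'-separated and case-insensitive, values may be quoted,
    max-age is required, and no directive may appear twice (RFC 6797 6.1).
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response(scheme: str, headers: dict) -> list:
    """Return the findings for one response; an empty list means it is fine."""
    findings = []
    # Header names are case-insensitive, so look the value up accordingly.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme != "https":
        # Browsers ignore STS sent over plain HTTP, so it protects nobody here.
        if value is not None:
            findings.append("STS header on an HTTP response is ignored by browsers")
        return findings
    if value is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    policy = parse_hsts(value)
    if policy is None:
        findings.append(f"unparseable STS header: {value!r}")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is shorter than one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample: the header was set in the server block, but the
# /servlet location has its own add_header and so lost it (see the article).
SAMPLE_RESPONSES = {
    "https://example.test/": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "https://example.test/servlet/": {"X-Served-By": "My Servlet Handler"},
    "https://example.test/short": {"strict-transport-security": "max-age=300"},
    "http://example.test/": {"Strict-Transport-Security": "max-age=31536000"},
}


def audit(responses: dict) -> dict:
    """Map every URL that has findings to its list of findings."""
    report = {}
    for url, headers in responses.items():
        scheme = url.split("://", 1)[0]
        findings = check_response(scheme, headers)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Running it prints three URLs: the /servlet/ page with no header at all, the /short page whose max-age is far below one year and which omits includeSubDomains, and the plain-HTTP page whose header browsers will never act on. The home page passes and is not listed.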

Running HTTP and HTTPS in parallel

Sometimes a website needs to run under HTTP and HTTPS at the same time:

```nginx
server {
    listen 80;
    listen 443 ssl;
    ...
}
```

Sometimes you need to redirect HTTP requests to HTTPS:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Discourage deep links by using a permanent redirect to home page of HTTPS site
    return 301 https://$host;
    # Alternatively, redirect all HTTP links to the matching HTTPS page
    # return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.ttlsa.com;
    # ssl_certificate and ssl_certificate_key directives omitted here
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Strengthening HSTS

HSTS protects the client from HTTP interception from the moment it sees the STS header until the declared max-age expires. However, HSTS is not a complete solution to HTTP response hijacking. Users are still vulnerable if they visit an HSTS-protected site over HTTP when they:

- have never visited the site before,
- recently reinstalled their operating system,
- recently reinstalled their browser,
- switched to a new browser,
- switched to a new device such as a mobile phone,
- cleared the browser's cache,
- have not visited the site recently and the max-age has expired.

To address this, Google maintains an "HSTS preload list" of site domains and subdomains; site owners submit their domain through https://hstspreload.appspot.com/. The list is distributed and hard-coded into the mainstream web browsers. When a client accesses a domain on this list it proactively uses HTTPS and refuses to access the site over HTTP.

Once the STS header is set or your domain is submitted to the HSTS preload list, it cannot be removed. This is a one-way decision to make your domain available only over HTTPS.
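To make the client-side behaviour concrete, here is a small simulation of the browser's HSTS cache. It is an added example, not code from the article or from any browser: a policy is only recorded when it arrived over HTTPS, a plain-HTTP URL is upgraded when the host (or, with includeSubDomains, a parent domain) has an unexpired entry, an entry past its max-age no longer protects the user, max-age=0 forgets the entry, and a constructed PRELOAD_LIST stands in for the list hard-coded into browsers, protecting a host the user has never visited. All hostnames used are constructed test names.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list:
# host -> whether the entry covers subdomains.
PRELOAD_LIST = {"preloaded.test": True}


class HstsStore:
    """Known-HSTS-host cache keyed by host, as a browser would keep it."""

    def __init__(self, preload=None):
        self.entries = {}  # host -> (expires_at, include_subdomains)
        self.preload = dict(preload or {})

    def observe(self, url, max_age, include_subdomains, now):
        """Record a policy seen in a response.

        Policies carried by plain-HTTP responses are ignored, and max-age=0
        deletes any existing entry, as RFC 6797 requires.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        host = parts.hostname
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def _matches(self, host, now):
        # Exact host, or any parent domain whose policy covers subdomains.
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue  # expired: the user is back to an unprotected first visit
            if exact or include_subdomains:
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._matches(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store = HstsStore(PRELOAD_LIST)
    print(store.navigate("http://www.ttlsa.test/", now=0))        # first visit: stays http
    store.observe("https://www.ttlsa.test/", 31536000, True, now=0)
    print(store.navigate("http://www.ttlsa.test/", now=1))        # upgraded to https
    print(store.navigate("http://www.ttlsa.test/", now=31536000)) # max-age expired
    print(store.navigate("http://sub.preloaded.test/", now=0))    # preloaded: https
```

The first navigation shows exactly the gap the list above describes: nothing in the cache, so the browser sends plain HTTP. Only after a policy has been received over HTTPS, and only until max-age runs out, are later HTTP navigations upgraded; the preloaded host is upgraded even on the very first visit.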
