2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows how to enable HSTS in nginx so that browsers are forced to access the site over HTTPS. The content is straightforward and easy to follow; I hope it helps clear up any doubts. Let me walk you through it.
The result looks like this:
But if we access the site over http right now, it does not work, as shown in the following figure:
So the first thing to do is to configure nginx so that a request a user types in the browser as http is redirected to https. In other words, we need a simple nginx redirect.
To do that, we add the following redirect configuration to nginx:
server {
    listen 80;
    server_name xxx.abc.com;
    # every plaintext request is redirected (301) to the same host and path over https
    rewrite ^/(.*)$ https://$host/$1 permanent;
}
Therefore, the main configuration code for nginx is as follows:
server {
    listen 80;
    server_name xxx.abc.com;
    rewrite ^/(.*)$ https://$host/$1 permanent;
}
server {
    listen 443 ssl;
    server_name xxx.abc.com;
    ssl_certificate cert/server.crt;
    ssl_certificate_key cert/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # the application itself listens on plain http on the loopback interface
        proxy_pass http://localhost:3001;
    }
}
After adding this configuration, nginx must be restarted for it to take effect. When we then enter http://xxx.abc.com in the browser, we are automatically redirected to https://xxx.abc.com/. Let's look at the two requests in the network panel, as shown below:
As the requests above show, the browser first sends an http request to the site (http://xxx.abc.com), receives a redirect response, then sends an https request and receives the final content. For the user this is transparent and the experience is good, but before the https connection there is a plaintext http request and a redirect. An attacker can hijack that http request as a man in the middle and carry out further attacks: eavesdropping on data, tampering with requests or responses, redirecting to a phishing site, and so on. Plain http is therefore not secure enough, which is why in recent years sites are expected to be accessed over https.
Taking the case of hijacking the http request and redirecting to a phishing site as an example, the general hijacking process is as follows.
The steps are as follows:
1. The browser sends an http request (for example http://xxx.abc.com). After the request is sent, the attacker hijacks it as a man in the middle.
2. Having hijacked the http request, the attacker forwards it to a phishing site (for example http://xxx.yyy.com).
3. Phishing sites will return fake web content.
4. Finally, the attacker returns the fake web page content to the browser.
As shown above, the http request is never redirected to the https site at all: the attacker hijacks the http request directly and finally returns the phishing page to the browser. So a plain http-to-https redirect still leaves a plaintext http request, which makes it unsafe on its own, and HSTS exists to solve this problem. Let's meet HSTS.
2. Meet HSTS
As mentioned above, redirecting http to https has a security problem: there is a plaintext http request before the redirect to https, so it is easy for an attacker to hijack that request. What we want instead is for the browser to turn the user's http request into an https request itself, before anything is sent, so that the page is requested over https from the start, which makes it much harder for an attacker to interfere. The following diagram shows this:
The steps can be understood as follows:
1. When the user enters http://xxx.abc.com in the browser, the browser already knows that this domain name must be accessed over https.
2. So the browser sends the https request directly to the site (https://xxx.abc.com).
3. The site returns the response content.
So the question now is, how do browsers know that the domain name needs to use https? So at this time we have HSTS.
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It is an Internet security policy mechanism published by the IETF. A site with an HSTS policy ensures that browsers always connect to the https encrypted version of the site, without the user having to type the encrypted address into the address bar, which reduces the risk of session hijacking.
The basic syntax of HSTS is as follows:
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
max-age is required. It is a value in seconds and gives the lifetime of the HSTS policy; it is commonly set to one year, that is, 31536000 seconds.
includeSubDomains is optional. If it is set, HSTS protection applies to the current domain name and all of its subdomains.
preload is optional and is only needed if you apply to have your domain name added to the browsers' built-in preload list.
Let's first look at how Baidu handles this. If we enter http://www.baidu.com/ in the browser address bar and press Enter, the browser automatically converts it into a request to https://www.baidu.com/. If we watch the requests in Chrome's network panel, however, we can see that two requests appear, as shown below:
The second one is an https request, as shown below:
As we can see above, the first request has status code 307 and its request headers are marked "Provisional headers are shown", which means the browser intercepted the request and it was never actually sent: the browser saw that this domain name must be requested over https, so it sent the second, https, request instead.
Configure HSTS under nginx
Set the HSTS response header on the nginx configuration file as follows:
add_header Strict-Transport-Security "max-age=172800; includeSubDomains";
Therefore, the configuration of nginx is as follows:
server {
    listen 80;
    server_name xxx.abc.com;
    rewrite ^/(.*)$ https://$host/$1 permanent;
}
server {
    listen 443 ssl;
    server_name xxx.abc.com;
    # HSTS is only honoured by browsers on https responses, so it belongs in this server block;
    # nginx's add_header applies to 2xx and 3xx responses (append "always" to cover all status codes)
    add_header Strict-Transport-Security "max-age=172800; includeSubDomains";
    ssl_certificate cert/server.crt;
    ssl_certificate_key cert/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:3001;
    }
}
Then save the nginx configuration and restart nginx.
After the restart, the first time I visit my site over https, nginx tells the browser that even if the user enters http, it should access my nginx server over https, as follows:
If instead the first visit after the restart is over http, the redirect still happens but HSTS is not used yet, because the browser only receives the HSTS header once it has reached the https site. When I type the http address again afterwards, the request shows a 307 status code with the "Provisional headers are shown" note.
Understand HSTS Preload List
Although HSTS defends against downgrade attacks on HTTPS, the very first http request, before HSTS has taken effect, can still be hijacked. For example, if the browser cache has just been cleared and the site is then opened over http, that first http request is still sent in plaintext; only after the redirect to https does HSTS apply. From then on, as long as the browser cache is not cleared and nginx is not restarted, HSTS protection is in force. To solve the problem of this first http request, browser vendors introduced the HSTS Preload List: a periodically updated list built into the browser, and any domain name on the list is requested over https even if the user has never visited it before.
This Preload List is currently maintained by Google Chrome and is used by Chrome, Firefox, Safari, IE 11 and Microsoft Edge. To have your domain name added to the list, you first need to meet the following conditions:
1. Have a valid certificate (if you use a SHA-1 certificate, its expiration date must be earlier than 2016)
2. Redirect all HTTP traffic to HTTPS
3. Ensure that all subdomains have HTTPS enabled
4. Send the HSTS response header:
5. max-age must be at least 18 weeks (10886400 seconds)
6. The includeSubDomains parameter must be specified
7. The preload parameter must be specified
Even if all the above conditions are met, you may not be able to enter HSTS Preload List. More information can be found at https://hstspreload.org/.
With Chrome's chrome://net-internals/#hsts tool you can check whether a site is on the Preload List, or manually add a domain name to the local list.
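The header syntax described above and the preload-list header rules just listed can be checked mechanically. The following Python parser is an added example, not code from the original article: parse_hsts() splits a Strict-Transport-Security value into its directives and preload_problems() reports which of the header rules (max-age of at least 18 weeks, includeSubDomains, preload) a value fails; both function names are my own.

```python
import re

# Minimum max-age the HSTS preload list requires: 18 weeks, as listed above.
PRELOAD_MIN_MAX_AGE = 10886400


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797) and max-age may be quoted;
    unknown directives are ignored. Returns None when max-age is missing or
    malformed, because the policy is then invalid and a browser would ignore it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def preload_problems(header_value):
    """Return the reasons a header value would not satisfy the preload list's header rules."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} is below {PRELOAD_MIN_MAX_AGE} (18 weeks)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains is missing")
    if not policy["preload"]:
        problems.append("preload is missing")
    return problems


if __name__ == "__main__":
    # The value used in the nginx configuration above fails two of the rules.
    for value in ("max-age=172800; includeSubDomains", "max-age=31536000; includeSubDomains; preload"):
        print(value, "->", preload_problems(value) or "ok")
```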
Shortcomings of HSTS
HSTS is not a perfect solution to HTTP session hijacking. A user visiting a site for the first time is not protected by HSTS, because on that first visit the browser has not yet received the HSTS header, so the site may still be reached over plaintext HTTP.
If a user accesses an HSTS-protected site over HTTP, any of the following situations can lead to a downgrade hijack:
1. The user has never visited the site before.
2. The operating system was recently reinstalled.
3. The browser was recently reinstalled.
4. The user switched to a new browser.
5. The browser cache was deleted.
6. The user has not visited the site recently and the max-age has expired.
The answer to this problem is the HSTS Preload List described above.
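As an added illustration of the browser-side behaviour described in this section (not code from the original article), the following Python model of a browser's HSTS cache shows why the first plaintext request is unprotected, how includeSubDomains extends a policy to subdomains, and what happens once max-age expires. The HstsStore class and its methods are constructed for this example.

```python
import re


class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed for this example).

    learn() records a policy only from an https response, as browsers do;
    upgrade() rewrites an http:// URL to https:// when a live policy covers the host.
    """

    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, scheme, host, hsts_header, now):
        if scheme != "https" or hsts_header is None:
            return False  # the header is ignored on plaintext responses
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts_header, re.IGNORECASE)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        subs = re.search(r"includesubdomains", hsts_header, re.IGNORECASE) is not None
        self.policies[host] = (now + max_age, subs)
        return True

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, subs = entry
            if now >= expires_at:
                continue  # policy expired: the max-age case in the list above
            if i == 0 or subs:  # exact host, or a parent with includeSubDomains
                return True
        return False

    def upgrade(self, url, now):
        m = re.match(r"http://([^/]+)(/.*)?$", url)
        if not m:
            return url
        host, path = m.group(1), m.group(2) or "/"
        if self.is_known(host, now):
            return f"https://{host}{path}"
        return url  # first visit or expired policy: the request goes out as plaintext
```

The timestamps are plain integers so the expiry case can be stepped through deterministically.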
Browser support for HSTS
All mainstream browsers now support HSTS. See the following list:
Google Chrome 4 and above
Firefox 4 and above
Opera 12 and above
Safari starts from OS X Mavericks
Internet Explorer and above
That is the whole of "how nginx enables HSTS to force browsers to redirect to HTTPS". Thank you for reading! I hope the content has been useful; if you want to learn more, you are welcome to follow the industry information channel.