Can strict transport security be enforced generally? - Nginx - PhpOut

tmighty
April 15, 2021
85 views
0 votes
2 Answers

I would like to prevent users accessing my website using http.
Instead, I want to enforce the use of https.

Usually, I have my websites hosted at providers who simply have a checkbox "Enforce https".

In this case, I have my own Ubuntu (nginx) server.

I would like to know if I can also enforce https server wide, or do I have to work with a preload flag in the HSTS header?

Can anybody point me to a document that describes how to resolve this issue with my configuration?

Thank you!

Tags: hsts https nginx security ubuntu

Answers

- IvanShatsky
- April 15, 2021 at 8:35 pm
- 0 votes
0
Usually you need two server blocks where the one that listen on plain HTTP port redirect all requests to HTTPS:
```
server {
    listen               80;
    server_name          example.com;
    return               301 https://example.com$request_uri;
}

server {
    listen               443 ssl;
    server_name          example.com;
    ssl_certificate      /path/to/certificate;
    ssl_certificate_key  /path/to/privatekey;
    add_header           Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # all the other configuration
}
```
If you also need to redirect all non-www domain name requests to www one (or vise versa), check this answer.
Login or Signup to reply.

- MaxIvanov
- April 16, 2021 at 12:59 am
- 0 votes
0
The answer by @IvanShatsky shows how to implement HSTS in Nginx (and I believe that’s what you need).

Just to add some context to the answer:
- You want to have both HTTP → HTTPS redirect and HSTS header.
- To prevent all vulnerable scenarios you want HSTS header to include preload attribute (unless your TLD is HSTS-enabled, like .dev or .app).
- In order to add a domain to the preload list, you still need to submit it at https://hstspreload.org.
Since enabling preload is pretty much a one-way ticket, safe rollout plan make look like this:

The idea is to start small and gradually increment the expiration time and inclusion criteria.
- Find out all subdomains you have (consult DNS CNAME entries). Those may be served by your servers or 3rd party services
- Make sure the root domain and all subdomains can serve traffic over SSL/TLS (accessible via HTTPS)
- Ensure HTTP → HTTPS redirect is configured
- Set small expiration time, e.g. max-age=600 (10 minutes), make sure all systems operational
- Add includeSubDomains directive
- Make incremental changes to max-age. Aim for the value of 2 years
- Add preload directive and submit the domain to the HSTS preload list
Ultimate guide to HTTP Strict Transport Security (HSTS).
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.