Best method to enable HSTS in Custom HTTPD Configurations?

zmippie (Verified User, joined Apr 19, 2015, 161 messages)
I have this in the first block of my (nginx) "Custom HTTPD Configurations" for the hostname domain:

Code:
|*if SSL_TEMPLATE="0"|
	# # # # # # # # # # # # # # # # # # # #
	listen xxx.xxx.xxx.xxx:80;
	return 301 https://$server_name$request_uri;
	# # # # # # # # # # # # # # # # # # # #
|*endif|

It is to redirect all traffic on port 80 to 443/https. This worked exactly as expected until yesterday, when I upgraded DA to 1.5 and enabled LetsEncrypt. I now get the following error:

Code:
nginx: [emerg] a duplicate listen xxx.xxx.xxx.xxx:80 in 
/usr/local/directadmin/data/users/admin1/nginx.conf:16

So I removed the "listen" line, and all is well. I see that there's a "server" block in nginx-vhosts.conf which matches the same conditions. So I'm wondering: was it there before 1.5, or is this new? What *is* the best way to redirect to https in an HSTS setup in DirectAdmin? (I have the required HSTS options added through CUSTOM3 using |*if SSL_TEMPLATE="1"|).
 
It's not new. To enable HSTS you need an additional line in headers too, so the following should be enough:
Code:
|*if SSL_TEMPLATE="0"|
	return 301 https://$server_name$request_uri;
|*else|
	add_header Strict-Transport-Security max-age=15768000;
|*endif|
 
Thanks guys. Yes, I have the headers and a number of related options for perfect forward secrecy. I was just wondering if this is the right way to do it. But judging from your examples, I guess it is. Thanks!

Still not sure why the "listen:80" error suddenly crops up now.
 
You don't have to include the listen:80 part. I used the top box (CUSTOM) and entered this:

Code:
|*if SSL_TEMPLATE="0"|
	##########################################
	# Redirect everything to HTTPS           #
	##########################################
	location / {
		return 301 https://$server_name$request_uri;
	}
|*endif|

And it works perfectly. I use the CUSTOM3 box for custom ssl settings:

Code:
|*if SSL_TEMPLATE="1"|
	##########################################
	# Custom SSL Configuration               #
	##########################################
	include /etc/nginx/custom_settings/custom_ssl_settings.conf;
|*endif|
 
That's indeed a neat way to reuse your config for multiple domains. Thanks!
 
On a related note: I searched the web thoroughly, but I couldn't find a way to dump the entire nginx contexts configuration with all includes expanded. Is this at all possible?
 
I found this thread and HTTP Strict Transport Security ( HSTS )
I'm trying to combine them and use Global custom include templates for apache/nginx.

So my /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post looks like this:

Code:
|*if SSL_TEMPLATE="1"|
##########################################
# Custom HSTS Configuration              #
##########################################
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
|*endif|

But when I rewrite configs, nothing is added.

Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d
/etc/init.d/httpd restart

I must be doing something wrong. :confused:
Note: Indeed my A rating goes to A+ on SSL Labs when I add HSTS manually.
 
OK, I see. Just tested on my end:

1. created these files (non-empty):

/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.1.post
/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.1.pre
/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post
/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre

2. regenerated virtualhosts with

./build rewrite_confs

No line from the cust_httpd.CUSTOM* files was added.
No line was shown on the CMD_CUSTOM_HTTPD page in DirectAdmin.

So I guess either the help page is missing something or the feature is not working at all.
 
Ok thanks for testing. Perhaps the DA developers can solve this.
 
Go and download a pre-release binary from the client area if you bought a license from DirectAdmin directly, or wait for an official release.
 
Ok, it seems I have to wait for the official release then. I have a lifetime license, but bought from my webhoster.
 
Hello, I tried to use this in CUSTOM3 and it did not redirect, please advise.

Code:
|*if SSL_TEMPLATE="0"|
##########################################
# Redirect everything to HTTPS           #
##########################################
location / {
	return 301 https://$server_name$request_uri;
}
|*endif|
 
nginx or apache?

Make sure you are using nginx for the command you are using.
If you are using Apache, the following lines work for me (in CUSTOM3):

Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Hello, I tried to use this in CUSTOM3 and it did not redirect, please advise.

Code:
|*if SSL_TEMPLATE="0"|
##########################################
# Redirect everything to HTTPS           #
##########################################
location / {
	return 301 https://$server_name$request_uri;
}
|*endif|
 
It's not new. To enable HSTS you need an additional line in headers too, so the following should be enough:
Code:
|*if SSL_TEMPLATE="0"|
    return 301 https://$server_name$request_uri;
|*else|
    add_header Strict-Transport-Security max-age=15768000;
|*endif|
Sorry for bumping an old post, but where do I need to add it if I have nginx_apache with php-fpm?
 
Sorry for bumping an old post, but where do I need to add it if I have nginx_apache with php-fpm?

I know that was an old question. To help others: if you use nginx, you can see this (you only need to copy and paste): https://docs.directadmin.com/webser...tml#how-to-install-the-pagespeed-nginx-module

Then you can run ./build rewrite_confs

For Apache it is different: you need to use .htaccess: https://docs.directadmin.com/webser...to-force-redirecting-to-https-for-all-domains

For the nginx_apache reverse proxy, I use the nginx block and it works (I found the header).

To test whether your website has the security header, use the following command:

Code:
curl -s -D- https://domain.com | grep -i Strict

It should output the following HSTS header (if not, something is wrong):

Code:
strict-transport-security: max-age=31536000
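The curl check above only greps for the header name. The following is an added example (not code from this thread, DirectAdmin or nginx) that goes a step further and validates both halves of the setup the earlier replies describe: that the port-80 answer is a permanent redirect to https on the same host, and that the HTTPS answer carries a Strict-Transport-Security header with a numeric max-age of at least six months. The two raw responses and the host `domain.com` are constructed samples standing in for what `curl -s -D-` would print; the threshold constant is an assumption, chosen to match the smaller of the two max-age values used in this thread.

```python
"""Offline check of an HTTP->HTTPS redirect and an HSTS header.

Added example for this thread; not DirectAdmin's or nginx's own code.
The two raw responses below are constructed samples of what
`curl -s -D- http://domain.com` and `curl -s -D- https://domain.com`
would print once the redirect block and add_header line are in place.
"""
from typing import Dict, Optional, Tuple

# Assumed threshold: 15768000 s (six months) is the smaller max-age used in
# this thread; anything lower is treated as too short to be useful.
MIN_MAX_AGE = 15768000

# Constructed sample: what port 80 answers after the `return 301` block.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://domain.com/some/path?x=1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: what port 443 answers with the add_header line.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased because HTTP header names are
    case-insensitive and nginx emits them exactly as written in the config.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive; `max-age` carries a value while
    `includeSubDomains` and `preload` are bare flags (value None).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_redirect(raw: str, host: str) -> Tuple[bool, str]:
    """Verify the plaintext response is a permanent redirect to https on the same host."""
    status, headers = parse_response(raw)
    if status not in (301, 308):
        return False, f"expected 301/308, got {status}"
    location = headers.get("location", "")
    if not location.startswith(f"https://{host}/") and location != f"https://{host}":
        return False, f"redirect does not point to https://{host}: {location!r}"
    return True, "ok"


def check_hsts(raw: str, min_max_age: int = MIN_MAX_AGE) -> Tuple[bool, str]:
    """Verify the HTTPS response carries a usable Strict-Transport-Security header."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, f"missing or non-numeric max-age in {value!r}"
    if int(max_age) < min_max_age:
        return False, f"max-age {max_age} below {min_max_age}"
    return True, "ok"


if __name__ == "__main__":
    print(check_redirect(HTTP_RESPONSE, "domain.com"))
    print(check_hsts(HTTPS_RESPONSE))
```

To run it against a live host, replace the two constructed strings with the output of `curl -s -D- http://<host>` and `curl -s -D- https://<host>`; a redirect that lands on a different host, a non-numeric max-age, or a header missing entirely all come back as a failure with a reason rather than a bare grep miss.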
 