Thread: What does the directadmin.conf HSTS parameter do?

  1. #1
    Join Date
    Sep 2014
    Posts
    18

    What does the directadmin.conf HSTS parameter do?

    In my attempt to roll out HSTS for all clients, I have been searching around and found a lot of customizations in the vhosts templates. Though I have no doubt that will work, I also came across the HSTS header: HTTP Strict Transport Security feature that was added with DA 1.49.

    When reading the feature page it is not entirely clear if this is supposed to work for clients, or only for the 2222 pages. Also, the Release Candidate post was not clear to me: all traffic to the control panel, or also individual domains?
    HSTS Header - ability to redirect all http traffic to https before any client connection (careful: affects apache with same host).
    So eventually I just tried it by adding 'hsts=5184000' to directadmin.conf and ran './build rewrite_confs' (not documented, but I assumed it would make sense to rewrite the vhosts), but to no avail. Neither my client's sites nor the example.com:2222 page shows the HSTS header.

    What is 'hsts=5184000' supposed to do?

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,601
    Hello,

    The article "HSTS header: HTTP Strict Transport Security" https://www.directadmin.com/features.php?id=1776 says:

    1. it will only be added to the login page, and not any other page.
    2. See "IMPORTANT" below

    Then section "IMPORTANT" gives even more insights.

    It becomes very clear that the feature is used only for DirectAdmin (not for apache/nginx). Enabling the feature won't add the HSTS header in Nginx/Apache.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  3. #3
    Join Date
    Sep 2014
    Posts
    18
    Hi Alex,

    I read that page multiple times yesterday, yet I did not see that line. It is indeed pretty clear to me now.
    I asked here because the header also did not show on any DA page (including the login page). Now, after knowing where to look, it appeared after restarting the directadmin service.

    Thanks for helping me out. I'll use the custom vhosts templates then.

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,601
    How did you check the header? It won't be added into HTML code.
    Regards, Alex G.


  5. #5
    Join Date
    Sep 2014
    Posts
    18
    I used my browser's development tools and Telerik Fiddler. But like I said, it worked after restarting directadmin.
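
Added example, not part of any post in this thread: a Python check for the point raised in posts #4 and #5, that HSTS lives in the HTTP response headers rather than in the HTML, applying the RFC 6797 rules a browser uses when it reads the field. The two sample responses are constructed, and the header form shown for `hsts=5184000` is an assumption, not captured DirectAdmin output.

```python
import re

def parse_hsts(value):
    """Parse one Strict-Transport-Security field value per RFC 6797."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # value may be a quoted-string
        if name in seen:
            return None                      # repeated directive: header is invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)     # 0 tells the browser to drop the policy
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives are ignored
    return policy if policy["max_age"] is not None else None  # max-age is required

def hsts_from_response(raw_headers, scheme):
    """Return the HSTS policy a browser would apply for this response, or None."""
    if scheme != "https":
        return None                          # header over plain HTTP is ignored
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if not line:
            break                            # blank line: headers end, body starts
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)         # only the first such field counts
    return None

# Constructed samples: a panel login page with the header, a vhost page without.
LOGIN_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=5184000\r\n\r\n<html></html>")
VHOST_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("login page", LOGIN_PAGE), ("vhost page", VHOST_PAGE)):
        print(label, "->", hsts_from_response(raw, "https"))
```

A `max_age` of 5184000 seconds is 60 days; a result of `None` means the browser stores no policy for that host.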
