force redirect is not secure yet for HSTS

[JWST]

Force redirect to the www subdomain or without www can be chosen.
Documented on https://www.directadmin.com/features.php?id=2365

Why is coding in Direct Admin not yet sufficient for HSTS and security headers on internet.nl?
I think the coding must be in two steps in order to be secure.

Note: In Plesk identical functionality works correctly.

Eg:
97%: https://internet.nl/site/www.webtechsolutions.nl/539788/
100%: https://internet.nl/site/webtechsolutions.nl/539790/

 

[JWST]

The recent functionality in DirectAdmin to force redirect to subdomain www. or without, is still unstable.

According to mail exchange with internet.nl:

- The HSTS header is detected at the first contact over HTTPS.
- When redirecting to another subdomain, the HSTS header must therefore be present on both subdomains.
- A redirect order applies to ensure that HSTS functions properly:
First from HTTP to HTTPS for the same subdomain;
Secondly over HTTPS, from one subdomain to the other;
Browsers do save the HSTS header per subdomain.

 

[Imtek]

HSTS is not really a part of that feature, i suggest you contact support with a ticket or open a feature request on the forum (https://forum.directadmin.com/forums/feedback-feature-requests.8/) or support ticket for including HSTS.

I feel this is still to complex/too much options for security headers in DirectAdmin there are too much options for these security headers for the interface to handle.

 

[ikkeben]

I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.

 

[Imtek]

I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.

We add the security headers in the Custom HTTPD rules on Admin Level, this works but for user level users this is not enough.

While a HSTS can be set through a .htaccess file also

And o, what a dutch people thread

 

[JWST]

Thanks for your workarounds and new insights. The problem is not purely HSTS related.

The rewrite to HTTPS, I think, works correctly in DirectAdmin, before security headers are reached in .htaccess, httpd (or nginx directive).

I have understood from internet.nl that security headers in a web browser only work with the first domain name under HTTPS.

This is how eg control panel Plesk works with a redirect after security headers being put somewhere:
'Select the URL (either with or without the www. prefix) to which site visitors will be redirected via a SEO-safe HTTP 301 redirect.''

 

[ikkeben]

You can do several things as in virtualhost / template.

Or let PUBLIC and Privat both directory stay on the server for apache then you can put there the .htaccess redir rules and HSTS as the spec HSTS needed.
Take care of the order how you redirect! ( you need certs for all domain/subdomains then that you are redirecting from i guess)

First from whatever domain / subdomain to the https version of exactly the same with a HSTS in it to, and only after that to the https site you want to.
So needed for such non https then 2 redirects less good for Speed and SEO but only then within the specs for HSTS.

The/some redirects in GUI Directadmin doesn't aply the specs HSTS!

There are more topics on this here in forum

 

[JWST]

You can do several things as in virtualhost / template.

Or let PUBLIC and Privat both directory stay on the server for apache then you can put there the .htaccess redir rules and HSTS as the spec HSTS needed.
Take care of the order how you redirect! ( you need certs for all domain/subdomains then that you are redirecting from i guess)

First from whatever domain / subdomain to the https version of exactly the same with a HSTS in it to, and only after that to the https site you want to.
So needed for such non https then 2 redirects less good for Speed and SEO but only then within the specs for HSTS.

The/some redirects in GUI Directadmin doesn't aply the specs HSTS!

There are more topics on this here in forum

------------------
We agree that this force redirect is a design issue in control panels.
I do not want my own code if GUI DirectAdmin 'guarantees' a way to do the same.
Security headers, like HSTS, in a web browser only work with the first domain name via HTTPS.
So the design by DirectAdmin using the rewrite to HTTPS is totally wrong.
This, I think, is the proper order to be supported, catching many scenarios:
1. rewrite to https by GUI DirectAdmin
2a. security headers in .htaccess
2b. and / or security headers in httpd / on webserver level
3. 301 redirect by GUI DirectAdmin (with or without www.) after any security header on webserver level
Would you agree?

 

[ikkeben]

i do 2a and 2b.
2b for the security headers needed everywhere or with an if ... domain in the custom also some rewrites i'm not sure out of my head now, and for the more dynamic some more often changing parts then in htaccess.

For the parts where i don't mind hsts then in GUI DA , domain redirects for "parked" securing other getting same domains with ---- .

It is some time ago almost a year i had same problem when looking and did tests for the hsts specs.
The first workarround i did / started was leaving the domains and the private and public directorys intact, and using htaccess for al redir , hsts and security headers. ( so not using GUI and custom ..) Now i do with if domain rules...