force redirect is not secure yet for HSTS

S

Stegink Hosting & E-mail

Verified User
Joined
May 29, 2019
Messages
8
Location
Arnhem
The recent functionality in DirectAdmin to force redirect to subdomain www. or without, is still unstable.

According to mail exchange with internet.nl:

- The HSTS header is detected at the first contact over HTTPS.
- When redirecting to another subdomain, the HSTS header must therefore be present on both subdomains.
- A redirect order applies to ensure that HSTS functions properly:
First from HTTP to HTTPS for the same subdomain;
Secondly over HTTPS, from one subdomain to the other;
Browsers do save the HSTS header per subdomain.
 
I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.
 
ikkeben said:
I do this in custom template / virtualmin host, can't explain 123 but this works.

The redirects of more control panels has problems with that parts.
Click to expand...
We add the security headers in the Custom HTTPD rules on Admin Level, this works but for user level users this is not enough.

While a HSTS can be set through a .htaccess file also ;)

And o, what a dutch people thread :D
 
Thanks for your workarounds and new insights. The problem is not purely HSTS related.

The rewrite to HTTPS, I think, works correctly in DirectAdmin, before security headers are reached in .htaccess, httpd (or nginx directive).

I have understood from internet.nl that security headers in a web browser only work with the first domain name under HTTPS.

This is how eg control panel Plesk works with a redirect after security headers being put somewhere:
'Select the URL (either with or without the www. prefix) to which site visitors will be redirected via a SEO-safe HTTP 301 redirect.''
 
Last edited:
You can do several things as in virtualhost / template.

Or let PUBLIC and Privat both directory stay on the server for apache then you can put there the .htaccess redir rules and HSTS as the spec HSTS needed.
Take care of the order how you redirect! ( you need certs for all domain/subdomains then that you are redirecting from i guess)

First from whatever domain / subdomain to the https version of exactly the same with a HSTS in it to, and only after that to the https site you want to.
So needed for such non https then 2 redirects less good for Speed and SEO but only then within the specs for HSTS.

The/some redirects in GUI Directadmin doesn't aply the specs HSTS!

There are more topics on this here in forum
 
Last edited:
ikkeben said:
You can do several things as in virtualhost / template.

Or let PUBLIC and Privat both directory stay on the server for apache then you can put there the .htaccess redir rules and HSTS as the spec HSTS needed.
Take care of the order how you redirect! ( you need certs for all domain/subdomains then that you are redirecting from i guess)

First from whatever domain / subdomain to the https version of exactly the same with a HSTS in it to, and only after that to the https site you want to.
So needed for such non https then 2 redirects less good for Speed and SEO but only then within the specs for HSTS.

The/some redirects in GUI Directadmin doesn't aply the specs HSTS!

There are more topics on this here in forum
Click to expand...
------------------
We agree that this force redirect is a design issue in control panels.
I do not want my own code if GUI DirectAdmin 'guarantees' a way to do the same.
Security headers, like HSTS, in a web browser only work with the first domain name via HTTPS.
So the design by DirectAdmin using the rewrite to HTTPS is totally wrong.
This, I think, is the proper order to be supported, catching many scenarios:
1. rewrite to https by GUI DirectAdmin
2a. security headers in .htaccess
2b. and / or security headers in httpd / on webserver level
3. 301 redirect by GUI DirectAdmin (with or without www.) after any security header on webserver level
Would you agree?
 
i do 2a and 2b.
2b for the security headers needed everywhere or with an if ... domain in the custom also some rewrites i'm not sure out of my head now, and for the more dynamic some more often changing parts then in htaccess.

For the parts where i don't mind hsts then in GUI DA , domain redirects for "parked" securing other getting same domains with ---- .

It is some time ago almost a year i had same problem when looking and did tests for the hsts specs.
The first workarround i did / started was leaving the domains and the private and public directorys intact, and using htaccess for al redir , hsts and security headers. ( so not using GUI and custom ..) Now i do with if domain rules...
 
Erm Since when is a hobby site from holland "GOD" when it comes to internet standards ? Seriously.
Sure go for HTSP it's a good thing but please do it out of common sense and because you think it's safe, Not because someone made a website that ranks its test users. Since when are we turning serverhosting into a game ?

Besides it gives a huge false sense of "security".

IF you want to be in the hall of fame apply this:
access.redhat.com

Security Guide Red Hat Enterprise Linux 7 | Red Hat Customer Portal

This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux...
access.redhat.com access.redhat.com
.
 
spacecabbie said:
Erm Since when is a hobby site from holland "GOD" when it comes to internet standards ? Seriously.
Sure go for HTSP it's a good thing but please do it out of common sense and because you think it's safe, Not because someone made a website that ranks its test users. Since when are we turning serverhosting into a game ?
Besides it gives a huge false sense of "security".

IF you want to be in the hall of fame apply this:
access.redhat.com

Security Guide Red Hat Enterprise Linux 7 | Red Hat Customer Portal

This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux...
access.redhat.com access.redhat.com
.
Click to expand...


Hi you mean this to me? is ok only asking.


It is more yup this helps a bit to https://cisofy.com/lynis/

BUT simple to be compliant with more modern standards , then you have to know and do more also take care of more , together with that all it is more "automaticly" better not?

I mean with this example: if standards like still using rc4 are forgotten to handle, mostly much more is wrong with so a box.

Also none is 100% secure , better to know the weak points , monitor them with care , sometimes yup older stuff has to work / run longer then good for "better" security , then you know the points for some extra attention.

The test online tests and available monitoring tools could still be very helpfull , everybody can forget or think i did that, but wrong way arround.

Spacecabie you know Dyslectic, i have a kind of to the problem to know 0<>1 start<>end left<>right red light<>green light so need extra energy and concentration in life.

If scores for such test how simple or ... is better then having bad scores where some could think if see that hey do they updates intime...

OK is late and bit offtopic sorry, maybe i delete this later...

Webstandards are good , security standards to , but not all makes enough sense for every case, or needed for more simple sites / servers.
I dislike DNSsec for example while very "to" old and to complex way to achieve better dns security (leider) ofcourse some is more secure with ,

i also dislike hsts preload and co.

Alle things where you or someone could doing something wrong / make faults ( while this is HUMAN) and then having sites much to long not reachable because of such are in my view worse tools / standards / procedures. example given dnssec and also preload hsts
 
ikkeben said:
Hi you mean this to me? is ok only asking.

It is more yup this helps a bit to https://cisofy.com/lynis/

BUT simple to be compliant with more modern standards , then you have to know and do more also take care of more , together with that all it is more "automaticly" better not?
I mean with this example: if standards like still using rc4 are forgotten to handle, mostly much more is wrong with so a box.
Click to expand...
No not to you more in general was having a bad day still I stand behind what I said but could have been a bit more lets say.. Diplomatic Yes lets go with that :)
Any Tool to find harden en secure I applaud and is goed. Its just that i have now seen 3 posts atleast refering to (youknowwhatsite.nl) claiming that directadmin is out of date or incorrect for not having a option that is recommended.

Also none is 100% secure , better to know the weak points , monitor them with care , sometimes yup older stuff has to work / run longer then good for "better" security , then you know the points for some extra attention.

The test online tests and available monitoring tools could still be very helpfull , everybody can forget or think i did that, but wrong way arround.
Click to expand...
Exactly use the tools but judge what is needed google the info why its recommended and then decide if this is needed.

Spacecabie you know Dyslectic, i have a kind of to the problem to know 0<>1 start<>end left<>right red light<>green light so need extra energy and concentration in life.

If scores for such test how simple or ... is better then having bad scores where some could think if see that hey do they updates intime...

OK is late and bit offtopic sorry, maybe i delete this later...
Click to expand...
Gotya like ocd/autism? (I am borderline in both cases actually)
It's one more reason I hate Dislike sites that use that kind of scoring (most of them do)
I get severely conflicted with it for example: HTTP compression off Is secure on is speed.

Webstandards are good , security standards to , but not all makes enough sense for every case, or needed for more simple sites / servers.
I dislike DNSsec for example while very "to" old and to complex way to achieve better dns security (leider) of course some is more secure with ,

i also dislike hsts preload and co.
Alle things where you or someone could doing something wrong / make faults ( while this is HUMAN) and then having sites much to long not reachable because of such are in my view worse tools / standards / procedures. example given dnssec and also preload hsts
Click to expand...
Agreed.

To conclude sure improve security ask how you can implement this or that. But please don't go We all need to <insert what ever> because this xxxx site said so. And especially when that site is government sponsert by a government who has been inept and incompetent to even manage basic IT infrastructure. I know cause i used to work them.

"It is possible to commit no mistakes and still lose. That is not a weakness. That is life"
Click to expand...
 
spacecabbie said:
And especially when that site is government sponsert by a government who has been inept and incompetent to even manage basic IT infrastructure. I know cause i used to work them.
Click to expand...

YUP METOO about Government working for and,, also as custommer , and worse some shouting with compliant tests / cerst from PWC and co who are failing very badly ....

UH Germany for those government and co are way behind.

It is also seemly normal that government and co hospitals and co are hacked by some because lack of not only knowledge but also real enough people knowing what they do, the good guys BURNOUT or worse there.

Still for offtopic it gives a overview and with that very handy, i try to score there above 70 then depending for what those sites / server / mail are to a 100 % for setting up newer servers , why the try to get near 100% with newer simple you have to do some work setting up stuff then better do it as much compliant from the start and not later when needed safe some hours.

Also then the HSTS redirects and SSL and Alliases has to be ok if configs and setup and control panel and and are good then you all safe some time if someone want that part compliant to some specs. SPECS ..

For all here on this FORUM and Directadmin CP it is important where to find all those settings with some HOWTO's , and CP parts should not interfering with "good" settings/confs


For compressing you can use BROTLI .

I did had some phone and mail contacts with these guys, they are trying todo a good job there, but if some government themselves decide to have bad security it is hmmmm https://english.ncsc.nl/publication...y-guidelines-for-transport-layer-security-tls

Such guidelines are important as they have in Germany (BSI) and USA (NIST) to . Decide which parts are needed depending on the stuff you or client does. ( HEALTH related DATA from persone should be so secure as possible! for example)

one fits all is wrong aproach, but if choosen 100% safest and compliant ok you mostly don't do anything wrong, if not you have to keep in mind is it needed for that purpose...

BAD is to score a A or APLUS at SSLLAB , but forcing with server settings clients first to the weak key's encryption so wrong order in server config, then still keep saying everything is 100% and we are Certified by .... , not reading any real results and guidelines as they suposed to be fore.

It took more then 6 Months to have such ......... for those guys and some are even don't want to have server order right for that , so a example how this part is so wrong of SSLlabs score overview.
 
Last edited:
Update on 'early rewrite' versus 'late redirect':

The ‘Force Redirect‘ for www. or not, needs a change to work until after security headers. The old choice can be correctly included in this way:
– None (default) / With www / Without www;
– Early rewrite (old) / Late 301 redirect / Late 302 redirect;
For the longstanding redirect being put at the bottom of .htaccess, consider to put them after httpd.
Current explanation by DirectAdmin:
https://www.directadmin.com/features.php?id=2365
(https://www.directadmin.com/features.php?id=2234)

Response from Support on September 17, 2020

We've got the official support for upcoming HSTS implementation listed here: https://www.directadmin.com/features.php?id=2602
it should solve any incorrect order issues once implemented.

Defect text:

Browse http://www.webhostingtech.nl
The changes are: http://www.webhostingtech.nl >>> https://www.webhostingtech.nl >>> https://webhostingtech.nl.

Security headers, such as HSTS, are required to work with the first domain name over HTTPS. So the rewriting called “Force Redirect” combined with the early rewriting to HTTPS has to be built in differently.

100%: https://internet.nl/site/webhostingtech.nl/973637/
97%: https://internet.nl/site/www.webhostingtech.nl/973636/

Please redesign the order; I think many scenarios are catched this way:
step 1. rewrite from HTTP to HTTPS by GUI DirectAdmin (works before reaching .htaccess)
step 2a. security headers in .htaccess
step 2b. and / or security headers on webserver / httpd level
step 3. 301 / 302 redirect by GUI DirectAdmin in order to achieve with or without www.
(after any security header on webserver / httpd level)

Notes:
– Own code is unnecessary if GUI DirectAdmin guarantees to do the same;
– Reported to internet.nl: ‘Note that we consider HTTPS as a requirement for these security options.’ is incorrect for the reported situation. Textual proposal: ‘Security options work with the first domain name via HTTPS.’
 
@JWST
Wen i tested this on fresh newer server With DA

THE FORCE SSL REDIRECT in DA PANEL is set on
The redirect to non www in Panel is set to
With public and private html

This looks like not solved in DA panel wen testing.

IS IT?


DA VERSION 1.62.5


i did tested and this is result for a in DA GUI panel forced ssl and redirect to non www, (with private and public html in private the site)


https://www.example.shop/ 1
301 Missing HSTS-Header
B https://www.example.shop/
Missing HSTS-Header
B https://www.example.shop/404.shtml
301 Missing HSTS-Header
Click to expand...
 
Last edited:
DA redirect (www, non-www and http-https) should indeed be done before .htaccess is called otherwise this problem won't be fixed.
Same here, without www the hsts in .htaccess is not seen and with www it is seen.

It might need a ticket or a suggestion in the new feedback forum to get this fixed.
 
Richard G said:
DA redirect (www, non-www and http-https) should indeed be done before .htaccess is called otherwise this problem won't be fixed.
Same here, without www the hsts in .htaccess is not seen and with www it is seen.

It might need a ticket or a suggestion in the new feedback forum to get this fixed.
Click to expand...
I think your analysis differs from my proposed 'early rewrite' versus 'late redirect'.
A security header is formally respected for the first domain name over HTTPS.

Analysis and fixing by DA require specialistic knowledge.
My defect input, was reported to DA by hostingprovider 'TransIP B.V.' on 14th September 2020.
In the past, DA support didn't really come to analysis.

A relatively large number of questions arise at [email protected].
 
JWST said:
I think your analysis differs from my proposed 'early rewrite' versus 'late redirect'.
A security header is formally respected for the first domain name over HTTPS.

Analysis and fixing by DA require specialistic knowledge.
Click to expand...
If no DA specialistic knowledge:
Example that should work but this is getting extra some delay while 2 redirects ( if also www or the non www has to be done) and those in htaccess gives some extra delay to.
Then use no force redirect https in DA Panel , also use public and private as real location.
Then in apache you can handle it in the htaccess in both Directory's
For none https then in public the rewrite redirect to www. or non www to none https first.
Then after that the rewrite to https in the private directory where also the hsts in htaccess exist
 
JWST said:
I think your analysis differs from my proposed 'early rewrite' versus 'late redirect'.
Click to expand...
In which way? I don't think it's very different or I'm misunderstanding something.
In DA I have the automatic rewrite (isn't that the early rewrite?) set to domain with www.
My .htaccess has a HSTS in it. But I call my domain without www via the internet.nl test I get the same results as you. Missing HSTS header, and when I call my domain with www in internet.nl I don't get a HSTS missing.
Seems the same analysis to me. Except it's the main domain, not a subdomain.

ikkeben said:
Then use no force redirect https in DA Panel
Click to expand...
That might indeed work, but if DA provides kind of the same via the panel, it should not mess up things, so still should be fixed.
 
You must log in or register to reply here.
Back
Top