Problem with SSL on hostname and DA and HSTS with other applications on other ports!

ikkeben


If you have DA redirecting to SSL, an SSL LE cert on the hostname and HSTS.

Then have you also managed, in this combination, to have port 443 done the right way?

The hostname is not the domain, so "vps.exampledomain.com".

There you have done this for the LE cert https://help.directadmin.com/item.php?id=645, then DirectAdmin on port (2222) is SSL-only with HSTS.

And on the same host/server you added the domain exampledomain.com, there with Let's Encrypt in order to have a cert and HSTS on https://vps.exampledomain.com:443.

You have a (BIGGER) problem if you have applications running on the hostname on other ports and have to access them via a browser, for example Edge.

Tested with Cockpit for example, that is port 9090: vps.exampledomain.com:9090 is then not working, as HSTS is not allowed!

So a howto is needed for other ports/apps and a Let's Encrypt cert on the hostname itself and HSTS?

AND NO, not the MANUAL howto to change the registry for the MS Edge browser. ;)
 

Do you mean, in brief, that we cannot enable HSTS on other ports?
 
Uh, the problem is that the hostname on ports 2222 and 443 has a cert,
with the DA Let's Encrypt (multiple...) script for the hostname on the command line.

Other ports have no SSL cert for the hostname, so HSTS is also not working.
If you look at the LE cert in the Edge browser you see it is on the hostname, but for port 9090 for example there is a "not enough information" message.

So if the browser is / should be following HSTS rules, then problems.
 
@DirectAdmin Support

Please provide a manual howto, for example to get HSTS working properly for the hostname (port 443, 2222 and for example 9090), domains, and other ports.

Please provide a howto manual for OCSP stapling.

Apache and ...

And so that it stays after updates too.

Or make those the default, with a .... switch off ...?
SSL and HTTP/2 have long been standard, and so they should be a standard to use for most.
 
Currently the HSTS option described here https://www.directadmin.com/features.php?id=1776 only works with the login port. So by default port 2222, or your custom login port if you have one, should have the HSTS header. But I notice that other ports like 443 don't contain the HSTS header. This is reproducible like this:

After I enable HSTS like this:

Code:
/usr/local/directadmin/directadmin set hsts 5184000 restart

cd /usr/local/directadmin/custombuild && ./build rewrite_confs   # my habit


I check the header for my custom port 60001:

Code:
curl -s -D- https://sun.sofibox.com:60001 | grep strict
strict-transport-security: max-age=31536000

Great, header found! :)


So, I check the header with port 443:

Code:
curl -s -D- https://sun.sofibox.com:443 | grep strict


Ouch, no header is found. :cry:


Using nginx_apache here.
 
Your site domain (not the hostname) has this too: on the first call in the browser with a URL without https and without www, no cert is found, "unsafe", and no redirect.
If you put https in the URL manually one time first, then every call after that is redirected in the browser. Tried with Edge here: (screenshot: noredirectfirstcall.jpg)
 
You are right about this, I tried my site on

(screenshot: preload_site_failed.JPG)


It has a problem with the redirect there? So is this definitely a bug in HSTS? @smtalk what do you think about this?

If you ask how I enabled this feature on the domain: I enabled it exactly as documented here for nginx: https://docs.directadmin.com/webser....html#adding-security-headers-to-get-a-rating


Does the error mean we need to manually redirect from http to https first? I'm not sure how this HSTS works with DirectAdmin, because does HSTS need a manual redirection?

HSTS for domain.com is working fine (I got an A+ rating in the SSL test), but the first-time redirect is not working.
 
I think I solved the above issue. I added the redirection manually.

EDIT:

For HSTS on domain.com, if using nginx or apache_nginx, I put this extra redirect condition at the bottom of:

nano /usr/local/directadmin/data/templates/custom/cust_nginx.CUSTOM.post

Code:
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1";
add_header X-Download-Options "noopen";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header X-DNS-Prefetch-Control "on";
add_header Referrer-Policy "no-referrer-when-downgrade";

|*if SSL_TEMPLATE="1"|
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|*endif|

add_header Content-Security-Policy "block-all-mixed-content";
add_header Permissions-Policy 'geolocation=*, midi=(), sync-xhr=(self "https://|DOMAIN|" "https://www.|DOMAIN|"), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self "https://|DOMAIN|" "https://www.|DOMAIN|" )';

# This is the extra condition: plain-http vhosts (SSL_TEMPLATE="0") send a permanent redirect to https on the same host

|*if SSL_TEMPLATE="0"|
       return 301 https://$host$request_uri;
|*endif|

For Apache it is the same, in /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post, but you need to change the syntax above to Apache style, including the redirection syntax. This is the guide for Apache: https://docs.directadmin.com/webser...ml#adding-security-headers-to-get-an-a-rating
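Two things in this thread are really one browser rule: the Cockpit-on-port-9090 problem from the opening posts, and the "first call without https is not redirected" problem fixed in the post above. The following is an added example, not code from the thread or from DirectAdmin. It models the client side of RFC 6797 (HSTS) and the published hstspreload.org requirements as I know them: a Known HSTS Host is keyed by hostname only, so a header learned on https://host:2222 upgrades http://host:9090 to https://host:9090 (port 80 alone becomes 443), and the preload list requires http://domain/ to redirect to https on the same host plus a header with max-age >= 31536000, includeSubDomains and preload. Hostnames, ports and header values are constructed sample data; the header dicts are assumed to have lowercase names (as they come back from most HTTP client libraries).

```python
"""Added example (not from the thread or DirectAdmin): client-side HSTS model
per RFC 6797, plus an hstspreload.org-style eligibility check.
Hostnames, ports and header values are constructed sample data; header dicts
are assumed to use lowercase header names."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1); None if invalid."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: the whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """Known HSTS Hosts keyed by hostname only; the port is not part of the key (s8.1)."""

    def __init__(self):
        self.hosts = {}

    def observe(self, url, headers):
        """Learn a policy from a response: https only, and max-age=0 removes the host."""
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if parts.scheme != "https" or parts.hostname is None or policy is None:
            return
        if policy.max_age == 0:
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = policy

    def is_known(self, host):
        """Exact match, or a superdomain that set includeSubDomains (s8.2)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy and (i == 0 or policy.include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """URI rewriting (s8.3): http -> https, explicit :80 -> :443, other ports kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(domain, http_status, http_headers, https_headers):
    """Reasons hstspreload.org would reject `domain` (empty list = eligible), given the
    plain-http response to http://domain/ and the headers of the https response."""
    problems = []
    location = http_headers.get("location", "")
    target = urlsplit(location)
    if http_status not in (301, 302, 307, 308):
        problems.append(f"http://{domain}/ must redirect (got {http_status})")
    elif target.scheme != "https" or (target.hostname or "") != domain:
        problems.append(f"first redirect must be to https://{domain}/, got {location!r}")
    policy = parse_hsts(https_headers.get("strict-transport-security", ""))
    if policy is None:
        problems.append("no valid Strict-Transport-Security header over https")
    else:
        if policy.max_age < ONE_YEAR:
            problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
        if not policy.include_subdomains:
            problems.append("includeSubDomains missing")
        if not policy.preload:
            problems.append("preload missing")
    return problems


def demo_port_scope():
    """The Cockpit case: an HSTS header seen on :2222 also upgrades :9090."""
    store = HstsStore()
    store.observe("https://vps.exampledomain.com:2222/",
                  {"strict-transport-security": "max-age=5184000"})
    return store.rewrite("http://vps.exampledomain.com:9090/")


def demo_preload():
    """Same header, before and after adding the http -> https redirect on the same host."""
    hsts = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
    before = preload_problems("exampledomain.com", 200, {}, hsts)
    after = preload_problems("exampledomain.com", 301,
                             {"location": "https://exampledomain.com/"}, hsts)
    return before, after
```

`demo_port_scope()` returns `https://vps.exampledomain.com:9090/`: once the hostname is a Known HSTS Host, a browser connects to port 9090 over TLS and, under RFC 6797 s8.4, must terminate the connection on any certificate error with no user recourse, which is why a self-signed Cockpit certificate can no longer be clicked through in Edge. The practical consequence is that every TLS port on an HSTS hostname needs a certificate that validates for that name, or the application has to live on a hostname that the policy (including any includeSubDomains directive) does not cover. `demo_preload()` shows the redirect rule the post above had to add by hand: the https vhost already sent the right header, but the plain-http vhost answered 200 instead of redirecting, and the preload checker treats that as a failure.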
 

How to enable HSTS

For added security, you can tell all clients to always use https, even if there is an http link from somewhere. HSTS will silently change the request to use https without needing to be asked, so at no point is http ever used (except on the first attempt, where the browser is given the header, then never asks again). To set up HSTS, add this to your public_html/.htaccess file:

Could be... then it is OK I guess, but we don't need the doc for the .htaccess, because then the order is wrong if using the forced redirect in the GUI and the www or non-www redirect.

We need the doc manual howto for where in the newer custom httpd with the newer forced redirect Evo button and so on.

Also, if needed, a howto for HSTS on other ports?
 
Yup, something like that was working before, but I can't find my old notes for the howto in custom; also there are changes, the forced Evo button...

@ikkeben

I updated the post to include the solution. So the website HSTS preload is now accepted and my domain is on the preload list. I think once this domain is submitted and verified by them, we can safely remove that redirection, because this preload site (owned by Chrome) will be used by all major browsers such as Firefox and others. So next time we don't need to worry about not having this first-time redirection. So it is best to submit it there, because HSTS redirection is based on the user agent.

You see now it is ready to be submitted:

(screenshot: preload_success.JPG)

The only problem now is the hostname ports other than the login port for HSTS; I don't know why port 443 does not contain the HSTS header.
 