What does the directadmin.conf HSTS parameter do?

Neograph734

Verified User
Joined
Sep 17, 2014
Messages
18
In my attempt to roll out HSTS for all clients, I have been searching around and found a lot of customizations in the vhosts templates. Though I have no doubt that will work, I also came across the HSTS header: HTTP Strict Transport Security feature that was added with DA 1.49.

When reading the feature page it is not entirely clear if this is supposed to work for clients, or only for the 2222 pages. Also, the Release Candidate post was not clear to me: all traffic to the control panel, or also individual domains?
HSTS Header - ability to redirect all http traffic to https before any client connection (careful: affects apache with same host).
So eventually I just tried it by adding 'hsts=5184000' to directadmin.conf, ran './build rewrite_confs' (not documented, but I assumed it would make sense to rewrite the vhosts), but to no avail. Neither my client's sites nor the example.com:2222 page shows the HSTS header.

What is 'hsts=5184000' supposed to do?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,159
Location
GMT +7.00
Hello,

The article "HSTS header: HTTP Strict Transport Security" https://www.directadmin.com/features.php?id=1776 says:

1. it will only be added to the login page, and not any other page.
2. See "IMPORTANT" below

Then the "IMPORTANT" section gives even more insight.

It becomes very clear that the feature is used only for DirectAdmin (not for apache/nginx). Enabling the feature won't add the HSTS header in Nginx/Apache.
 

Neograph734

Verified User
Joined
Sep 17, 2014
Messages
18
Hi Alex,

I read that page multiple times yesterday, yet I did not see that line. It is indeed pretty clear to me now.
I asked here because the header also did not show on any DA page (including the login page). Now, after knowing where to look, it appeared after restarting the directadmin service.

Thanks for helping me out. I'll use the custom vhosts templates then.
 

Neograph734

Verified User
Joined
Sep 17, 2014
Messages
18
I used my browser's development tools and Telerik Fiddler. But like I said, it worked after restarting directadmin.
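
Added example (not part of the thread and not DirectAdmin code): a scripted version of the check described above, comparing the `Strict-Transport-Security` header on a captured response with the `hsts=` value in directadmin.conf. It assumes the panel sends the standard `max-age=<seconds>` form; the config text and header sets are constructed samples.

```python
# Added example, not DirectAdmin code. CONF and the header dicts are constructed.
import re

CONF = "ssl=1\nport=2222\nhsts=5184000\n"
BEFORE_RESTART = {"Content-Type": "text/html"}
AFTER_RESTART = {"Content-Type": "text/html",
                 "strict-transport-security": "max-age=5184000"}

def configured_hsts(conf_text):
    """Return the hsts= value (seconds) from directadmin.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "hsts" and value.strip().isdigit():
            return int(value)
    return None

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns None when max-age is missing/malformed or a directive repeats,
    because a conforming browser ignores such a header entirely."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"')  # values may be quoted
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_response(conf_text, headers):
    """Classify one response: missing, invalid, mismatch or ok."""
    expected = configured_hsts(conf_text)
    seen = {k.lower(): v for k, v in headers.items()}  # header names too
    if "strict-transport-security" not in seen:
        return "missing"
    parsed = parse_hsts(seen["strict-transport-security"])
    if parsed is None:
        return "invalid"
    return "ok" if parsed["max-age"] == expected else "mismatch"

if __name__ == "__main__":
    print("before restart:", check_response(CONF, BEFORE_RESTART))
    print("after restart: ", check_response(CONF, AFTER_RESTART))
```

The same check applies to a customer vhost once a header is added through the custom templates: feed it the headers captured from that site instead.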
 