relayd and HSTS
Hello,
To set up a web site for personal use, I want to get a good grade on some tests like securityheaders.com. I initially configured my httpd.conf with TLS and HSTS and it worked fine, but it had no protection for Content-Security-Policy, X-Frame-Options, etc. So I switched to the pair relayd + httpd. TLS still works fine and I got a better grade on the test (I still need to understand all the settings and tweak the config file), but HSTS does not work anymore. Could you point out my mistake? httpd.conf : Code:
#====================================================
# Macros.
#====================================================
LOCAL_IP = "127.0.0.1"

#====================================================
# Types.
#====================================================
# Include additional MIME types.
types {
    include "/usr/share/misc/mime.types"
}

#====================================================
# Servers.
#====================================================

# mx1.mydomain.tld
# Let's Encrypt certificate
#----------------------------------
server "mx1.mydomain.tld" {
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block
    }
}

# mydomain.tld
# Let's Encrypt certificate
# and https redirection
#----------------------------------
server "mydomain.tld" {
    alias "www.mydomain.tld"
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}

# mydomain.tld
# https service
#----------------------------------
server "mydomain.tld" {
    alias "www.mydomain.tld"
    # No "tls" keyword: relayd terminates TLS and forwards plain HTTP here.
    listen on $LOCAL_IP port https
    log style forwarded
    root "/htdocs/mydomain.tld"
    # httpd only emits Strict-Transport-Security on a listener configured
    # with tls, so this block has no effect behind relayd; the header has
    # to be set by relayd instead. Note also that 16000000 s (about 185
    # days) is below the one-year minimum hstspreload.org requires for
    # "preload".
    hsts {
        max-age 16000000
        preload
        subdomains
    }
}

# mta-sts.mydomain.tld
# Let's Encrypt certificate
#----------------------------------
server "mta-sts.mydomain.tld" {
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block
    }
}

# mta-sts.mydomain.tld
# https service
#----------------------------------
server "mta-sts.mydomain.tld" {
    listen on $LOCAL_IP port https
    log style forwarded
    location "/.well-known/mta-sts.txt" {
        root "/mta-sts"
        request strip 1
    }
    location * {
        block
    }
}

#====================================================
# End of File.
#====================================================

relayd.conf : Code:
EXT_IP = "egress"
LOCAL_IP = "127.0.0.1"
CIPHERS_LIST = "AEAD-AES256-GCM-SHA384:AEAD-AES128-GCM-SHA256:AEAD-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"

# Plain HTTP on port 80: httpd only serves ACME challenges and redirects
# everything else to https, so the response headers below matter little here.
http protocol "http" {
    # Pass the real client address to httpd (logged via "log style forwarded")
    # and strip a client-supplied Proxy header (httpoxy).
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header remove "Proxy"

    match response header set "Cache-Control" value "max-age=1814400"
    match response header set "Content-Security-Policy" value "upgrade-insecure-requests; default-src https: 'self'"
    # Each Permissions-Policy feature needs "=(...)"; "microphone()" was a typo.
    match response header set "Permissions-Policy" value "fullscreen=(), geolocation=(), microphone=()"
    # "Frame-Options" is not a header browsers know; X-Frame-Options below is the one that counts.
    match response header set "Frame-Options" value "SAMEORIGIN"
    match response header set "Referrer-Policy" value "strict-origin"
    match response header set "Server" value "OpenBSD Relayd+httpd"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Download-Options" value "noopen"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-Powered-By" value "!"
    match response header set "X-Robots-Tag" value "index, nofollow"
    match response header set "X-Xss-Protection" value "1; mode=block"

    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    return error
    pass
}

# HTTPS on port 443: relayd terminates TLS and forwards plain HTTP to httpd.
http protocol "https" {
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header remove "Proxy"

    match response header set "Cache-Control" value "max-age=1814400"
    match response header set "Content-Security-Policy" value "upgrade-insecure-requests; default-src https: 'self'"
    match response header set "Permissions-Policy" value "fullscreen=(), geolocation=(), microphone=()"
    match response header set "Frame-Options" value "SAMEORIGIN"
    match response header set "Referrer-Policy" value "strict-origin"
    match response header set "Server" value "OpenBSD Relayd+httpd"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Download-Options" value "noopen"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-Powered-By" value "!"
    match response header set "X-Robots-Tag" value "index, nofollow"
    match response header set "X-Xss-Protection" value "1; mode=block"

    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    return error
    pass

    tls ciphers $CIPHERS_LIST
    # One keypair per name served (SNI): /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key
    tls keypair mydomain.tld
    tls keypair mta-sts.mydomain.tld
}

relay "www" {
    listen on $EXT_IP port http
    protocol "http"
    forward to $LOCAL_IP port http
}

relay "www-tls" {
    listen on $EXT_IP port https tls
    protocol "https"
    forward to $LOCAL_IP port https
}

Regards.
Wikipedia states that HSTS uses an HTTPS response header field named "Strict-Transport-Security".
Hello jggimi,
Thanks for the tip. Adding the following line in relayd.conf makes HSTS work correctly: Code:
# Goes in the "https" protocol block: browsers ignore this header when it
# arrives over plain HTTP (RFC 6797), so the "http" protocol does not need it.
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
Regards.
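The check behind jggimi's tip, as an added example (not code from this thread or from OpenBSD's relayd/httpd): a small Python script that parses the Strict-Transport-Security header the way RFC 6797 describes it and verifies it against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload, and a plain-HTTP redirect to https on the same host). The sample header sets are constructed from the configs in the thread, not captured from a live site; mydomain.tld is the placeholder the poster used, and the fetch() helper is only for running it against a real host.

```python
"""Verify a site's HSTS policy and HTTP-to-HTTPS redirect.

Added example for this thread, not part of the original posts or of
relayd/httpd. Sample header sets below are constructed from the configs
posted in the thread, not captured traffic.
"""

import http.client
import re
from urllib.parse import urlparse

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org: at least one year


def parse_hsts(value):
    """Parse an STS header value into {directive: value}.

    Directive names are case-insensitive and may appear at most once; max-age
    is mandatory and must be delta-seconds (RFC 6797 section 6.1).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"') if sep else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        raise ValueError("max-age missing or not a delta-seconds value")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(headers, want_preload=True):
    """Return findings (empty list == OK) for headers of an HTTPS response."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    if sts is None:
        return ["no Strict-Transport-Security header in HTTPS response"]
    try:
        d = parse_hsts(sts)
    except ValueError as e:
        return [f"malformed Strict-Transport-Security: {e}"]
    findings = []
    if want_preload:
        if d["max-age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"max-age {d['max-age']} below preload minimum "
                            f"{PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("includeSubDomains missing (required for preload)")
        if "preload" not in d:
            findings.append("preload token missing")
    return findings


def check_http_redirect(status, headers, host="mydomain.tld"):
    """The plain-HTTP response must redirect straight to https on the same host."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"plain-HTTP request answered {status}, expected a redirect")
    loc = urlparse(lower.get("location", ""))
    if loc.scheme != "https" or loc.hostname != host:
        findings.append(f"Location {lower.get('location')!r} is not https://{host}/...")
    return findings


def fetch(host, scheme="https", path="/"):
    """HEAD request against a live host; returns (status, header dict)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


# Constructed samples (hypothetical, derived from the thread's configs):
# the value httpd's "hsts { max-age 16000000 preload subdomains }" would produce,
# the final relayd setting, and the relayd response before the header was added.
HTTPD_HSTS = {"Strict-Transport-Security": "max-age=16000000; includeSubDomains; preload"}
RELAYD_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
NO_HSTS = {"Server": "OpenBSD Relayd+httpd", "X-Frame-Options": "SAMEORIGIN"}
HTTPD_REDIRECT = (301, {"Location": "https://mydomain.tld/"})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python3 hsts_check.py example.org
        host = sys.argv[1]
        print("https:", check_hsts(fetch(host)[1]) or "OK")
        print("http: ", check_http_redirect(*fetch(host, "http"), host=host) or "OK")
    else:
        for name, hdrs in (("httpd", HTTPD_HSTS), ("relayd", RELAYD_HSTS), ("before", NO_HSTS)):
            print(name, check_hsts(hdrs) or "OK")
        print("redirect", check_http_redirect(*HTTPD_REDIRECT) or "OK")
```

Run without arguments it audits the constructed samples; with a hostname it does a HEAD over https and over http and reports on both. The original httpd setting fails only on max-age, which is why a preload submission with it would have been rejected even if httpd had emitted the header.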