DaemonForums  
#1
Old 9th April 2021
apfelgluck
Port Guard

Join Date: Sep 2016
Location: France
Posts: 14
relayd and HSTS

Hello,

To set up a web site for personal use, I want to get a good grade on some tests like securityheaders.com.

I initially configured my httpd.conf with TLS and HSTS and it worked fine, but it had no protection for Content-Security-Policy, X-Frame-Options, etc.

So I switched to the relayd + httpd combination.
TLS still works fine and I got a better grade on the test (I still need to understand all the settings and to tweak the config file), but HSTS does not work anymore.

Can you point out my mistake?


httpd.conf:
Code:
#====================================================
#       Macros.
#====================================================

LOCAL_IP = "127.0.0.1"

#====================================================
#       Types.
#====================================================

# Include additional MIME types.
types {
    include "/usr/share/misc/mime.types"
}

#====================================================
#       Servers.
#====================================================

# mx1.mydomain.tld
# Let's Encrypt certificate
#----------------------------------
server "mx1.mydomain.tld" {
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block
    }
}

# mydomain.tld
# Let's Encrypt certificate
# and https redirection
#----------------------------------
server "mydomain.tld" {
    alias "www.mydomain.tld"
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}

# mydomain.tld
# https service
#----------------------------------
server "mydomain.tld" {
    alias "www.mydomain.tld"
    listen on $LOCAL_IP port https
    log style forwarded
    root "/htdocs/mydomain.tld"
    hsts {
        max-age 16000000
        preload
        subdomains
    }
}

# mta-sts.mydomain.tld
# Let's Encrypt certificate
#----------------------------------
server "mta-sts.mydomain.tld" {
    listen on $LOCAL_IP port http
    log style forwarded
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block
    }
}

# mta-sts.mydomain.tld
# https service
#----------------------------------
server "mta-sts.mydomain.tld" {
    listen on $LOCAL_IP port https
    log style forwarded
    location "/.well-known/mta-sts.txt" {
        root "/mta-sts"
        request strip 1
    }
    location * {
        block
    }
}

#====================================================
#       End of File.
#====================================================

relayd.conf:
Code:
EXT_IP = "egress"
LOCAL_IP= "127.0.0.1"
CIPHERS_LIST ="AEAD-AES256-GCM-SHA384:AEAD-AES128-GCM-SHA256:AEAD-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"

http protocol "http" {
    match request header set "X-Forwarded-By"   value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "X-Forwarded-For"  value "$REMOTE_ADDR"

    match request header remove "Proxy"

    match response header set "Cache-Control"           value "max-age=1814400"
    match response header set "Content-Security-Policy" value "upgrade-insecure-requests; default-src https: 'self'"
    # Permissions-Policy directives take the form feature=(allowlist).
    match response header set "Permissions-Policy"      value "fullscreen=(), geolocation=(), microphone=()"
    # "Frame-Options" is not a header browsers recognise; X-Frame-Options below is the one that counts.
    match response header set "Frame-Options"           value "SAMEORIGIN"
    match response header set "Referrer-Policy"         value "strict-origin"
    match response header set "Server"                  value "OpenBSD Relayd+httpd"

    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Download-Options"     value "noopen"
    match response header set "X-Frame-Options"        value "SAMEORIGIN"
    match response header set "X-Powered-By"           value "!"
    match response header set "X-Robots-Tag"           value "index, nofollow"
    match response header set "X-Xss-Protection"       value "1; mode=block"

    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    return error
    pass
}

http protocol "https" {
    match request header set "X-Forwarded-By"   value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "X-Forwarded-For"  value "$REMOTE_ADDR"

    match request header remove "Proxy"

    match response header set "Cache-Control"           value "max-age=1814400"
    match response header set "Content-Security-Policy" value "upgrade-insecure-requests; default-src https: 'self'"
    # Permissions-Policy directives take the form feature=(allowlist).
    match response header set "Permissions-Policy"      value "fullscreen=(), geolocation=(), microphone=()"
    # "Frame-Options" is not a header browsers recognise; X-Frame-Options below is the one that counts.
    match response header set "Frame-Options"           value "SAMEORIGIN"
    match response header set "Referrer-Policy"         value "strict-origin"
    match response header set "Server"                  value "OpenBSD Relayd+httpd"

    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Download-Options"     value "noopen"
    match response header set "X-Frame-Options"        value "SAMEORIGIN"
    match response header set "X-Powered-By"           value "!"
    match response header set "X-Robots-Tag"           value "index, nofollow"
    match response header set "X-Xss-Protection"       value "1; mode=block"

    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    return error
    pass

    tls ciphers $CIPHERS_LIST
    tls keypair mydomain.tld
    tls keypair mta-sts.mydomain.tld
}

relay "www" {
    listen on $EXT_IP port http
    protocol "http"
    forward to $LOCAL_IP port http
}

relay "www-tls" {
    listen on $EXT_IP port https tls
    protocol "https"
    forward to $LOCAL_IP port https
}

Regards.
#2
Old 9th April 2021
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

Wikipedia states that HSTS uses an HTTPS response header field named "Strict-Transport-Security".
#3
Old 9th April 2021
apfelgluck
Port Guard

Join Date: Sep 2016
Location: France
Posts: 14

Hello jggimi,


Thanks for the tip.

Adding the following line to relayd.conf makes HSTS work correctly:
Code:
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
And also removing the hsts section from httpd.conf.


Regards.
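An added example (not code from the thread or from OpenBSD): a small offline audit of the response headers the relayd.conf above sets, run over a constructed response before and after the Strict-Transport-Security line from post #3. httpd only emits that header on listeners configured with `tls`, so once relayd terminates TLS the header has to be set in relayd; the audit also applies the preload-list requirements (one-year max-age plus includeSubDomains) that the original httpd hsts block with max-age 16000000 would not have met.

```python
# Offline check of the response headers this thread configures (added example,
# not from the thread or OpenBSD). Sample responses below are constructed.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy")
ONE_YEAR = 31536000  # minimum max-age hstspreload.org accepts

def parse_response(raw: str) -> dict:
    """Return {lower-case header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value: str) -> dict:
    """Split an HSTS value into directives; max-age becomes an int."""
    out = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name:
            name = name.lower()
            out[name] = int(val.strip('"')) if name == "max-age" else True
    return out

def audit(headers: dict) -> list:
    """Return findings for the headers a scanner looks at; [] means clean."""
    findings = [f"missing {h}" for h in REQUIRED if h not in headers]
    if "strict-transport-security" in headers:
        d = parse_hsts(headers["strict-transport-security"])
        if d.get("max-age", 0) < ONE_YEAR:
            findings.append("hsts max-age below one year")
        if "includesubdomains" not in d:
            findings.append("hsts lacks includeSubDomains")
        if "preload" in d and ("includesubdomains" not in d
                               or d.get("max-age", 0) < ONE_YEAR):
            findings.append("hsts preload needs includeSubDomains and a one-year max-age")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    return findings

# Constructed response as the first post's relayd.conf would emit it
# (security headers only): no Strict-Transport-Security is present.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Content-Security-Policy: upgrade-insecure-requests; default-src https: 'self'\r\n"
          "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
          "Referrer-Policy: strict-origin\r\n"
          "Permissions-Policy: fullscreen=(), geolocation=(), microphone=()\r\n\r\n")
# The same response once the header from the third post is added.
AFTER = BEFORE[:-2] + "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n"
```

Feeding the output of `curl -sI` against your own host into `parse_response` gives the same checks without relying on an external scanner.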