
HSTS header is being suppressed #24

Closed
joewiz opened this issue May 27, 2016 · 3 comments
@joewiz
Member

joewiz commented May 27, 2016

@tasmo (cc: @wolfgangmm) Could you please look into why the HSTS header is not being passed to clients? The Strict-Transport-Security header should be appearing; see the nginx configurations for both servers:

$ curl -I https://history.state.gov
HTTP/1.1 200 OK
Cache-Control: max-age=300
Cache-control: no-cache="set-cookie"
Content-Length: 23062
Content-Type: text/html;charset=UTF-8
Created: Thu, 26 May 2016 15:49:57 GMT
Date: Fri, 27 May 2016 11:45:25 GMT
Expires: Fri, 27 May 2016 11:50:25 GMT
Last-Modified: Thu, 26 May 2016 15:49:57 GMT
Server: nginx/1.8.1
Set-Cookie: JSESSIONID=1awavjfcnah5o4ynki5ufos0h;Path=/exist;Secure
Set-Cookie: AWSELB=DF3DF3131A3B5A346363EB1AB82654160644E8227C298C9EE89549313D0D91DE903E91ED1DA192BECC93A380DCC30525256BA2F6416763ADC2F553BFD3E4B5750299775BB7;PATH=/
X-Proxy-Cache: HIT
X-XQuery-Cached: true
Connection: keep-alive

$ curl -I https://1861.history.state.gov
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 27 May 2016 11:49:30 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 23062
Connection: keep-alive
Set-Cookie: JSESSIONID=1awavjfcnah5o4ynki5ufos0h;Path=/exist;Secure
Expires: Fri, 27 May 2016 11:54:30 GMT
Last-Modified: Thu, 26 May 2016 15:49:57 GMT
Created: Thu, 26 May 2016 15:49:57 GMT
X-XQuery-Cached: true
Cache-Control: max-age=300
X-Proxy-Cache: HIT

$ curl -I https://1991.history.state.gov
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 27 May 2016 11:50:03 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 23062
Connection: keep-alive
Set-Cookie: JSESSIONID=nja2c36zolzarear6gcay5e8;Path=/exist;Secure
Expires: Fri, 27 May 2016 11:55:03 GMT
Last-Modified: Thu, 26 May 2016 15:50:31 GMT
Created: Thu, 26 May 2016 15:50:31 GMT
X-XQuery-Cached: true
Cache-Control: max-age=300
X-Proxy-Cache: EXPIRED
@joewiz
Member Author

joewiz commented May 27, 2016

It doesn't seem that AWS ELB is blocking the header; articles like http://blog.danielhlockard.com/implementing-perfect-forward-secrecy-on-amazon-elb/ seem to show it's possible. (My google search: https://www.google.com/#q=%22strict-transport-security%22+header+elb+aws.)

@tasmo
Contributor

tasmo commented Jun 6, 2016

Found the solution in https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ described as following:

if a block includes an add_header directive itself, it does not inherit headers from enclosing blocks, and you need to redeclare all add_header directives

@tasmo tasmo closed this as completed Jun 6, 2016
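The inheritance rule quoted from the nginx blog, shown as an added configuration example. This is not the repository's own nginx config or the fix commit: the hostnames, the proxy upstream, the snippet path and the X-Proxy-Cache header are placeholders chosen to mirror the headers visible in the curl output above. The first server block reproduces the trap (HSTS declared at server level, a location block with its own add_header, HSTS silently dropped for that location); the second shows the correction.

```nginx
# Added example, not the project's own configuration. All names are placeholders.

# BEFORE: the server-level add_header is NOT inherited by the location block,
# because that block declares an add_header of its own. Responses served via
# /exist/ therefore carry X-Proxy-Cache but no Strict-Transport-Security.
server {
    listen 443 ssl;
    server_name before.example.org;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /exist/ {
        proxy_pass http://127.0.0.1:8080;                  # hypothetical upstream
        add_header X-Proxy-Cache $upstream_cache_status;   # this line disables inheritance
    }
}

# AFTER: keep the shared security headers in one snippet and include it in every
# block that has its own add_header, so HSTS is redeclared rather than lost.
# Contents of snippets/hsts.conf (hypothetical path, relative to the nginx prefix):
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server {
    listen 443 ssl;
    server_name after.example.org;

    include snippets/hsts.conf;

    location /exist/ {
        proxy_pass http://127.0.0.1:8080;                  # hypothetical upstream
        add_header X-Proxy-Cache $upstream_cache_status;
        include snippets/hsts.conf;                        # redeclared here on purpose
    }
}
```

Two practical notes. The `always` parameter (available since nginx 1.7.5, so usable on the 1.8.1 seen in the curl output) makes nginx emit the header on 4xx and 5xx responses as well; without it a 404 or 502 from the same host is sent without HSTS. And the check is the same one used in this issue: `curl -sI https://<host>/ | grep -i strict-transport-security` should print the header for every host and every location that has its own add_header, not just the site root.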
@joewiz
Member Author

joewiz commented Jun 9, 2016

@tasmo Many thanks for finding the solution!

For the record, your commit with the fix was 496e9d2
