
www.-instance not 100% - missing HSTS #1210

Closed
bwbroersma opened this issue Dec 13, 2023 · 1 comment · Fixed by #1211
Labels: bug (Unexpected or unwanted behaviour of current implementations)
Milestone: v1.8

@bwbroersma (Collaborator):

See the current score of www.internet.nl, thanks @mxsasha for noticing.

The www.-variant is defined here:

```nginx
# No-www.org Class B compliance, see https://www.no-www.org/faq.php
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.${INTERNETNL_DOMAINNAME} ~(nl|en|conn)\.www.${INTERNETNL_DOMAINNAME} ${REDIRECT_DOMAINS_LIST};
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;
    # letsencrypt/ACME
    location /.well-known/acme-challenge/ {
        # basic auth should not apply to this path
        auth_basic off;
        # IP allowlist should also not apply
        allow all;
    }
    # redirect to no-www domainname
    location ~ /(.*) {
        return 301 https://${INTERNETNL_DOMAINNAME}$request_uri;
    }
}
```

only serving the default headers, which don't include a HSTS header (because plain HTTP should not have a HSTS):

```nginx
# default headers added to all responses
add_header 'X-Frame-Options' 'SAMEORIGIN' always;
add_header 'X-Content-Type-Options' 'nosniff' always;
add_header 'X-Clacks-Overhead' 'GNU Terry Pratchett' always;
add_header 'Referrer-Policy' 'same-origin' always;
add_header 'X-XSS-Protection' '1; mode=block' always;
```

So

  • Short term solution: add all default + HSTS + CSP headers in the server block
  • Long term: cleanup the nginx file and make use of files to include default headers, so the same defaults are not repeated all over the file.
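As an added example (not the project's own fix from #1211, which is not shown on this page), this is the www. server block with the short-term solution applied. The reason all defaults must be repeated is an nginx rule: add_header directives are inherited from the enclosing level only if the current level defines none, so adding a single HSTS header in the server block would silently drop the http-level defaults. The HSTS max-age and the CSP value are assumptions, not values from the project.

```nginx
# Added example of the short-term fix; not the project's actual change.
# The http-level defaults must be repeated here: once this server block has
# its own add_header, nginx no longer inherits any add_header from above.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.${INTERNETNL_DOMAINNAME} ~(nl|en|conn)\.www.${INTERNETNL_DOMAINNAME} ${REDIRECT_DOMAINS_LIST};
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;

    # default headers, repeated because they are not inherited once add_header is set here
    add_header 'X-Frame-Options' 'SAMEORIGIN' always;
    add_header 'X-Content-Type-Options' 'nosniff' always;
    add_header 'X-Clacks-Overhead' 'GNU Terry Pratchett' always;
    add_header 'Referrer-Policy' 'same-origin' always;
    add_header 'X-XSS-Protection' '1; mode=block' always;

    # HSTS is safe in this block because it only listens on 443; plain HTTP must not send it.
    # 'always' keeps the header on the 301 redirect response, which is the only response this host gives.
    # max-age value is an assumed example, not the project's setting.
    add_header 'Strict-Transport-Security' 'max-age=31536000; includeSubDomains' always;

    # CSP for a redirect-only host: nothing is rendered, so deny everything. Assumed value.
    add_header 'Content-Security-Policy' "default-src 'none'; frame-ancestors 'none'" always;

    # letsencrypt/ACME; no add_header here, so the server-level headers above still apply
    location /.well-known/acme-challenge/ {
        auth_basic off;
        allow all;
    }
    # redirect to no-www domainname
    location ~ /(.*) {
        return 301 https://${INTERNETNL_DOMAINNAME}$request_uri;
    }
}
```

To confirm the fix took effect, request the www. host with `curl -sI` and check that the 301 response itself carries the Strict-Transport-Security header alongside the defaults.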
bwbroersma added a commit to bwbroersma/Internet.nl that referenced this issue Dec 13, 2023
Fixes internetstandards#1210.

Signed-off-by: Benjamin W. Broersma <bw@broersma.com>
@baknu baknu added this to the v1.8 milestone Dec 13, 2023
@baknu baknu added the bug Unexpected or unwanted behaviour of current implementations label Dec 13, 2023
mxsasha pushed a commit that referenced this issue Dec 13, 2023
Fixes #1210.

Signed-off-by: Benjamin W. Broersma <bw@broersma.com>
mxsasha pushed a commit that referenced this issue Dec 13, 2023
Fixes #1210.

Signed-off-by: Benjamin W. Broersma <bw@broersma.com>
(cherry picked from commit f15c239)
@bwbroersma (Collaborator, Author):

🎉 The test of www.internet.nl is 💯% again.
