HSTS (was: Add support for adding headers) #39
Comments
reyk (Owner) commented May 19, 2015
It is currently not planned to add such generic header modifications that could be done in relayd.
But support for HSTS is actually nice and wanted. So we might want to go for it or add an explicit HSTS option.
reyk changed the title from "Add support for adding headers" to "HSTS (was: Add support for adding headers)" on May 19, 2015
reyk added the "feature request" label on May 19, 2015
sysfu commented Jul 11, 2015
If the current thinking is that manipulation of http headers is best left to relayd, are there any downsides to running relayd and httpd on the same host? I'd like to add HSTS headers along with headers for enforcing content policies that prevent cross site scripting attacks.
It feels a bit overkill and convoluted however to configure relayd on the same host just to add headers for a basic web site with one server.
reyk (Owner) commented Jul 18, 2015
Running relayd is not convoluted ;-)
Florian added HSTS as a specific option in the server context, preload will follow.
reyk closed this on Jul 18, 2015
larryhynes commented Aug 3, 2015
I'm tempted to agree with @sysfu - my modest website doesn't really warrant a relayd component. I can live without a CORS header, I've just disabled my cdn for the site on httpd. I'm really missing expires headers though, or have I missed an option on httpd for 5.7 release? Or is this something that you would suggest relayd handle?
larryhynes commented Aug 4, 2015
OK, I see from the wiki entry on running Owncloud you recommend adding expires headers with relayd. I'll attempt to get a simple relayd instance running and forwarding to httpd on the same machine and see how I get on!
larryhynes commented Aug 8, 2015
Well, I got it working. It took a while to figure out I could use my existing cert (signed by a CA) and key as address.crt and address.key. It took another little while to figure out that the syntax to add a header is match header response add..., as opposed to match header request add.... (It may well be worth adding that as an example in the man page, for us mere mortals.) So, for me at least, relayd is a little convoluted. ;p It also still feels like a rather large hammer to apply to the nut of adding Cache-Control: max-age=, and I would like to have some degree of control over the values applied to specific file types. I almost gave up once or twice and just installed nginx or h2o, but I stuck with it and am happy with the outcome. I get remarkable results from minimal configs for both httpd and relayd.
larryhynes commented Aug 13, 2015
@sysfu I've written up my own experiences on the wiki. @reyk You might have a look and check that I'm not way wide of the mark on anything!
larryhynes commented Aug 23, 2015
Hmmm. My relayd died this morning. I've combed the logs and there's nothing to suggest a reason, it appears to have just stopped (meaning 2hrs+ website downtime before I got to it!). Reading this thread it seems this may not be entirely unexpected while running 5.7 release, which is alarming. I've set up a 'site not reachable' push notification to my phone so I'll be able to catch it in time if it happens again. So using relayd to add headers may not be a good solution, depending on your OpenBSD system, for the time being.
larryhynes commented Aug 27, 2015
relayd just crashed again. I caught it in time, this time. I'm going to delete the wiki page I wrote on using relayd to add headers.
sysfu commented Aug 27, 2015
That's a bummer. I was going to grab a copy of the wiki page but it looks like you've already deleted it. I haven't messed with relayd much lately but would eventually like to get it running in front of all my websites so I have some automated failover in place when needed.
larryhynes commented Aug 27, 2015
I kept a local copy, see below. ;)
FWIW, I've installed monit (available from packages) to restart relayd when it dies, and I'm OK with that so far. My hosting provider doesn't officially support OBSD -stable or -current so I'm unwilling to deviate from a vanilla -release install; I think relayd will be more stable for me when the time comes to upgrade to 5.8 -stable. In the meantime I'm not happy to encourage people to use software that is failing me on a -release of an OS, hence the deletion.
Example 1: http traffic on external ip relayed to localhost and served with a header set.
This is an example config to set up relayd to handle incoming http traffic on port 80 and redirect it to httpd on localhost port 8080 on the same machine and add a 'Cache-Control:' header.

    # /etc/relayd.conf
    table <local> { 127.0.0.1 }
    ext_ip = "123.456.789.0"

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        return error
        pass
    }

    relay "www" {
        listen on $ext_ip port 80
        protocol "http"
        forward to <local> port 8080 check tcp
    }

(Note that relayd will add a colon : after your header – in this case Cache-Control.)
And here's what httpd.conf might look like:

    # /etc/httpd.conf
    server "www.example.com" {
        listen on 127.0.0.1 port 8080
        block return 301 "http://example.com$DOCUMENT_URI"
    }

    server "example.com" {
        listen on 127.0.0.1 port 8080
        root "/htdocs/example.com"
    }

(The above httpd.conf assumes you want to redirect www.example.com to example.com. You can do the opposite if you wish.)
Example 2: http traffic on external ip redirected to https on external ip, relayed to http on localhost port 8082 and served with a header set.
This example uses httpd to listen for incoming http traffic on port 80, redirect it to the external port 443 where relayd will relay it - using tls acceleration - to localhost port 8082.

    # /etc/relayd.conf
    table <local> { 127.0.0.1 }
    ext_ip = "123.456.789.0"

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        return error
        pass
        tls { no client-renegotiation, cipher-server-preference }
    }

    relay "tlsforward" {
        listen on $ext_ip port 443 tls
        protocol "https"
        forward to <local> port 8082 mode loadbalance check tcp
    }
And a corresponding httpd.conf might look like:

    # /etc/httpd.conf
    ext_ip = "123.456.789.0"

    server "www.example.com" {
        alias "example.com"
        listen on $ext_ip port 80
        block return 301 "https://www.example.com$DOCUMENT_URI"
    }

    server "example.com" {
        listen on 127.0.0.1 port 8082
        block return 301 "https://www.example.com$DOCUMENT_URI"
    }

    server "www.example.com" {
        listen on 127.0.0.1 port 8082
        root "/htdocs/example.com"
    }

(In this example relayd will look for your tls cert and key at /etc/ssl/123.456.789.0.crt and /etc/ssl/private/123.456.789.0.key, respectively. Note that in this example we redirect example.com to www.example.com, and disallow any insecure traffic.)
B4rb3rouss commented Sep 21, 2017
Hi,
mrijkeboer commented Sep 21, 2017
HSTS is already implemented: httpd.conf(5).
B4rb3rouss commented Sep 21, 2017
My bad, of course it is, but in httpd, at the right place.
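A small checker for the headers the relayd configs above and httpd's own HSTS option are meant to produce, added here as an example that is not part of this thread or of httpd/relayd. The response heads it parses are constructed samples, the one-year floor for max-age is an assumption, and it also flags the plain-HTTP case (Example 1 above) where an HSTS header would be ignored by browsers.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year, the floor usually recommended for HSTS (assumption)

# Constructed sample heads, shaped like the thread's relayd/httpd output (not real captures).
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nCache-Control: max-age=1814400\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")
SAMPLE_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

def parse_headers(raw):
    """Split a raw response head into (status line, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_hsts(value):
    """Parse an HSTS field value; directive names are case-insensitive (RFC 6797)."""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        m = re.match(r'max-age="?(\d+)"?$', directive)
        if m:
            out["max-age"] = int(m.group(1))
        elif directive in ("includesubdomains", "preload"):
            out[directive] = True
    return out

def check_response(raw, https=True):
    """Return findings for one response head; an empty list means it looks right."""
    _, h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if https:
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        elif parse_hsts(hsts)["max-age"] is None:
            findings.append("HSTS without max-age")
        elif parse_hsts(hsts)["max-age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
    elif hsts is not None:
        # RFC 6797: a browser must ignore an STS header received over plain HTTP.
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    if not re.search(r"max-age=\d+", h.get("cache-control", "")):
        findings.append("no Cache-Control max-age")
    return findings
```

Feed it the head of a real response (for example what `nc` or `openssl s_client` returns) to confirm that relayd's `match response header set` line or httpd's `hsts` option is actually reaching clients.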
Original issue (mrijkeboer, May 19, 2015):
Is it planned to add support for adding custom headers to httpd? For instance the Strict-Transport-Security header or should relayd be used for this?