Introduction
By using the HSTS (HTTP Strict Transport Security) header, we can make our websites more secure against man-in-the-middle attacks. In this short guide, we will see how to set this HTTP header in an Apache-based LAMP or ISPConfig server environment.
Prerequisites
To use the HSTS header, the Apache headers module (mod_headers) must be enabled. On more complex servers it was usually already enabled during installation, but if, for example, we only have a simpler LAMP server, we can enable it with the following commands:
sudo a2enmod headers
sudo systemctl restart apache2
HSTS setup
The HSTS header can be easily set, whether it is a simple LAMP server or a more complex ISPConfig server environment.
Setup on a LAMP server
To set it up, log in as root, then go to the following directory:
cd /etc/apache2/sites-available/
then open the virtual host (.vhost) file belonging to the website to be configured in this directory:
nano xxxx.vhost
Then find the section below:
<VirtualHost *:443>
[...]
</VirtualHost>
And add the following lines to it:
<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
HTTPS redirection
Note that the above setting (inside the *:443 section) only applies to the HTTPS virtual host, i.e. when someone connects over HTTPS from the start. Therefore, we also have to handle the plain HTTP virtual host, so that even the first connection ends up secure when someone tries to connect using the unencrypted HTTP protocol.
The best way to do this is to set a redirect to HTTPS.
Now look for the HTTP (*:80) virtualhost block here:
<VirtualHost *:80>
[...]
</VirtualHost>
And in this section, add the following lines somewhere (these also require the Apache rewrite module, mod_rewrite, to be enabled):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
With this, the plain-text HTTP entry point is protected as well.
Once everything is done, restart Apache:
systemctl restart apache2
With that, the LAMP server is done.
Setup in the ISPConfig control panel
For the ISPConfig setup I am using the Debian 10 (Buster) perfect server from the earlier guide for demonstration, as it already has a working web account, so no special preparation is needed.
To set it up, log in to the control panel as an admin, then go to the Sites main menu. Here, select the website you want to set up:
Here, go to the Options tab, then scroll down to the bottom of the form:
Then insert the following section into the Apache directives field as shown in the image:
<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
Then save it.
Directive template setup
If you operate many websites, it is more appropriate to store such settings as a directive template (directive snippet). The idea is to keep the setting itself in one place and only insert the template (snippet) associated with it into the individual websites' settings. To do this, go to the System main menu, select "Directive snippets" from the menu in the left column, then add a new item:
Here, give the template a name, for example "HSTS Header", choose Apache (default) as the type, put the three-line code fragment shown above into the Snippet field, then save it. Then, if we go back to the website settings where we previously entered this code fragment, our "HSTS Header" snippet also appears as a link under the "Available Apache Directive Snippets:" line:
Clicking this [HSTS Header] link pastes the saved snippet into the field. That way, if we later add a new website to the control panel, we don't have to look up what needs to be set; we can simply plug in the necessary code snippets that we saved as templates from here.
HTTPS redirection
One of the weaknesses of HSTS is that it does not provide protection during the very first visit. So that our visitors end up on an HTTPS connection even on that first visit, turn on HTTPS redirection, if we haven't done so already.
To do this, go back to the website settings and select the Redirect tab here:
Here, enable the "Rewrite HTTP to HTTPS" option, as shown in the picture, then save it.
With these settings, we therefore prevent anyone from staying on the unencrypted, plain-text, outdated HTTP connection to our website.
Checking and testing
We can check the effectiveness of our work in two ways.
Checking in the browser
This can be done in any browser; I will show how to check the configured HTTP header in Chrome.
After completing the previous settings, load or reload the website so that the settings take effect. Then right-click anywhere on the page and select the "Inspect" option at the bottom of the context menu:
Click the Network tab here; below it, a message says to refresh the page to record network activity. Press the CTRL + R key combination, or F5.
The parts of the page are then loaded:
Here, click on any cell in the first (Name) column; the request URL and the request and response header data for that item will then be shown:
Here, scroll down until you find our configured HSTS header:
Testing with a web service
The other option to check the HSTS HTTP header is to try it on a website created for this purpose. There are many such sites; in this example we will try the following web verification service:
https://geekflare.com/tools/hsts-test
If we enter our domain name here, it outputs the result. Of course, only websites reachable from the Internet can be tested here, so let's look at the linuxportal.info domain:
And if we scroll down, the exact header setting is also displayed:
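The browser and web-service checks above can also be scripted. The following is an added example, not code from the original article: it parses a Strict-Transport-Security value like the one configured above, reports what the HSTS preload list requires (max-age of at least one year, includeSubDomains together with preload) and checks that the plain-HTTP response is a permanent redirect to an https:// URL. The header values and status codes at the bottom of the test are constructed; in practice you would feed it the values seen in the browser's Network tab or in the output of curl -sI.

```python
"""Offline checks for an HSTS deployment (added example; not part of the article)."""

ONE_YEAR = 31536000  # the max-age (seconds) used in the article's directive


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive; max-age may be quoted.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(header_values):
    """Return a list of problems for the HSTS header(s) seen on the HTTPS response."""
    if not header_values:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    problems = []
    if len(header_values) > 1:
        # 'Header always add' appends; 'Header always set' would replace an existing value
        problems.append("header sent more than once (prefer 'Header always set')")
    hsts = parse_hsts(header_values[0])
    if hsts["max_age"] is None:
        problems.append("max-age missing or not a number")
    elif hsts["max_age"] < ONE_YEAR:
        problems.append("max-age shorter than one year")
    if hsts["preload"] and not hsts["include_subdomains"]:
        problems.append("preload requires includeSubDomains")
    return problems


def check_redirect(status, location):
    """Return problems for the plain-HTTP response (should 301 to the https:// URL)."""
    problems = []
    if status not in (301, 308):
        problems.append(f"HTTP responded {status} instead of a permanent redirect")
    if not (location or "").lower().startswith("https://"):
        problems.append("Location is not an https:// URL")
    return problems
```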
Conclusion
Setting up the HSTS HTTP header is not complicated and in return offers a higher degree of protection for both our websites and our visitors.