OPNsense Forum

English Forums => Development and Code Review => Topic started by: Oxima69 on March 29, 2019, 09:27:07 AM

Title: nginx - HSTS
Post by: Oxima69 on March 29, 2019, 09:27:07 AM
Hi,

Since version 1.8
Quote: HSTS not sent automatically anymore if HTTP over TLS is configured (still available via security header)

I guess there's a little problem here.

After activation via security header, the nginx.conf has the following entry:

add_header Strict-Transport-Security "15768000" always;

max-age is missing?

It should be

add_header Strict-Transport-Security "max-age=15768000" always;

Or am I getting something wrong...
Title: Re: nginx - HSTS
Post by: fabian on March 29, 2019, 05:36:31 PM
That's a bug, which I will fix.
Title: Re: nginx - HSTS
Post by: fabian on March 29, 2019, 05:59:27 PM
You can install the patch from here: https://github.com/opnsense/plugins/pull/1284/files

opnsense-patch -c plugins 7ed13346710a56ec504d114c102e34f7f4d35253
Title: Re: nginx - HSTS
Post by: Oxima69 on April 01, 2019, 09:52:37 AM
Great,
it works.
Title: Re: nginx - HSTS
Post by: Oxima69 on April 01, 2019, 09:59:25 AM
Maybe in this context:
there is a little cosmetic error.

When activating the security headers,
you have 2 entries of

proxy_hide_header Strict-Transport-Security;
Title: Re: nginx - HSTS
Post by: fabian on April 01, 2019, 09:44:52 PM
Use the same command with 26fff9cdd527988c2d147d81e1a8f1f3f02dcd54 and it should be gone.

https://github.com/opnsense/plugins/pull/1288/commits/26fff9cdd527988c2d147d81e1a8f1f3f02dcd54
Title: Re: nginx - HSTS
Post by: Oxima69 on April 02, 2019, 12:31:16 PM
Great,
it works.
Title: Re: nginx - HSTS
Post by: fabian on April 02, 2019, 06:02:28 PM
Good to know that it works. Will be in the next release.
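
Added example (not part of the original thread and not the OPNsense plugin's code): a small check that scans nginx configuration text for the two issues reported above, a Strict-Transport-Security value without the max-age directive that RFC 6797 requires and a proxy_hide_header repeated inside one block. The function names and the sample config are constructed for illustration, and the scan assumes one directive per line.

```python
import re

# Constructed sample reproducing the two lines reported in the thread.
SAMPLE_CONF = """
server {
    add_header Strict-Transport-Security "15768000" always;
    location / {
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header Strict-Transport-Security;
    }
}
"""

HSTS_RE = re.compile(r"""add_header\s+Strict-Transport-Security\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))""", re.I)
HIDE_RE = re.compile(r"proxy_hide_header\s+([^\s;]+)\s*;", re.I)

def hsts_value_problem(value):
    """Return None for a usable HSTS value, else the reason (RFC 6797 section 6.1)."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return f"directive '{name}' repeated"
        seen[name] = arg.strip().strip('"')
    if "max-age" not in seen:
        return "required max-age directive missing"
    if not re.fullmatch(r"[0-9]+", seen["max-age"]):
        return "max-age is not a non-negative integer"
    return None

def audit(conf_text):
    """Line-oriented scan (assumes one directive per line); returns (line, message) pairs."""
    findings, blocks = [], [set()]           # one set of hidden header names per open block
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = HSTS_RE.match(line)
        problem = m and hsts_value_problem(next(g for g in m.groups() if g is not None))
        if problem:
            findings.append((no, f"Strict-Transport-Security: {problem}"))
        h = HIDE_RE.match(line)
        if h:
            if h.group(1).lower() in blocks[-1]:
                findings.append((no, f"duplicate proxy_hide_header {h.group(1)}"))
            blocks[-1].add(h.group(1).lower())
        if line.endswith("{"):
            blocks.append(set())
        elif line == "}" and len(blocks) > 1:
            blocks.pop()
    return findings
```

Calling audit() on the generated nginx.conf before and after applying a patch shows whether both findings are gone.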