OPNsense Forum

English Forums => Development and Code Review => Topic started by: Oxima69 on March 29, 2019, 09:27:07 am

Title: nginx - HSTS
Post by: Oxima69 on March 29, 2019, 09:27:07 am

Hi,

Since version 1.8

Quote

HSTS not sent automatically anymore if HTTP over TLS is configured (still available via security header)

I guess there's a little problem here.

after activation via security header the nginx.conf has the following entry

Code: [Select]

add_header Strict-Transport-Security "15768000" always;
max-age is missing ?

it should be

Code: [Select]

add_header Strict-Transport-Security "max-age=15768000" always;
Or do I get something wrong......

Title: Re: nginx - HSTS
Post by: fabian on March 29, 2019, 05:36:31 pm

that's a bug which I will fix

Title: Re: nginx - HSTS
Post by: fabian on March 29, 2019, 05:59:27 pm

You can install the patch from here: https://github.com/opnsense/plugins/pull/1284/files

opnsense-patch -c plugins 7ed13346710a56ec504d114c102e34f7f4d35253

Title: Re: nginx - HSTS
Post by: Oxima69 on April 01, 2019, 09:52:37 am

Great,
it works.

Title: Re: nginx - HSTS
Post by: Oxima69 on April 01, 2019, 09:59:25 am

maybe in this context.
there is a little cosmetic error.

when activating the security headers.
you have 2 entries of

Code: [Select]

proxy_hide_header Strict-Transport-Security;

Title: Re: nginx - HSTS
Post by: fabian on April 01, 2019, 09:44:52 pm

use the same command with 26fff9cdd527988c2d147d81e1a8f1f3f02dcd54 and it should be gone.

https://github.com/opnsense/plugins/pull/1288/commits/26fff9cdd527988c2d147d81e1a8f1f3f02dcd54

Title: Re: nginx - HSTS
Post by: Oxima69 on April 02, 2019, 12:31:16 pm

Great,
it works.

Title: Re: nginx - HSTS
Post by: fabian on April 02, 2019, 06:02:28 pm

Good to know that it works. Will be in the next release.