How to use HSTS for proxied http server

imba-tjd · March 5, 2019, 3:41am

I’m using caddy proxy a http-only apache httpd website.
I have successfully run the website with tls1.3, ~~but I’d like to know how to enable HSTS.~~ It seems works😂.

Here is my config:

example.com {
    gzip
    proxy / http://127.0.0.1:81 {
        transparent
        header_downstream Strict-Transport-Security "max-age=60; includeSubdomains;"
    }
    tls null
}

OS: win server 2008
Caddy Version: 0.11.5

Whitestrake · March 5, 2019, 3:50am

Hi @imba-tjd, welcome to the Caddy community.

As you noted in an edit, your configuration already sets HSTS (that’s the HTTP Strict-Transport-Security header).

A few things of note:

You aren’t currently setting preload; - that means that your site will likely not be added to the built-in browser preload lists.
You’ve got a max age of 60 - that’s in seconds, so a browser is going to “forget” the HSTS policy a minute after they browse away from your site. Far more commonly you see people set the HSTS header expiry for a year, i.e. 31536000 seconds.

imba-tjd · March 5, 2019, 3:52am

Thanks, I know them. It’s normal.

matt · March 5, 2019, 5:59am

I believe you still have to submit it manually, IIRC.

Whitestrake · March 5, 2019, 6:12am

Ahh, you’re right! To get preloaded, you serve the header with preload;, then submit the site for inclusion.

Removing the preload; part later on makes you eligible to submit the removal form and might have you automatically removed at some point, but it looks like they never automatically add you.

https://hstspreload.org/

system · June 3, 2019, 6:12am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.