How to use HSTS for proxied http server


(谭九鼎) #1

I’m using Caddy to proxy an HTTP-only Apache httpd website.
I have successfully run the website with TLS 1.3, but I’d like to know how to enable HSTS. It seems to work 😂.

Here is my config:

example.com {
    gzip
    # Everything is reverse-proxied to the plain-HTTP Apache httpd listening on port 81.
    proxy / http://127.0.0.1:81 {
        transparent
        # header_downstream sets the header on the response Caddy returns to the browser,
        # not on the request forwarded to Apache.
        header_downstream Strict-Transport-Security "max-age=60; includeSubdomains;"
    }
    tls null
}

OS: Windows Server 2008
Caddy Version: 0.11.5


(Matthew Fay) #2

Hi @imba-tjd, welcome to the Caddy community.

As you noted in an edit, your configuration already sets HSTS (that’s the HTTP Strict-Transport-Security header). :smiley:

A few things of note:

  • You aren’t currently setting preload; - that means that your site will likely not be added to the built-in browser preload lists.
  • You’ve got a max age of 60 - that’s in seconds, so a browser is going to “forget” the HSTS policy a minute after the user browses away from your site. Far more commonly you see people set the HSTS header expiry for a year, i.e. 31536000 seconds.
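
Since the points in post #2 all come down to what the header value says, here is an added example (written for this page, not Caddy’s own code) that parses a Strict-Transport-Security value the way RFC 6797 describes and reports why it would fail preload submission. The one-year threshold is the requirement stated on hstspreload.org and is an assumption to re-check against the site; the two sample values are constructed, one being the value from the Caddyfile above.

```python
"""Added example: parse a Strict-Transport-Security header value (RFC 6797)
and check it against the hstspreload.org submission requirements.
Illustrative code written for this thread, not part of Caddy."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Threshold stated on hstspreload.org (one year). Assumption: re-check the site,
# as the requirement has changed over time.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HSTSPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse the value of a Strict-Transport-Security header field (RFC 6797 section 6.1)."""
    policy = HSTSPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            # The grammar permits empty directives, so a trailing ';' is legal.
            continue
        name, has_value, val = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            # RFC 6797: a directive MUST NOT appear more than once; browsers
            # ignore a header that violates this.
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # quoted-string form is allowed
            if re.fullmatch(r"[0-9]+", val):
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age must be delta-seconds, got {val!r}")
        elif name == "includesubdomains":
            if has_value:
                policy.errors.append("includeSubDomains takes no value")
            policy.include_subdomains = True
        elif name == "preload":
            if has_value:
                policy.errors.append("preload takes no value")
            policy.preload = True
        # Unrecognised directives are ignored, as RFC 6797 requires.
    if policy.max_age is None:
        policy.errors.append("missing required max-age directive")
    return policy


def preload_problems(value: str) -> List[str]:
    """Reasons a header value would be rejected by hstspreload.org; empty means eligible."""
    policy = parse_hsts(value)
    problems = list(policy.errors)
    if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age={policy.max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


# Constructed inputs: the value from the Caddyfile in this thread, and a hardened one.
WEAK_HSTS = "max-age=60; includeSubdomains;"
HARDENED_HSTS = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("weak", WEAK_HSTS), ("hardened", HARDENED_HSTS)):
        problems = preload_problems(value)
        print(f"{label}: {value!r} -> {problems or 'eligible for preload submission'}")
```

The hardened string is what would replace the quoted value in the `header_downstream` line of the Caddyfile above. Two caveats worth keeping in mind: browsers only honour the header when it arrives over HTTPS (RFC 6797 ignores it on plain HTTP), so check it on the TLS response rather than on the Apache backend; and serving `preload` is a long-lived commitment for every subdomain, so raise `max-age` gradually and only add `preload` once every host under the domain is known to work over HTTPS.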

(谭九鼎) #3

Thanks, I know them. It’s normal. :grin:


(Matt Holt) #4

I believe you still have to submit it manually, IIRC.


(Matthew Fay) #5

Ahh, you’re right! To get preloaded, you serve the header with preload;, then submit the site for inclusion.

Removing the preload; part later on makes you eligible to submit the removal form and might have you automatically removed at some point, but it looks like they never automatically add you.

https://hstspreload.org/