Set up HTTP Strict Transport Security (HSTS)
We can specify HTTP Strict Transport Security (HSTS) in response headers so that your server advertises to clients that it accepts only HTTPS requests. We can redirect any non-HTTPS requests to SSL enabled virtual hosts.
Before you begin
- If SSL/TLS is terminated by a device ahead of the IBM HTTP Server (IHS), and if the IBM HTTP Server is not configured for SSL/TLS, the following procedure does not apply. Instead, you must configure HTTP Strict Transport Security on the device that terminated SSL/TLS. For more information about HTTP Strict Transport Security, see RFC 6797 section 7.
- Determine whether your HSTS policy applies to only the domain or includes subdomains.
- Determine whether the domain can be part of the preinstalled list of known HSTS hosts in a client.
- Determine how long the client can cache the information that indicates that the domain is an HSTS host.
- Restriction: The server does not add the HSTS headers to HTTP 304 (not modified) responses. These responses are used to validate cache freshness. A client will not see the HSTS headers until it accesses at least one uncached (or stale) resource on the server.
- HSTS works only if the client is connecting to the default ports for HTTP (port 80) and HTTPS
(port 443). If you are using non-default ports in your IBM HTTP Server configuration, you need to
use an additional front-end device that does use the default ports. Place the additional front-end
device between your IBM HTTP Server and the client. For
example:
client ----> load balancer (ports 80 and 443) ----> IHS (other ports)
Procedure
-
Enable the modification of response headers.
Uncomment the following Load Module directive for the mod_headers module in the
httpd.conf
file:
LoadModule headers_module modules/mod_headers.so
-
Define the HSTS policy for clients.
Make the following updates in the httpd.conf file:
-
Add the Header directive for Strict-Transport-Security.
The following example Header specifies useful options for defining your HSTS policy. The
directive specifies that the server always requires HTTPS connections. The HTTPS connections apply
to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS
domains for a maximum of one year (31536000 seconds).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - Add the Header directive to each virtual host section, <virtualhost>, that is enabled for Secure Sockets Layer (SSL).
-
Add the Header directive for Strict-Transport-Security.
The following example Header specifies useful options for defining your HSTS policy. The
directive specifies that the server always requires HTTPS connections. The HTTPS connections apply
to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS
domains for a maximum of one year (31536000 seconds).
-
Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that
are enabled.
RewriteEngine on RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]- Add the stanza once to each non-SSL virtual host section in the httpd.conf file.
- Add the stanza once to the global httpd.conf file, but outside the virtual host sections.
Results
You set up IBM HTTP Server so that it tells clients to
connect to the specified domains and subdomains only over HTTPS. To ensure that your IBM HTTP Server does not process non-HTTPS requests over non-SSL,
you set the server up to redirect these requests to SSL-enabled virtual hosts.
What to do next
Add your server as a front end to your application server environment so that connections
between your application server and a client are over HTTPS.
Related