Opened 11 years ago

Closed 11 years ago

#391 closed defect (invalid)

HSTS header disabled when SSL enabled

Reported by: Shaiffulnizam Mohamad Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: Cc:
uname -a:
nginx -V: 1.4.2, 1.5.3

Description

HSTS header which is as below, is not enabled when SSL is set to enable, when SSL is disable or OFF, then only the header showing up in the Nginx header. :
add_header Strict-Transport-Security "max-age=70400; includeSubdomains";
and
add_header X-Frame-Options SAMEORIGIN; is disable or not enabled when SSL is enabled.

Change History (6)

comment:1 by Shaiffulnizam Mohamad, 11 years ago

Description :
HSTS header which is as below, is not enabled when SSL is set to enable, when SSL is disable or OFF, then only the header showing up in the Nginx header. :
add_header Strict-Transport-Security "max-age=70400; includeSubdomains";
and
add_header X-Frame-Options SAMEORIGIN; is disable or not enabled when SSL is enabled.

uname -a
Linux server3.apasaja.my 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

nginx -V
nginx version: nginx/1.5.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --conf-path=/usr/local/nginx/conf/nginx.conf --add-module=../ngx_pagespeed-release-1.6.29.3-beta --with-http_spdy_module --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-libatomic --with-pcre=../pcre-8.32 --with-pcre-jit --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.2 --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../nginx-accesskey-2.0.3 --with-openssl=../openssl-1.0.1e --add-module=../nginx-http-concat-master --with-openssl-opt=enable-tlsext

comment:2 by Maxim Dounin, 11 years ago

Resolution: invalid
Status: newclosed

The add_header directive allows to add arbitrary headers to a response. If you want to it to only add headers in a specific situation - you have to write appropriate configuration.

comment:3 by Max, 11 years ago

Resolution: invalid
Status: closedreopened

Why the heck is this bug-report closed?
I can confirm that if you provide "Strict-Transport-Security" header in non-ssl setups (e.g. only listening on port 80), the header gets provided. I am on 1.4.2 using wheezy-debian aptitude repository.

But if you want to provide the header while ssl is "on", the header is not provided by nginx anymore.

Example configurations:

# Header gets provided
server {
    port 80;
    add_header Strict-Transport-Security "max-age=600; includeSubdomains";
}

# Header gets not provided, even if you connect to port 80
server {
    port 80;
    port 443 ssl;
    add_header Strict-Transport-Security "max-age=600; includeSubdomains";
}

# Header gets not provided
server {
    port 443 ssl;
    add_header Strict-Transport-Security "max-age=600; includeSubdomains";
}

The first server shows up the header if I visit the website, the last 2 configurations does not provide the header.
This is obviously a bug since the website "https://httpsnow.org/help/hsts" (just used a random website I found on google with "Strict-Transport-Security" enabled, funny enough that they provide it twice) is displaying it while using SSL-Connection.

So the Ticket-Autor was not talking about the thing that he wants only to provide the header if he is on SSL. He said (as I do in this comment) that it does not get provided if SSL is enabled. Please assign this to a developer who can handle this problem.

With kind regards,
Max

comment:4 by Sergey Budnevitch, 11 years ago

Just added header in question to https://mailman.nginx.com, and everything works as expected:

curl -I 'https://mailman.nginx.com/mailman/listinfo'

HTTP/1.1 200 OK
Server: nginx/1.5.3
Date: Mon, 14 Oct 2013 13:46:05 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Strict-Transport-Security: max-age=600; includeSubdomains

So, what are you talking about?

comment:5 by Max, 11 years ago

Well, I isolated the problem to fastcgi and php-fpm (dotdeb PHP 5.5.4). So actually, PHP-FPM seems to drop the headers, even if I add the headers AFTER the include of the fastcgi params and fastcgi_pass.

Is that expected? I just want to fix the problem, dont want to blame anyone for this. Its just annyoing since it does not work for me as expected. I'm sorry if I was a bit harsh.

comment:6 by Maxim Dounin, 11 years ago

Resolution: invalid
Status: reopenedclosed

Most likely, you have more add_header directives in your config, and this prevents your add_header Strict-Transport-Security from being inherited. Note that add_header directives, much like all other directives, are inherited from previous levels only if there are no add_header directives defined at a given level. Anyway, this bug is clearly invalid, use mailing list for support questions.

Note: See TracTickets for help on using tickets.