Nginx

nginx 未能發送 HSTS 標頭,儘管已配置為這樣做

  • March 14, 2019

我正在使用 nginx 和 letencrypt 為自己設置一個站點,並且我想設置 HSTS 預載入以增加安全性,但是當我使用多個不同的掃描器檢查 url 時,不會發送 HSTS 標頭。

這是伺服器配置中的相關塊:

server {

   root /var/www/html/pyroballpcbs;
   index index.php index.html index.htm;

   server_name pyroballpcbs.com www.pyroballpcbs.com;
   server_tokens off;

   client_max_body_size 20M;

   location / {
       #try_files $uri $uri/ =404;
       try_files $uri $uri/ /index.php$is_args$args;
   }

   location ~ \.php$ {
       include snippets/fastcgi-php.conf;
       fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
   }

   location = /favicon.ico { log_not_found off; access_log off; }
   location = /robots.txt { log_not_found off; access_log off; allow all; }
   location ~ /\.ht {
       deny all;
   }
   location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
       expires max;
       log_not_found off;
   }

   #listen [::]:443 ssl ipv6only=on default deferred; # managed by Certbot
   listen 443 ssl; # managed by Certbot
   #Config to enable HSTS
   add_header Strict-Transort-Security: "max-age=63072000; includeSubdomains; preload" always;
   ssl_certificate /etc/letsencrypt/live/pyroballpcbs.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/pyroballpcbs.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
   #Disable insecure TLSv1.0
   ssl_protocols TLSv1.2 TLSv1.3;

}

server {
   if ($host = www.pyroballpcbs.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   if ($host = pyroballpcbs.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot

   listen 80;
   #listen [::]:80;
   add_header Strict-Transort-Security "max-age=63072000; includeSubdomains" always;

   server_name 10.1.10.15 pyroballpcbs.com www.pyroballpcbs.com;
   return 301 https://$host$request_uri; # managed by Certbot
}

以下是設計用於檢查安全標頭的 nmap 腳本的輸出:

$ nmap -p 443 --script http-security-headers pyroballpcbs.com

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-13 00:39 PDT
Nmap scan report for pyroballpcbs.com
Host is up (0.00031s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-security-headers:
|   Strict_Transport_Security:
|_    HSTS not configured in HTTPS Server

hstspreload.org 以及 ssllabs.com 的掃描器也顯示了相同的問題:

https://hstspreload.org/?domain=pyroballpcbs.com

https://www.ssllabs.com/ssltest/analyze.html?d=pyroballpcbs.com&s=73.241.63.225

和 nginx 服務狀態輸出:

$ sudo service nginx status
â nginx.service - nginx - high performance web server
  Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
  Active: active (running) since Wed 2019-03-13 00:39:48 PDT; 12min ago
    Docs: http://nginx.org/en/docs/
 Process: 19114 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
 Process: 19116 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 19118 (nginx)
   Tasks: 2 (limit: 4915)
  CGroup: /system.slice/nginx.service
          ââ19118 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
          ââ19119 nginx: worker process

Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Stopped nginx - high performance web server.
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Starting nginx - high performance web server...
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: nginx.service: PID file /var/run/nginx.pid not readable (yet?) after start: No such file or directory
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Started nginx - high performance web server.

你拼錯了標題名稱,兩次。

   add_header Strict-Transort-Security: "max-age=63072000; includeSubdomains; preload" always;

冒號也不是必需的。

根據您共享的簡短片段以及我對您的域名 pyroballpcbs.com 的 DNS 查找,我認為問題在於您在使用 IPv4 訪問伺服器時在 IPv6 偵聽器上配置了 HSTS:

IPv4 –>

$ dig +short pyroballpcbs.com
162.255.119.121
73.241.63.225

IPv6 –>

$ dig +short pyroballpcbs.com AAAA
$

基於上述內容,您的域名僅解析為 IPv4 地址,因此您無法通過將流量指向 pyroballpcbs.com 來訪問您的 IPv6 偵聽器

引用自:https://serverfault.com/questions/958029