
I've set up Apache to use HSTS as follows just for testing and learning purposes only:

/etc/apache2/sites-enabled/000-default.conf

NameVirtualHost 192.168.3.55:80
NameVirtualHost 192.168.3.55:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
# Plain HTTP vhost: no HSTS header is sent here
<VirtualHost www:80>
    ServerName www
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
# TLS vhost: the HSTS header is only sent over HTTPS (Header requires mod_headers)
<VirtualHost www:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName www
    SSLEngine on
    SSLCertificateFile "/etc/apache2/ssl/mysitename.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/mysitename.key"
    Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;"
</VirtualHost>

I can connect to port 80 and port 443 just fine. The first site is not encrypted and the latter is. All good there.

After I visit the HTTPS site, I see the HSTS header just fine:

Strict-Transport-Security:max-age=63072000; includeSubdomains; 

When I then type in http://www, I do see the following request header in developer tools:

Upgrade-Insecure-Requests: 1

However, the browser connects to the HTTP site; I tcpdump the request and see that the response is still in the clear as well.

Shouldn't it be a secured connection, or am I missing something? I thought the browser would only attempt to visit the secured site from now on.

jouell

2 Answers


It might be a result of your attempt to obfuscate the domain name, but HSTS requires the FQDN www.example.com and won't work with short hostnames such as www.

HBruijn

Since I'm testing I don't have a valid cert, it was self signed. Oops. Live and learn.

jouell
On your internet-facing domain, you could conditionally set the header based on source address to test. You can also start with a low HSTS time for testing. – Aaron Apr 14 '17 at 15:51
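As an added example (not code from the question or the answers), here is a small Python checker that applies the RFC 6797 storage rules to a received Strict-Transport-Security header: the untrusted-certificate case from jouell's follow-up, the IP-literal exclusion from the RFC, and the short-hostname rule from HBruijn's answer (modelled here as a hard rule, which is an assumption). The header value and host names are the ones from the question.

```python
import re

# Added checker (not from the question or answers): models when a browser
# stores an HSTS policy, per RFC 6797 section 8.1, plus the single-label-host
# rule HBruijn's answer describes (assumption: treated here as a hard rule).

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive-name: value}.
    Names are case-insensitive; empty directives (a trailing ';') are allowed
    by the RFC grammar. Returns None when the header would be ignored
    (missing or non-numeric max-age, duplicated directive)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives

def hsts_applies(host, header_value, cert_valid):
    """Return (applies, reason) for a response received from `host` over TLS."""
    if not cert_valid:
        return False, "certificate not trusted (e.g. self-signed): policy discarded"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return False, "IP-address literal: HSTS applies to domain names only"
    if "." not in host:
        return False, "single-label host such as 'www': no FQDN, policy ignored"
    policy = parse_hsts(header_value)
    if policy is None:
        return False, "no valid max-age directive: header ignored"
    if int(policy["max-age"]) == 0:
        return False, "max-age=0: any stored policy is removed"
    return True, "policy stored for %s seconds" % policy["max-age"]

if __name__ == "__main__":
    # Constructed sample: the header and host name from the question
    header = "max-age=63072000;includeSubdomains;"
    for host, ok in [("www", False), ("www", True), ("www.example.com", True)]:
        print(host, ok, hsts_applies(host, header, ok))
```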