
I'm setting up a site for myself using nginx and letsencrypt, and I wanted to set up HSTS preloading for the added security benefits. However, when I check the URL with multiple different scanners, HSTS headers are not sent.

Here's the relevant block in server config:

 server {

    root /var/www/html/pyroballpcbs;
    index index.php index.html index.htm;

    server_name pyroballpcbs.com www.pyroballpcbs.com;
    server_tokens off;

    client_max_body_size 20M;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~ /\.ht {
        deny all;
    }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    #listen [::]:443 ssl ipv6only=on default deferred; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    #Config to enable HSTS
    add_header Strict-Transort-Security: "max-age=63072000; includeSubdomains; preload" always;
    ssl_certificate /etc/letsencrypt/live/pyroballpcbs.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pyroballpcbs.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    #Disable insecure TLSv1.0
    ssl_protocols TLSv1.2 TLSv1.3;

}

server {
    if ($host = www.pyroballpcbs.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pyroballpcbs.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    #listen [::]:80;
    add_header Strict-Transort-Security "max-age=63072000; includeSubdomains" always;

    server_name 10.1.10.15 pyroballpcbs.com www.pyroballpcbs.com;
    return 301 https://$host$request_uri; # managed by Certbot
}

Here's output from an nmap script designed to check security headers:

$ nmap -p 443 --script http-security-headers pyroballpcbs.com

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-13 00:39 PDT
Nmap scan report for pyroballpcbs.com
Host is up (0.00031s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-security-headers:
|   Strict_Transport_Security:
|_    HSTS not configured in HTTPS Server

hstspreload.org is also showing the same issue, as well as ssllabs.com's scanner:

https://hstspreload.org/?domain=pyroballpcbs.com

https://www.ssllabs.com/ssltest/analyze.html?d=pyroballpcbs.com&s=73.241.63.225

and nginx service status output:

$ sudo service nginx status
● nginx.service - nginx - high performance web server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-13 00:39:48 PDT; 12min ago
     Docs: http://nginx.org/en/docs/
  Process: 19114 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 19116 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 19118 (nginx)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─19118 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─19119 nginx: worker process

Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Stopped nginx - high performance web server.
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Starting nginx - high performance web server...
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: nginx.service: PID file /var/run/nginx.pid not readable (yet?) after start: No such file or directory
Mar 13 00:39:48 mail.pyroballpcbs.com systemd[1]: Started nginx - high performance web server.
pyr0ball
  • 13
  • 5

2 Answers

3

You misspelled the header name, twice.

    add_header Strict-Transort-Security: "max-age=63072000; includeSubdomains; preload" always;

The colon is also not necessary.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
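To see why the scanners in the question report "HSTS not configured" even though an `add_header` line is present, here is a small checker, added as an example and not code from the question, the answers, nginx or any of the scanners mentioned. It parses a raw HTTPS response header block the way a preload scanner would, flags a near-miss header name such as `Strict-Transort-Security`, flags a stray colon in the configured name (assumed to reach the wire as `Name:: value`), and then applies the preload requirements (a `max-age` of at least one year, `includeSubDomains` and `preload`). The sample responses are constructed, not captured from the server in the question; for a live host, feed it the header block from `curl -sI https://<host>/` instead.

```python
"""Check the Strict-Transport-Security header of an HTTP response the way a
preload scanner would. Added example; not code from the question, the answers,
nginx or any scanner. Works on a raw header block so it runs offline.
"""
import difflib

HSTS_NAME = "strict-transport-security"
# hstspreload.org requires a max-age of at least one year (assumed current rule).
MIN_PRELOAD_MAX_AGE = 31536000


def parse_headers(raw):
    """Split a raw response (status line, then 'Name: value' lines) into pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    RFC 6797 makes directive names case-insensitive, so keys are lowercased;
    valueless directives such as 'preload' map to an empty string.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw, preload=True):
    """Return a list of problems with the response's HSTS header (empty = OK)."""
    problems = []
    headers = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    values = [v for n, v in headers if n.lower() == HSTS_NAME]

    if not values:
        # No exact match: look for a near-miss such as 'Strict-Transort-Security'.
        close = difflib.get_close_matches(HSTS_NAME, names, n=1, cutoff=0.9)
        if close:
            problems.append(f"header name '{close[0]}' is misspelled; expected '{HSTS_NAME}'")
        else:
            problems.append("no Strict-Transport-Security header in the HTTPS response")
        return problems

    value = values[0]
    if value.startswith(":"):
        # Assumed wire form of a colon left inside the add_header name: 'Name:: value'.
        problems.append("stray colon in the header name (add_header takes the name without ':')")
        value = value[1:].strip()

    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        problems.append("max-age directive missing or not an integer")
        return problems
    if preload:
        if max_age < MIN_PRELOAD_MAX_AGE:
            problems.append(f"max-age {max_age} is below the one-year preload minimum")
        if "includesubdomains" not in d:
            problems.append("includeSubDomains directive missing (required for preload)")
        if "preload" not in d:
            problems.append("preload directive missing")
    return problems


# Constructed sample responses (not captured from the server in the question).
MISSPELLED = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
              "Strict-Transort-Security:: max-age=63072000; includeSubdomains; preload\r\n\r\n")
CORRECT = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
           "Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n\r\n")
SHORT = ("HTTP/1.1 200 OK\r\n"
         "Strict-Transport-Security: max-age=300\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("misspelled", MISSPELLED), ("correct", CORRECT), ("short", SHORT)):
        print(label, check_hsts(sample) or "OK")
```

The misspelled sample is reported as a near-miss rather than as "no header", which is the distinction the nmap script and hstspreload.org do not make; the correct sample passes all three preload checks, and the short one fails them.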
0

Based on the short snippet you've shared and on my DNS lookups to your domain name pyroballpcbs.com, I think the problem is that you have configured HSTS on the IPv6 listener while you're hitting your server on IPv4:

IPv4 -->

$ dig +short pyroballpcbs.com
162.255.119.121
73.241.63.225

IPv6 -->

$ dig +short pyroballpcbs.com AAAA
$

Based on the above, your domain name only resolves to IPv4 addresses, so there's no way you're hitting your IPv6 listener by pointing traffic to pyroballpcbs.com.

Pedro Perez
  • 5,652
  • 1
  • 10
  • 11
  • I'll edit the post with the full config if that helps, but I'm not entirely sure how to fix that. Both the IPv4 and IPv6 listeners appear to be under the same section: `listen [::]:443 ssl ipv6only=on default deferred; # managed by Certbot` `listen 443 ssl; # managed by Certbot` I tried removing the option `ipv6only=on` but it didn't seem to make a difference – pyr0ball Mar 14 '19 at 03:24
  • Hey! that definitely changes things. Glad someone else spotted the issue too! :) – Pedro Perez Mar 15 '19 at 15:36