HSTS Missing from HTTPS Server

In my configuration, I am using Apache to reverse proxy the requests to a uwsgi. After our security office scanned the server, it was shown that HSTS is missing from the HTTPS server. The instructions say to add some lines to /etc/apache2/sites-enabled/. The only file in there is 000-default.conf that holds the configuration, but the VirtualHost is port 80. I am using an F5 to automatically redirect port 80 to port 443, but it is still showing this vulnerability.
My question is, how can I enable the Virtual Host for 443 on the server? Or can that configuration be located somewhere else? Or can I just create a new Virtual Host with the added configuration for mailman?
Thanks, Joe Koral

On 11/4/24 12:06, jkoral@luc.edu wrote:
> My question is, how can I enable the Virtual Host for 443 on the server? Or can that configuration be located somewhere else? Or can I just create a new Virtual Host with the added configuration for mailman?
For example, this is /etc/apache2/sites-enabled/020-mailman.conf on lists.mailman3.org
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off [NC]
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R=permanent]
    RewriteCond %{SERVER_NAME} =lists.mailman3.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerName lists.mailman3.org

    Alias /static/ /opt/mailman/mm/static/
    <Directory "/opt/mailman/mm/static/">
        Require all granted
    </Directory>

    <IfModule mod_headers.c>
        RequestHeader unset X-Forwarded-Proto
        <If "%{HTTPS} =~ /on/">
            RequestHeader set X-Forwarded-Proto "https"
        </If>
    </IfModule>

    <IfModule mod_proxy.c>
        ProxyPreserveHost On
        ProxyPass "/postorius" "http://127.0.0.1:8000/postorius"
        ProxyPass "/hyperkitty" "http://127.0.0.1:8000/hyperkitty"
        ProxyPass "/accounts" "http://127.0.0.1:8000/accounts"
        ProxyPass "/admin" "http://127.0.0.1:8000/admin"
        ProxyPass "/user-profile" "http://127.0.0.1:8000/user-profile"
        ProxyPass "/mailman3" "http://127.0.0.1:8000/mailman3"
        ProxyPass "/archives" "http://127.0.0.1:8000/archives"
        ProxyPassMatch "^/$" "http://127.0.0.1:8000/mailman3"
    </IfModule>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.list.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.list.org/privkey.pem
</VirtualHost>
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

HSTS can only be applied on the HTTPS (port 443) VirtualHost, not on port 80. Since your Apache config only has a port 80 vhost, you'll need to either locate or create a <VirtualHost *:443> block. Inside that, add:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Then enable the SSL and headers modules (a2enmod ssl headers), reload Apache, and the scan should detect HSTS correctly. If nothing exists for 443, it's safe to create a new VirtualHost for your mailman site. I found one helpful guide at: https://cheapsslweb.com/resources/how-to-fix-the-hsts-missing-from-https-ser.... Hope it helps!
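An added example, not code from this thread or from Mailman: a small Python checker that parses the Strict-Transport-Security header the way a browser does (RFC 6797) and reports the same classes of finding a scanner raises, so the fix can be verified before the next scan. The sample responses are constructed, the host name is a placeholder, and the one-year minimum max-age is an assumption about what the scanner expects.

```python
ONE_YEAR = 31536000  # assumed minimum max-age most scanners and the preload list expect

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy

def check_hsts(scheme, headers, min_max_age=ONE_YEAR):
    """Findings for one response (scheme + (name, value) pairs); [] means fine."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    if scheme != "https":
        # Browsers discard HSTS received over plain HTTP (RFC 6797 section 8.1),
        # which is why the header belongs on the port 443 VirtualHost.
        return ["ignored: HSTS sent over plain HTTP is discarded by browsers"]
    try:
        policy = parse_hsts(values[0])  # browsers honour the first header only
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    if policy["max_age"] is None:
        findings.append("invalid: max-age directive is required")
    elif policy["max_age"] == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < min_max_age:
        findings.append(f"weak: max-age {policy['max_age']} is below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("note: includeSubDomains not set")
    return findings

# Constructed sample responses: the port 80 vhost before the fix and the
# port 443 vhost after adding the Header directive quoted in the thread.
BEFORE = ("http", [("Location", "https://lists.example.org/")])
AFTER = ("https", [("Content-Type", "text/html"),
                   ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])
```

Feed it the header list from a real response (for example http.client's HTTPResponse.getheaders()) for each of the port 80 and port 443 endpoints to confirm the policy is only reported as present where browsers will actually honour it.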