HSTS Missing from HTTPS Server
In my configuration, I am using Apache to reverse proxy the requests to a uwsgi. After our security office scanned the server, it was shown that HSTS is missing from the HTTPS server. The instructions say to add some lines to /etc/apache2/sites-enabled/. The only file in there is 000-default.conf that holds the configuration, but the VirtualHost is port 80. I am using an F5 to automatically redirect port 80 to port 443, but it is still showing this vulnerability.
My question is, how can I enable the Virtual Host for 443 on the server? Or can that configuration be located somewhere else? Or can I just create a new Virtual Host with the added configuration for mailman?
Thanks, Joe Koral
On 11/4/24 12:06, jkoral@luc.edu wrote:
> My question is, how can I enable the Virtual Host for 443 on the server? Or can that configuration be located somewhere else? Or can I just create a new Virtual Host with the added configuration for mailman?
For example, this is /etc/apache2/sites-enabled/020-mailman.conf on lists.mailman3.org
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off [NC]
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R=permanent]
    RewriteCond %{SERVER_NAME} =lists.mailman3.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerName lists.mailman3.org

    Alias /static/ /opt/mailman/mm/static/
    <Directory "/opt/mailman/mm/static/">
        Require all granted
    </Directory>

    <IfModule mod_headers.c>
        RequestHeader unset X-Forwarded-Proto
        <If "%{HTTPS} =~ /on/">
            RequestHeader set X-Forwarded-Proto "https"
        </If>
    </IfModule>

    <IfModule mod_proxy.c>
        ProxyPreserveHost On
        ProxyPass "/postorius" "http://127.0.0.1:8000/postorius"
        ProxyPass "/hyperkitty" "http://127.0.0.1:8000/hyperkitty"
        ProxyPass "/accounts" "http://127.0.0.1:8000/accounts"
        ProxyPass "/admin" "http://127.0.0.1:8000/admin"
        ProxyPass "/user-profile" "http://127.0.0.1:8000/user-profile"
        ProxyPass "/mailman3" "http://127.0.0.1:8000/mailman3"
        ProxyPass "/archives" "http://127.0.0.1:8000/archives"
        ProxyPassMatch "^/$" "http://127.0.0.1:8000/mailman3"
    </IfModule>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.list.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.list.org/privkey.pem
</VirtualHost>
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
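Added example, not part of the thread and not the list server's own configuration: a small Python audit that walks the VirtualHost blocks of an Apache config and reports each TLS vhost that lacks a mod_headers `Header always set Strict-Transport-Security "max-age=..."` line or sets it weakly. The sample config, the host names and the 180-day max-age floor are constructed assumptions.

```python
import re
# Constructed sample config (not the file from the thread); names are placeholders.
SAMPLE_CONF = '''
<VirtualHost *:80>
    ServerName lists.example.org
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ServerName lists.example.org
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ServerName archive.example.org
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ServerName short.example.org
    Header set Strict-Transport-Security "max-age=300"
</VirtualHost>
'''

VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)
HSTS_RE = re.compile(r'^\s*Header\s+(?:(always|onsuccess)\s+)?(?:set|append|merge|add)\s+'
                     r'"?Strict-Transport-Security"?\s+("[^"]*"|\S+)', re.I | re.M)
MIN_MAX_AGE = 15552000  # 180 days: an assumed floor, match it to your scanner's policy

def audit_hsts(conf_text, min_max_age=MIN_MAX_AGE):
    """Return (server_name, finding) for every TLS vhost whose HSTS header is absent or weak."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        if not (':443' in addr or re.search(r'^\s*SSLEngine\s+on\b', body, re.I | re.M)):
            continue  # browsers ignore HSTS received over plain HTTP
        m = re.search(r'^\s*ServerName\s+(\S+)', body, re.I | re.M)
        name = m.group(1) if m else addr.strip()
        hsts = HSTS_RE.search(body)
        age = re.search(r'max-age\s*=\s*"?(\d+)', hsts.group(2), re.I) if hsts else None
        if not hsts:
            findings.append((name, 'missing'))
        elif not age or int(age.group(1)) < min_max_age:
            findings.append((name, 'max-age too short'))
        elif (hsts.group(1) or '').lower() != 'always':
            # Without "always", mod_headers skips locally generated error responses.
            findings.append((name, "set without 'always'"))
    return findings

if __name__ == '__main__':
    for name, finding in audit_hsts(SAMPLE_CONF):
        print(f'{name}: HSTS {finding}')
```

The patterns are anchored at the start of a line, so a commented-out `# Header ...` directive is still reported as missing.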