1

Topic: Enabling HSTS on nginx

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.42
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: RHEL 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  Mariadb
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? not yet but will
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, I'm trying all the functionality of iRedMail before buying the PRO version and putting it into production.

I have a valid Let's Encrypt cert and have enabled TLS 1.3 in nginx.

Testing the server with https://www.ssllabs.com I score "A" because it is missing HSTS.
Testing the server with https://securityheaders.com I score "B" because it is missing HSTS.


First question: will enabling HSTS on iRedMail cause any known problem? Maybe HTTPS (SOGo) will be OK, but the setting will be applied to other protocols and software (Postfix/Dovecot), causing problems with email or client connections?


As I said, this is still a test server, so I've tried to enable HSTS to see the results with my own eyes.

In the file /etc/nginx/sites-available/00-default-ssl.conf I've added

include /etc/nginx/templates/hsts.tmpl;

In the file under /etc/nginx/templates I've just added includeSubDomains, so this is the content of the file:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Then I restart the server. Everything seems OK, but if I test my webserver again:

On https://www.ssllabs.com I score "A+" with HSTS and everything seems to be perfect.
On https://securityheaders.com I score "D" (much worse), because HSTS looks OK but now I'm missing:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy

(In the previous test without HSTS all these headers were OK.)
It looks like enabling HSTS on nginx disabled some other headers that were enabled by default.

Second question: why does this happen? Am I doing something wrong? Any suggestions are welcome.

Thanks


2

Re: Enabling HSTS on nginx

You need to set the other headers manually as well.

3

Re: Enabling HSTS on nginx

So, for future readers, here is what I've done:

In /etc/nginx/sites-available/00-default-ssl.conf I've added

include /etc/nginx/templates/headermaxsecurity.tmpl;

Then I created the file /etc/nginx/templates/headermaxsecurity.tmpl with the following content:

add_header X-Frame-Options "deny" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;

systemctl restart nginx


Now I have A+ in both tests.

I'm not a header expert, so any tips or suggestions are welcome.


4

Re: Enabling HSTS on nginx

Stardust wrote:

It looks like enabling HSTS on nginx disabled some other headers that were enabled by default.

Wrong.
The other headers are defined in /etc/nginx/conf-enabled/headers.conf. We have a sample file here, and it's in your /etc/nginx/conf-available/headers.conf:
https://github.com/iredmail/iRedMail/bl … aders.conf

You should check why this file was not loaded in your host config file.

5

Re: Enabling HSTS on nginx

Hello Zhang,

sorry, I didn't notice that a headers.conf already exists on the server; this is why some headers were already set even in my first security scan, when I scored "B".

I just tried some debugging to understand: when I enable hsts.tmpl (adding include /etc/nginx/templates/hsts.tmpl; to the file /etc/nginx/sites-available/00-default-ssl.conf), the file headers.conf is not considered anymore. I tried making some edits (adding/removing headers) and restarting nginx: nothing changes, whatever I write.

If I remove the include of /etc/nginx/templates/hsts.tmpl, then headers.conf works again. It looks like I can't put add_header instructions in two different files.

To be clear: this is not a problem, I can just move all the headers into a single file...

However:
if I put all the headers (HSTS included) in the default single file /etc/nginx/conf-available/headers.conf, something does not work: I see an empty SOGo login page.

So I went back to the solution I proposed in my post #3; this way everything works and I score A+ in the tests.

To summarize:

Added in /etc/nginx/sites-available/00-default-ssl.conf:

    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/headermaxsecurity.tmpl;

Then in /etc/nginx/templates/headermaxsecurity.tmpl:

add_header X-Frame-Options "deny" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options noopen;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;

And in /etc/nginx/templates/hsts.tmpl:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

This way everything works and I have A+ in every test.

Once again, any tips or suggestions are welcome.
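Background for the behaviour described in this post, as an added example that is not a config file from the thread or from iRedMail: nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own. As soon as a `server {}` (or `location {}`) block contains a single `add_header`, every `add_header` set at the `http {}` level is dropped for responses served by that block. A lone HSTS `add_header` included into the server block therefore silences everything that `headers.conf` set at the http level, which is exactly what the two scans above observed. The hostname, the `/SOGo/` location and the upstream port below are assumptions for illustration, not taken from the thread. The two fragments are shown side by side and are not meant to be one file.

```nginx
# --- Problem: headers split across two configuration levels ---
http {
    # Loaded from conf-enabled/headers.conf at the http level.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    server {
        listen 443 ssl;
        server_name mail.example.com;   # hostname assumed for the example

        # One server-level add_header is enough to stop the three http-level
        # headers above from being sent by this server block.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    }
}

# --- Fix: define the complete header set at the level where HSTS lives ---
http {
    server {
        listen 443 ssl;
        server_name mail.example.com;   # hostname assumed for the example

        # Every header the site needs, all at one level. 'always' emits the
        # header on 4xx/5xx responses too; without it nginx only adds the
        # header to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # A location that needs one extra header must repeat the whole set,
        # because its own add_header discards the server-level ones as well.
        location /SOGo/ {
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-Frame-Options "DENY" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Cache-Control "no-store" always;   # illustrative extra header
            proxy_pass http://127.0.0.1:20000;            # SOGo upstream assumed for the example
        }
    }
}
```

To see which level actually wins, dump the merged configuration with `nginx -T` and look at the response with `curl -sI https://mail.example.com/` (hostname assumed); a header present in `nginx -T` but absent from the response almost always means a nearer level defines its own `add_header`. Two caveats for the first question in the thread: Strict-Transport-Security is an HTTP response header that only HTTP clients such as browsers act on, so Postfix and Dovecot never see it; but `includeSubDomains` makes a browser that has visited this host refuse plain HTTP to every subdomain of it until `max-age` expires, so check that no subdomain still depends on HTTP first.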

6

Re: Enabling HSTS on nginx

It doesn't make any sense to me; there's no reason it would work with all "add_header ..." lines in one file but not in two files.

Please check:

- Make sure the file /etc/nginx/conf-available/headers.conf is linked to /etc/nginx/conf-enabled/headers.conf; this way it will be loaded by Nginx globally.
- Make sure /etc/nginx/nginx.conf has a config line to load all "*.conf" files under /etc/nginx/conf-enabled/. For example (snippet below, not the full config file):

http {
    include /etc/nginx/conf-enabled/*.conf;
    ...
}

7

Re: Enabling HSTS on nginx

I'm using iRedMail Easy, so in /opt/iredmail/custom/nginx/sites-conf.d/default-ssl/

I created the file headers.conf with the following contents:

add_header X-Frame-Options "deny" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options noopen;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Then sudo /etc/init.d/nginx reload

And I get A+ on both measurement sites.

Thanks all!

Ted

8

Re: Enabling HSTS on nginx

bjmoose wrote:

I'm using iRedMail Easy, so in /opt/iredmail/custom/nginx/sites-conf.d/default-ssl/

I created the file headers.conf with the following contents:

Your /etc/nginx/nginx.conf should already load the files under /etc/nginx/conf-enabled/, which includes headers.conf. Does it?