HTTP Strict Transport Security (HSTS) is a web security policy mechanism: the web server sets a time window during which the client's browser may only reach the site over HTTPS (plain HTTP is forced to HTTPS), reducing the risk of the connection being hijacked.

HSTS is a fairly mature security hardening by now, and all it needs is an SSL certificate. I have been using VestaCP for the past few years, so here is a record of how I enable HSTS on it, for easy reference.
### NGiNX setup

```bash
# Back up the default vhost config, then add the HSTS header after every server_name line
rm -f /etc/nginx/conf.d/default.conf.bak
cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /etc/nginx/conf.d/default.conf
# Same header in every VestaCP per-domain SSL vhost; "always" also sets it on error responses
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /home/admin/conf/web/*.nginx.ssl.conf
# Enable HTTP/2 on the 443 listeners while we are at it
sed -i 's/443 ssl/443 http2 ssl/g' /home/admin/conf/web/*.nginx.ssl.conf
```
### Apache setup

This step is optional:

```bash
# Back up httpd.conf, then append the HSTS block (the <<- form strips leading tabs from the here-doc)
rm -f /etc/httpd/conf/httpd.conf.bak
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
cat >> /etc/httpd/conf/httpd.conf <<- EOF
########## Setting up HSTS ###########
# Enable Headers and rewrite modules
LoadModule headers_module /usr/lib64/httpd/modules/mod_headers.so
LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so
# Setting up: https://is.gd/BqzkAj
# ref. https://hstspreload.org
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
########## Setting up HSTS ###########
EOF
```

The `preload` directive only has an effect once the domain is submitted to hstspreload.org, which also requires `includeSubDomains` and a `max-age` of at least one year (31536000 seconds).
### Final test

```bash
apachectl configtest && nginx -t
```

As long as the following three lines show up, you are done:

```
Syntax OK
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
### Restart

```bash
systemctl restart httpd && systemctl restart nginx
```
Then run the check at Qualys SSL Labs; mine already scores an A+.
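An added example, not from the original post, that checks the header the two configs above are supposed to produce: it parses a Strict-Transport-Security value according to RFC 6797, pulls the header out of a raw response head such as `curl -sI https://your-host/` prints, and reports the cases this setup can run into, going a little beyond the page by also flagging the duplicate header you get when nginx's `add_header` and the proxied Apache's `Header` both fire (browsers then honour only the first one). The sample response head is constructed.

```python
# Checker for Strict-Transport-Security headers (RFC 6797 syntax, hstspreload.org thresholds).
ONE_YEAR = 31536000  # seconds; the max-age both configs above set

def parse_hsts(value):
    """Parse one STS field value: ';'-separated directives, case-insensitive names."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not arg.isdigit():
                raise ValueError("max-age must appear once with a numeric value")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def sts_values(raw_head):
    """Collect every STS value from a raw response head (what `curl -sI https://host/` prints)."""
    values = []
    for line in raw_head.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(val.strip())
    return values

def hsts_findings(values, min_age=ONE_YEAR):
    """Return the problems with the HSTS policy a response carries (empty list = OK)."""
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:  # e.g. nginx add_header on top of the header the proxied Apache already set
        findings.append("multiple STS headers; browsers honour only the first (RFC 6797 s8.1)")
    p = parse_hsts(values[0])  # only the first header counts, so that is the one we judge
    if p["max_age"] < min_age:  # max-age=0 is the extreme case: it makes browsers forget the policy
        findings.append(f"max-age {p['max_age']} is below {min_age}")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if p["preload"] and (p["max_age"] < ONE_YEAR or not p["include_subdomains"]):
        findings.append("preload set, but hstspreload.org requires max-age>=31536000 and includeSubDomains")
    return findings
# Constructed sample head: nginx in front of Apache, each adding its own STS header.
SAMPLE_HEAD = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""
```

Run `hsts_findings(sts_values(SAMPLE_HEAD))` on the constructed head, or on real `curl -sI` output, and an empty list means the policy matches what the configs intend.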