Server-wide mta-sts.txt

Discussion in 'Tips/Tricks/Mods' started by remkoh, Nov 18, 2024 at 12:47 AM.

  1. remkoh

    remkoh Active Member HowtoForge Supporter

    Just for the fun of it I've created a script like I did before for /.well-known/security.txt which dynamically creates /.well-known/mta-sts.txt

    Features:
    • Fields "mode" and "max_age" according to RFC8461 can be configured
      • If values are invalid then redirect to http://<(sub.)domain.tld>/
    • Check if visited URL is HTTPS, if not then redirect to HTTPS
    • Check if visited URL starts with "mta-sts.", if not then redirect to http://<(sub.)domain.tld>/
    • Check if (sub)domain "<(sub.)domain.tld>" has "_mta-sts.<(sub.)domain.tld>" TXT record in DNS, if not then redirect to http://<(sub.)domain.tld>/
    • Check if (sub)domain "<(sub.)domain.tld>" has MX record(s) in DNS, if none then redirect to http://<(sub.)domain.tld>/
      • Generate mta-sts.txt in which MX is sorted by weight, if weight is equal then by alphabet
    Your customers will still be able to overrule the file with one of their own in their documentroot.
    It can be installed into both Apache and Nginx.

    Here you find my files and how to install them onto your webserver:
    https://github.com/remkohat/dynamic_mta-sts.txt

    The last part of the installation "Server-wide", both Apache and Nginx, will now be explained for ISPConfig:

    Apache:

    Copy vhost.conf.master to create your own custom vhost template for your websites.
    Code:
    cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/
    !Skip this step if you already have your own custom vhost template!

    Find these lines in /usr/local/ispconfig/server/conf-custom/vhost.conf.master:
    Code:
    <tmpl_if name="rewrite_enabled">
                   RewriteEngine on
    
    Insert this next line:
    Code:
                   RewriteOptions Inherit
    
    !Skip this step if you already have it in your custom vhost template!

    Nginx:

    Copy nginx_vhost.conf.master to create your own custom vhost template for your websites.
    Code:
    cp /usr/local/ispconfig/server/conf/nginx_vhost.conf.master /usr/local/ispconfig/server/conf-custom/
    !Skip this step if you already have your own custom vhost template!

    Find these lines in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master:
    Code:
           root   <tmpl_var name='web_document_root_www'>;
                   disable_symlinks if_not_owner from=$document_root;
    
    Insert this next line:
    Code:
           include /etc/nginx/snippets/mta-sts.conf;
    

    ISPConfig:


    Create an alias or subdomain mta-sts.(sub.)domain.tld for your (sub.)domain.tld website.
    Of course you can also create a website instead of an alias or subdomain.

    And add a corresponding TXT record in your DNS:
    Code:
    Name:                           Type:  TTL:     Value:
    _mta-sts.<(sub.)domain.tld>.    TXT    <TTL>    v=STSv1; id=<id>
    
     
    till and ahrasis like this.
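
The checks and the sorted MX output from the feature list above, sketched as an added Python example; it is not part of the original post and not remkoh's script. It assumes the caller has already done the DNS lookups and passes the answers in; all function and variable names are hypothetical, the TXT check is simplified, and example.com is a placeholder.

```python
import re

VALID_MODES = {"enforce", "testing", "none"}  # modes defined by RFC 8461
MAX_AGE_LIMIT = 31557600                      # RFC 8461 maximum, in seconds
# Simplified check of the _mta-sts TXT value: version, then an id of 1-32 alphanumerics.
TXT_RE = re.compile(r"^v=STSv1;\s*id=[A-Za-z0-9]{1,32}\s*;?\s*$")


def policy_domain(host):
    """Return the mail domain behind an 'mta-sts.' policy host, else None."""
    host = host.lower().rstrip(".")
    prefix = "mta-sts."
    if not host.startswith(prefix) or len(host) == len(prefix):
        return None
    return host[len(prefix):]


def build_policy(host, mode, max_age, txt_records, mx_records):
    """Return the policy text, or None where the caller should redirect instead.

    txt_records: TXT strings found at _mta-sts.<domain> (assumed pre-fetched)
    mx_records:  (preference, hostname) tuples for <domain> (assumed pre-fetched)
    """
    if policy_domain(host) is None or mode not in VALID_MODES:
        return None
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        return None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        return None
    if not any(TXT_RE.match(t.strip()) for t in txt_records):
        return None
    # Sort by preference, then alphabetically; drop trailing dots, null MX and duplicates.
    ordered = sorted((pref, name.lower().rstrip(".")) for pref, name in mx_records)
    hosts = list(dict.fromkeys(name for _, name in ordered if name))
    if not hosts:
        return None
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {h}" for h in hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


# Constructed sample input: two MX hosts share preference 10, one has 20.
SAMPLE = build_policy(
    "mta-sts.example.com", "enforce", 604800,
    ["v=STSv1; id=20241118"],
    [(20, "mx2.example.com."), (10, "mxb.example.com."), (10, "mxa.example.com.")],
)
```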
