I have been trying to harden my domain even better. I started setting it up in the vhost (/etc/Apache2/sites-enabled/site_in_question) with: Header always set Strict-Transport-Security "max-age=10886400; includeSubdomains; preload" set in the <VirtualHost:443> block. It worked fine, but then I had to make a new subdomain, and discovered that the added Header had vanished. So I decided to put it directly in ISPConfig's Apache directive for the domain. Bad decision, it seems. Now I'm completely unable to get in touch with any of my domains on the server, including ISPConfig. How can I revert to a point where I can get in touch with my ISPConfig again? Is it possible somehow to get into the database and delete that Header directive? And how?
No, that works fine. I have done that, and set it via apache config snippets. Check error logs, e.g. is apache failing to start? To temporarily undo your change, you can just edit the vhost file and delete the custom directive line(s). Once apache is running again, you can edit the vhost in ISPConfig to remove or change those.
Yes, apache failed to reload. Thank you! Now I learned something new (again). If I make a code snippet, or just include code in the directive box, the code appears in both the http and the https section. But for redirecting from http to https, it doesn't make sense (according to https://hstspreload.org/?domain=mydomain.tld) to put it in the http section, only in the https section. But it seems that this is not an option with snippets or directive inputs in ispc. Is there a way to put code in just the https section of the vhost?
You can create a custom vhost config for ISPConfig and resync the sites, or put this line in the directive:
Code:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
You should start with a shorter age, like 60 (seconds), test if it works, and then make it longer.
Thanks for your suggestion. I found out about that in another thread, but in relation to disabling TLSv1.0 and TLSv1.1, which seems to be outdated now. I found out to copy the template /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master and do the changes there. Pretty awesome. But for the time being, I just set up the HSTS header as a code snippet, which I can then choose to implement on a per-domain basis by adding it to the directives of the domain. The more I work with ISPC, the more I love it. By the way, I found this page from the Netherlands for help in hardening one's domains, and it is a pretty nice tool: https://internet.nl
I'm familiar with it. If you need any extra help with the hardening, I'm glad to help. I have several Hall of Fame notations on internet.nl.
Good to hear. Well, I know you are all very gifted in here. In comparison I'm a novice, but eager to learn. I have been able to get 81%; my only 2 remaining problems are IPv6 not present, which I am trying to figure out with my ISP, and my DANE validity seems not to pass. Other than that I'm happy.
If DANE doesn't pass, your website could be inaccessible for some users. I would suggest not using it unless you completely know what you are doing. If you want to use it and have a Let's Encrypt certificate, this DNS record is valid for all certificates signed with the LE X3 Root cert:
Code:
le-ca TLSA 2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Just found out that my ISP doesn't provide IPv6. And now my DANE is non-existent, and thus not validated. I can't seem to make your suggestion work, but neither is my own:
Record: TLSA
Host: _443._tcp.bnjpro.dk
Data: fda82506a205df8f1e027c2974992d748766b16bc61f0c475d8d36d620fae7eb
Usage: 3
Selector: 1
Matching: 1
TTL: 30
Code:
# Only emit HSTS on TLS connections (Apache 2.4 <If> expression syntax)
<If "%{HTTPS} == 'on'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        # header name is given without a trailing colon in mod_headers directives
        Header always set Content-Security-Policy "upgrade-insecure-requests"
    </IfModule>
</If>
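A checker for the header value that the env=HTTPS and <If "%{HTTPS} == 'on'"> snippets above emit, added here as an example and not code from the thread or from ISPConfig. It parses Strict-Transport-Security per RFC 6797, flags an HSTS header sent over plain http (which browsers must ignore), and reports what hstspreload.org would reject; the one-year minimum, the redirect rule and all sample responses are constructed assumptions in the test, not taken from the posts.

```python
import re

ONE_YEAR = 31536000  # assumed hstspreload.org minimum max-age (one year)

def parse_hsts(value):
    """Parse an STS header value into {directive: value} per RFC 6797 s6.1.
    Names are case-insensitive; max-age may be bare or quoted; no duplicates."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives

def check_hsts(scheme, status, headers):
    """Return a list of findings for one response; empty means preload-ready.
    headers: {name: value}, looked up case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    findings = []
    if scheme == "http":
        # Browsers ignore STS received over plain HTTP (RFC 6797 s8.1);
        # the preload list wants the http site to redirect straight to https.
        if sts is not None:
            findings.append("HSTS sent over http: ignored by browsers, drop it")
        if status not in (301, 302, 307, 308) or not lower.get("location", "").startswith("https://"):
            findings.append("http does not redirect to https")
        return findings
    if sts is None:
        return ["no Strict-Transport-Security header on https"]
    try:
        d = parse_hsts(sts)
    except ValueError as e:
        return [f"malformed header: {e}"]
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        return ["max-age missing or not a number"]
    max_age = int(d["max-age"])
    if max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} < {ONE_YEAR}: ok for testing, too short for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings
```

Run it against the headers of both the http and the https vhost of a site; a short max-age such as the 60 seconds suggested above shows up as a finding rather than a failure, so the staged rollout still passes the syntax check.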
It's hard to keep this updated every 60 days manually... I would just leave this out, for sure for web.