How to ensure HTTP Strict Transport Security is implemented
Prior to firmware version 7.2.41 the LoadMaster injected the Strict Transport Security header into ever LM generated message being forwarded to a client. (i.e Not Available Redirection Handling or ESP related responses)
In order to provide the ability to customize this behavior the Strict Transport Security Header option was added under SSL Properties.
The options provided are as follows:
Don't add the Strict Transport Security Header: Selecting this option will ensure that that LoadMaster will not inject the Strict Transport Security Header into LM generated messages (i.e Not Available Redirection Handling or ESP related responses).
Add the Strict Transport Security Header - no subdomains: Selecting this option will ensure that that LoadMaster will inject the Strict Transport Security Header into LM generated messages (i.e Not Available Redirection Handling or ESP related responses). The header will by default contain the max-age=604800 value. However the value of the Strict Transport Security Header will not include the includeSubDomains string.
Add the Strict Transport Security Header - include subdomains: Selecting this option will ensure that that LoadMaster will inject the Strict Transport Security Header into LM generated messages (i.e Not Available Redirection Handling or ESP related responses). The header will by default contain the max-age=604800 value. In addition to the max-age=604800 the includeSubDomains string will also be added to the Strict Transport Security Header.
The LoadMaster can also set HTTP Strict Transport Security (HSTS) by injecting the necessary header into every server response as shown below:
Some items to note before proceeding are listed below:
- For SSL-based services, SSL Acceleration must be enabled to perform the header injection
- Ensure that the entire site is available via HTTPS as returning clients will no longer request insecure HTTP connections
- Ensure all sub-domains are available via HTTPS before setting the includeSubDomains flag
- A valid SSL certificate is required. A self-signed certificate cannot be used.
The instructions below assume that an SSL Virtual Service, with SSL Acceleration enabled, is already configured and working. For documentation regarding the creation of the service see: SSL Accelerated Services.
First, configure the content rule:
- In the main menu of the LoadMaster Web User Interface (WUI), select Rules & Checking > Content Rules.
- Click the Create New button.
- Specify a Rule Name.
- Change Rule Type to Add Header.
- In Header Field to be Added, enter Strict-Transport-Security.
- In Value of Header Field to be Added, enter max-age=<time>.
<time> is a value in seconds up to a maximum of 31536000. Refer to the notes below for additional options in this field.
- Click the Create Rule button.
Now, apply this rule to the Virtual Service by following the steps below in the WUI:
- Go to Virtual Services > View/Modify Services.
- Click Modify on the Virtual Service in which you would like to add HSTS header to.
- Expand the Advanced Properties section.
- Click Show Header Rules.
- Under Response Rules, select the rule created above from the drop-down list.
- Click the Add button.
There are several options for the value of the Strict-Transport-Security header. The only mandatory value is max-age. The possible header values are:
- max-age=: This value tells the browser how long (in seconds) to remember the site's HSTS policy. Take caution when entering large values for max-age because infrequent visitors to your site may experience issues if you relax your SSL policies in the future.
- includeSubDomains: This will include all sub-domains in the HSTS policy as well. Before enabling includeSubDomains, also consider the impact of any existing DNS Canonical Name (CNAME) records for Content Delivery Networks (CDNs), email services, or other third party services. Since includeSubDomains will force such CNAME subdomains to https://.
- preload: This gives the sites permission to be pre-loaded from the pre-load list. To be included on the pre-load list you must submit your site here: hstspreload.appspot.com.
You are correct. If ESP is enabled, the user must first be authenticated before any traffic is processed by the virtual service (this includes content rules).
Please let me know to which virtual service i should apply creating of HSTS header rule?
I have 2 virt services: on my LB:
1. redirect HTTP requests to HTTPS
I've recently been doing some testing with HSTS headers and i think i have just spotted a slight gap in the method described above. I believe that if you have ESP configured for a virtual service this is not applied until after the pre auth is performed.