Little Note for HSTS Header

This post is not feedback, just a note on what might be error-prone for newbies.

When enabling HSTS in Hestia, or enhancing SSL connections, Hestia handles the global configuration separately from the site-specific configuration and behaves accordingly.

Therefore, you can specify general settings such as the ciphers to use in the global configuration, but DO NOT include the HSTS header in /etc/nginx/nginx.conf. This will result in the client receiving two HSTS headers when accessing a specific site, one from the Nginx global settings and one from the site’s own configuration. If you need to customize the HSTS header for a specific site, you should set it explicitly by creating a $HOMEDIR/$user/conf/web/$domain/nginx.hsts_custom.conf file.

Also, when creating custom files to set headers, the “Enable HSTS” option in the Hestia panel should be unchecked so that Hestia reads the custom configuration correctly.

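A small check for the duplicate-header situation the note describes, added here as an example and not taken from Hestia; it assumes the response headers are fed in from `curl -sI` and uses constructed sample responses:

```shell
#!/bin/sh
# Added check, not Hestia's own code: inspect the headers a site really
# sends (e.g. `curl -sI https://example.com | check_hsts`) and flag the
# duplicate-header condition described above. RFC 6797 has user agents
# process only the first HSTS header, so a second one is silently
# ignored and the policy actually applied may not be the intended one.

# count_hsts: reads raw response headers on stdin, prints how many
# Strict-Transport-Security headers are present (case-insensitive).
count_hsts() {
    # grep -c prints 0 but exits 1 on no match; keep the 0, drop the status
    grep -ci '^strict-transport-security:' || true
}

# hsts_max_age: prints the max-age of the FIRST HSTS header (the one a
# browser honours), or 0 if the header or the directive is missing.
hsts_max_age() {
    v=$(grep -i '^strict-transport-security:' | head -n 1 |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${v:-0}"
}

# check_hsts: exit 0 only when exactly one HSTS header is present and its
# max-age is at least one year (31536000 s); otherwise say why, exit 1.
check_hsts() {
    hdrs=$(cat)
    n=$(printf '%s\n' "$hdrs" | count_hsts)
    age=$(printf '%s\n' "$hdrs" | hsts_max_age)
    if [ "$n" -eq 0 ]; then echo "FAIL: no HSTS header"; return 1; fi
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $n HSTS headers (global nginx.conf plus per-site file?)"
        return 1
    fi
    if [ "$age" -lt 31536000 ]; then echo "FAIL: max-age=$age < 1 year"; return 1; fi
    echo "OK: single HSTS header, max-age=$age"
}

# Constructed sample responses (not captured from any real host).
SAMPLE_DUPLICATE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'
SAMPLE_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html'

for s in "$SAMPLE_DUPLICATE" "$SAMPLE_GOOD"; do
    printf '%s\n' "$s" | check_hsts || true
done
```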

Maybe we should have a text area in the user interface next to the HSTS option to edit that file.

Saving custom config via panel is a bad idea… It is an easy method to break nginx config for any users…

Users can create a $HOMEDIR/$user/conf/web/$domain/nginx.hsts_custom.conf

It is not affected by rebuild and so on… The only thing I am not sure about is restoring / backup.


We should at least show a warning so that the user knows that further configuration is required.

I agree that it is risky.

How about we make a backup of the nginx config?

Test the old config with nginx -t (so we know it works), and if it passes then we can apply the new config and test again.

If both configs work, then we can apply changes. Otherwise, we restore last state.

Does it make sense?

I am not sure whether nginx.hsts_custom.conf can apply other options, like ssl_protocols or ssl_ciphers.
I am using the Mozilla SSL Configuration Generator to build an enhanced SSL config, which should take effect globally; that’s why I edit nginx.conf via the panel.

If these options in the custom conf can also take effect, it would be good to guide users to build a custom conf by themselves.

No, but these can be added to /etc/nginx/nginx.conf.
