Debian 11 + Hestia v1.4.17. This is a fresh install of the web server, and I didn't immediately check whether mail was working to begin with. After the fresh installation I changed the nginx and apache2 configurations only by adding security headers; the site itself works fine, but when I log in to any mail account I see that the account is blocked!.. What could it be? I tried returning the headers to their default state, and it didn't help (
nginx conf
# SSL PCI compliance
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_buffer_size 1400;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling_verify on;
resolver 192.168.1.1 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT "max-age=7776000, enforce";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "upgrade-insecure-requests";
In apache2 I added Include conf-enabled/security.conf; in the security config itself:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Note: the header name must not carry a trailing colon; `Header always set X-Frame-Options: "DENY"`
# makes Apache emit `X-Frame-Options:: DENY`, which browsers ignore.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
curl -I my_domain
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Oct 2021 05:58:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: my_domain
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=7776000, enforce
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: upgrade-insecure-requests
In general, can this problem be caused by a change in the security headers? Thanks in advance for your reply!
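A small header audit, added here as an example; it is not part of the question above and not a Hestia tool. It parses a response head in the form `curl -I` prints and reports the security headers that are missing, duplicated, deprecated or malformed. Both sample responses are constructed: the first mirrors the `curl -I` output in the question, the second imagines what a client sees when the nginx front end and the Apache backend both set the headers and the Apache `Header` directives had a colon in the header name. Header names, the deprecation notes and the 31536000-second preload minimum are taken from the HSTS preload requirements and current browser behaviour, not from the page.

```python
"""Audit the security headers in a raw HTTP response head (what `curl -I` prints).
Added example; the sample responses below are constructed, not captured."""
from __future__ import annotations

# Headers the nginx/Apache snippets in the question are meant to add.
EXPECTED = {
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
}

# Headers current browsers no longer act on: harmless, but not worth debugging.
DEPRECATED = {
    "x-xss-protection": "ignored by current browsers; rely on Content-Security-Policy",
    "expect-ct": "deprecated; Certificate Transparency is enforced without it",
}

HSTS_PRELOAD_MIN_AGE = 31536000  # one year, required by the HSTS preload list


def parse_head(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a response head into (status line, [(name, value), ...]).
    Names are lower-cased; order and duplicates are kept, because a proxy
    (nginx in front of Apache) can emit the same header twice."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    status = lines[0].strip()
    headers: list[tuple[str, str]] = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def hsts_max_age(value: str) -> int | None:
    """Return the max-age directive of a Strict-Transport-Security value, if any."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit(raw: str) -> dict[str, list[str]]:
    """Report missing, duplicated, deprecated and malformed security headers."""
    _, headers = parse_head(raw)
    seen: dict[str, list[str]] = {}
    for name, value in headers:
        seen.setdefault(name, []).append(value)

    report: dict[str, list[str]] = {"missing": [], "duplicate": [], "deprecated": [], "malformed": []}
    report["missing"] = sorted(EXPECTED - set(seen))
    for name, values in seen.items():
        if name in DEPRECATED:
            report["deprecated"].append(f"{name}: {DEPRECATED[name]}")
        if len(values) > 1 and (name in EXPECTED or name in DEPRECATED):
            report["duplicate"].append(name)
        for value in values:
            # "X-Frame-Options:: DENY" is what Apache emits for
            # `Header always set X-Frame-Options: "DENY"` (colon left in the name).
            if value.startswith(":"):
                report["malformed"].append(f"{name}: stray colon in the header name ({value!r})")
            elif name == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
                report["malformed"].append(f"{name}: unknown value {value!r}")
            elif name == "strict-transport-security":
                age = hsts_max_age(value)
                if age is None:
                    report["malformed"].append(f"{name}: no max-age in {value!r}")
                elif "preload" in value.lower() and age < HSTS_PRELOAD_MIN_AGE:
                    report["malformed"].append(f"{name}: preload needs max-age >= {HSTS_PRELOAD_MIN_AGE}")
    return {key: sorted(vals) for key, vals in report.items()}


# Constructed sample 1: the header set shown by `curl -I` in the question.
NGINX_HEAD = """HTTP/1.1 301 Moved Permanently
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=7776000, enforce
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: upgrade-insecure-requests
"""

# Constructed sample 2: nginx and the proxied Apache backend both set headers,
# and the Apache directives carried a colon in the header name.
PROXIED_HEAD = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options:: DENY
X-Content-Type-Options:: nosniff
"""

if __name__ == "__main__":
    for label, head in (("nginx only", NGINX_HEAD), ("nginx + apache", PROXIED_HEAD)):
        print(f"== {label} ==")
        for key, findings in audit(head).items():
            for finding in findings:
                print(f"  {key}: {finding}")
```

Feed it the head of the webmail host as well as the site, since the two can be served by different server blocks; the audit only tells you what the browser receives and says nothing about why a login is reported as blocked.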