How to implement HTTP Strict Transport Security (HSTS) on AWS Elastic Load Balancer?


Question


I would like to implement HSTS to my application.

I have an ELB terminating SSL and forwarding the traffic to my application, which is an apache server used as reverse proxy.

I know that in order to implement HSTS, I would need to add the header Strict-Transport-Security to my request.

Unfortunately, it seems that I cannot implement it on my Apache server as it would have to be added to the HTTPS Virtual Host and my Apache only has the http virtual host configured, since the SSL is terminated on the ELB.

That means that the ELB would have to add the header Strict-Transport-Security to the request when it passes it forward.

How do I do that? Can I add some sort of security policy that would do that for me?

Solution

I asked the AWS Support and the answer was that at the moment ELB cannot add HSTS headers on the requests from the clients. So, I decided to find a workaround using my Apache server. Here is the solution I found:

The HSTS RFC states that

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

What I did then was to set the header AFTER the http=>https redirection in Apache. Since this redirection has the flag [L], that means that the 301 redirection will not include the header, but any https request will. My apache config looks like this:

<VirtualHost *:80>
    ...
    # mod_rewrite and mod_headers must be loaded for the directives below
    RewriteEngine On

    # http => https: the ELB sets X-Forwarded-Proto to the scheme the client used
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

    # hsts: "Header set" without "always" only touches 2xx responses,
    # so the 301 redirect above never carries the STS header
    Header set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
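To confirm that a deployed backend really behaves the way the answer describes (no STS header on the plain-http redirect, a one-year STS header on https), here is an added checker; it is not part of the original answer. `probe` assumes the Apache backend is reachable directly on port 80 and honours X-Forwarded-Proto as in the config above; the host name and port are placeholders.

```python
import re
from http.client import HTTPConnection

MIN_MAX_AGE = 31536000  # one year, the value used in the answer's config
HSTS_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None when max-age is missing."""
    m = HSTS_RE.search(value)
    if not m:
        return None
    tokens = [t.strip().lower() for t in value.split(";")]
    return {"max_age": int(m.group(1)),
            "include_subdomains": "includesubdomains" in tokens,
            "preload": "preload" in tokens}

def audit_response(forwarded_proto, status, headers):
    """Check one response against the behaviour the config above should produce.
    forwarded_proto: 'http' or 'https', as the ELB sets X-Forwarded-Proto.
    headers: dict of response headers (looked up case-insensitively).
    Returns a list of findings; empty means the response is as expected."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if forwarded_proto == "http":
        # RFC 6797: no STS header over non-secure transport; expect a permanent redirect
        if "strict-transport-security" in h:
            findings.append("STS header sent over plain http")
        if status not in (301, 308):
            findings.append(f"expected permanent redirect, got {status}")
        elif not h.get("location", "").lower().startswith("https://"):
            findings.append("redirect Location is not https")
    else:
        hsts = parse_hsts(h.get("strict-transport-security", ""))
        if hsts is None:
            findings.append("no valid STS header on https response")
        elif hsts["max_age"] < MIN_MAX_AGE:
            findings.append(f"max-age {hsts['max_age']} below {MIN_MAX_AGE}")
    return findings

def probe(backend_host, forwarded_proto, path="/", port=80):
    """Send one request straight to the backend with X-Forwarded-Proto set as the ELB
    would, and audit the reply (assumes the backend answers on `port`; hypothetical host)."""
    conn = HTTPConnection(backend_host, port, timeout=5)
    conn.request("GET", path, headers={"Host": backend_host,
                                       "X-Forwarded-Proto": forwarded_proto})
    resp = conn.getresponse()
    findings = audit_response(forwarded_proto, resp.status, dict(resp.getheaders()))
    conn.close()
    return findings
```

Run `probe("backend.internal.example", "http")` and `probe("backend.internal.example", "https")` against your own backend; both should return an empty list.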
