Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles
Question
How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?
Recommended answer
The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:
- Redirect all HTTP requests to HTTPS
- Add the Strict-Transport-Security header to all HTTPS requests
The appropriate web.config would look like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict-Transport-Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and an easy local development setup (no HTTPS on localhost):
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://www.yourdomain.com/{R:1}"
              redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="HSTS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>
Of course, replace yourdomain with your actual domain.
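An added check for the policy the rules above are meant to produce (example code, not part of the original answer): it parses the Strict-Transport-Security value and flags the usual deployment slips, using a small constructed Response type in place of real HTTP responses.

```python
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds: the max-age used above and the preload-list minimum

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive, so compare them lower-cased.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive and values may be quoted (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts(http_resp, https_resp, preload=True):
    """Return the list of deviations from the intended policy (empty means OK)."""
    problems = []
    # 1. Plain HTTP must answer with a permanent redirect to an https:// URL.
    location = http_resp.header("Location") or ""
    if http_resp.status not in (301, 308) or not location.lower().startswith("https://"):
        problems.append("HTTP not permanently redirected to HTTPS")
    # 2. Browsers ignore HSTS received over HTTP; seeing it there means the
    #    {HTTPS}=on condition on the outbound rule is not doing its job.
    if http_resp.header("Strict-Transport-Security") is not None:
        problems.append("HSTS header sent over plain HTTP")
    # 3. The HTTPS response must carry the header with a max-age of at least a year.
    value = https_resp.header("Strict-Transport-Security")
    if value is None:
        return problems + ["HTTPS response lacks Strict-Transport-Security"]
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age missing or shorter than one year")
    if preload:  # the preload list additionally requires these two directives
        problems += [f"missing {n} directive" for n in ("includesubdomains", "preload") if n not in d]
    return problems

# Constructed sample responses mirroring what the rules above should produce.
SAMPLE_HTTP = Response(301, {"Location": "https://www.yourdomain.com/"})
SAMPLE_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
```

To check a live deployment, build the two Response objects from the status and headers returned by an http:// and an https:// request to the same host.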