Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles


Question

How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?

Answer

The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:

  1. Redirect all HTTP requests to HTTPS
  2. Add the Strict-Transport-Security header to all HTTPS requests

The appropriate web.config would look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict_Transport_Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):

<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://www.yourdomain.com/{R:1}" 
           redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="HSTS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>

Of course, switch yourdomain with your actual domain.
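A way to verify that a deployed WebRole actually behaves the way the configuration above intends, as an added example that is not part of the original answer: a Python script that parses the Strict-Transport-Security value per RFC 6797, checks it against the HSTS preload list's header requirements (max-age of at least one year, includeSubDomains, preload), and checks that the plain-HTTP response is a permanent redirect to the same host over https with no HSTS header leaking on HTTP. The host name www.yourdomain.com, the constructed sample responses and the live audit() helper are assumptions made for this example; the parsing and checking functions run offline.

```python
"""Verify HTTP->HTTPS redirect and HSTS header behaviour (added example, not from the answer)."""
import http.client
import sys
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age (seconds) required by hstspreload.org


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Per RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, a directive may appear at most once, and max-age is
    required and must be a non-negative integer. Raises ValueError otherwise.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(value):
    """Return the reasons this header value would not satisfy the preload list.

    An empty list means the header side is fine: max-age >= 1 year,
    includeSubDomains and preload all present.
    """
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def redirect_problems(status, headers, host, path="/"):
    """Check a plain-HTTP response: it must be a permanent redirect to the
    same host and path over https. `headers` is a dict with lower-case keys.
    """
    problems = []
    if status not in (301, 308):
        problems.append(f"expected 301/308, got {status}")
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"Location host {target.hostname!r} != {host!r}")
    if target.path != path:
        problems.append(f"Location path {target.path!r} != {path!r}")
    # Browsers ignore HSTS received over HTTP (RFC 6797 section 7.2); seeing it
    # here means the outbound rule is not conditioned on {HTTPS} as intended.
    if "strict-transport-security" in headers:
        problems.append("HSTS header sent over plain HTTP")
    return problems


def fetch(scheme, host, path="/"):
    """One GET over http or https without following redirects; returns (status, headers)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def audit(host):
    """Run both checks against a live host (network access assumed); returns all problems."""
    status, headers = fetch("http", host)
    problems = redirect_problems(status, headers, host)
    _, https_headers = fetch("https", host)
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header over HTTPS")
    else:
        problems.extend(preload_problems(hsts))
    return problems


if __name__ == "__main__":
    # Hypothetical host; pass your real host name as the first argument.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "www.yourdomain.com"
    issues = audit(target_host)
    print("OK" if not issues else "\n".join(issues))
```

Run it once against the apex name and once against the www name: with the rule order in the answer's second configuration, http://yourdomain.com must first land on https://yourdomain.com (same host, which is what the preload list checks), and only the HTTPS hop may then redirect to www.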
