Enabling HSTS in AWS ELB application load balancer


Question


We like to enable HSTS to our IIS deployed web application.


We have SSL terminating ELB Application load balancer. We have enabled the URL rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable HSTS header in the response.


Presently, ALB does not appear to pass custom headers from IIS to the ALB, to the end-user. We wanted to see if there is a way to enable HSTS either at ALB level where it can accept custom headers or if it can be set at IIS level and ALB can pass through the HSTS headers to the browser?

Answer


HSTS is a policy that is controlled by the backend and not by the load balancer. One could argue that AWS could enable this, but there are other issues that make this more complicated (violation of specs, permanent redirects for HTTP, etc.)


The issue with HSTS is that you cannot (should not) send Strict-Transport-Security over HTTP. The specs say to only send the header over a secure connection. HTTP is not secure. Since the load balancer is talking to the backend over HTTP, IIS is NOT sending the header. You need to use HTTPS on the backend to enable HSTS.

RFC 6797


If your goal is to send "Strict-Transport-Security" to the client, use Layer 4 listeners on your load balancer and handle HTTPS at your backend. If a request arrives on HTTP, send a permanent redirect (301). Benefits include absolute control, improved HTTP/2, etc.


Another option is to change your listener to use HTTPS to talk to the backend. Set up HTTPS and SSL on the backend.
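As an added illustration (not code from the question or the answer), the policy the answer describes in backend terms: emit `Strict-Transport-Security` only when the request is known to have come in over TLS, either terminated locally or attested by `X-Forwarded-Proto` from the load balancer itself, and answer plain-HTTP requests with a 301 to the `https://` URL. The proxy address, header value and WSGI shape are assumptions for this example, not anything the page specifies.

```python
# Added example: WSGI middleware applying the HSTS policy from the answer above.
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"   # assumed policy value
TRUSTED_PROXIES = {"10.0.0.10"}   # constructed: address(es) of our load balancer nodes


def request_is_https(environ):
    """True only if TLS terminated here, or the trusted load balancer says it did."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Honour X-Forwarded-Proto only from our own load balancer; otherwise the
    # header is just client input and must not unlock the HSTS header.
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def hsts_middleware(app):
    def wrapped(environ, start_response):
        if not request_is_https(environ):
            # Plain HTTP: permanent redirect to HTTPS, no HSTS header (RFC 6797).
            host = environ.get("HTTP_HOST", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Secure request: attach exactly one Strict-Transport-Security header.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def run(environ):
    """Drive the middleware with a trivial app; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    body = b"".join(hsts_middleware(app)(environ, start_response))
    return captured["status"], captured["headers"], body
```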
