GetPageSpeed / ngx_security_headers

NGINX Module for sending security headers
https://www.getpagespeed.com/server-setup/nginx-security-headers-the-right-way
BSD 2-Clause "Simplified" License

Strict-Transport-Security: Preloading doesn't work #15

Closed HansVanEijsden closed 2 years ago

HansVanEijsden commented 2 years ago

First of all, thank you for this module. I'm using it on all of my servers with success. I did a fresh git pull. Unfortunately, preload doesn't work.

Configure flags:

nginx version: nginx/1.21.6
built by gcc 8.3.0 (Debian 8.3.0-6) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --user=www-data --group=www-data --with-http_v2_module --with-http_ssl_module --with-http_v2_hpack_enc --with-pcre-jit --with-file-aio --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --with-libatomic --with-zlib=/usr/local/src/zlib --with-zlib-opt='-O3 -march=native -flto -fuse-linker-plugin' --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-3.0.2 --with-openssl-opt='no-zlib enable-rfc3779 enable-ec_nistp_64_gcc_128 no-tests no-unit-test -DCFLAGS=-O3 -march=native -flto -fuse-linker-plugin' --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/ngx_http_redis-0.3.9 --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/set-misc-nginx-module --add-module=/usr/local/src/ngx_brotli --add-module=/usr/local/src/ngx_security_headers --add-module=/usr/local/src/ngx_immutable --with-cc-opt='-DTCP_FASTOPEN=23 -march=native -flto -O3 -fuse-linker-plugin -Wno-error=strict-aliasing -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-ld-opt='-lrt -z relro -fstack-protector-strong'

In the nginx config I added security_headers on; in the main http block.

Header output:

❯ curl --compressed -IL "https://www.weblogzwolle.nl/"
HTTP/2 200 
server: nginx
date: Wed, 16 Mar 2022 21:20:51 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
link: <https://www.weblogzwolle.nl/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-cache: HIT
x-cache-2: BYPASS
public-key-pins: pin-sha256="fAYmhNNLaXs7XP8rVh/3+nACEdZefovkCJt8cZQFcDQ="; pin-sha256="C8AGueBZ5S3lFTVCU+/S3Fteku3NGRa0MHkeMsjvAKk="; pin-sha256="6tMzCDSUXMz7f8wecFye+mg5jgw7125rFQFODpx49xc="; pin-sha256="d4ilv6cF8gYda+qqKSdDulWJR7nfZdt1M6Hi/494i9Y="; max-age=5184000; report-uri="https://hansvaneijsden.report-uri.com/r/d/hpkp/enforce";
content-security-policy: upgrade-insecure-requests
expect-ct: enforce,max-age=604800
content-encoding: br

System:

❯ uname -a
Linux vps 5.10.0-0.bpo.11-amd64 #1 SMP Debian 5.10.92-1~bpo10+1 (2022-02-03) x86_64 GNU/Linux

I have this problem on all of my servers and vhosts. What am I doing wrong? Please let me know if you need more information, I'm happy to provide it.

dvershinin commented 2 years ago

Thank you for the bug report. This was a regression from a previous release. Fixed in v.0.0.11.

HansVanEijsden commented 2 years ago

Hi @dvershinin, wow that's quick. I can confirm it's working now as it should. Thanks for fixing!