0

I would like to set up a Magento platform on a server. I use CentOS and nginx and would like to redirect all HTTP connections to HTTPS. I already set up an HTTP-to-HTTPS redirect in the nginx domain.conf and that works fine, but how can I be sure that all connections are secured? I ask because if I also use HSTS, the very first request may still be HTTP.

For review, here is my example.org.conf file:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    #listen 80 reuseport;
    #listen 443 http2 ssl reuseport;
    listen 443 ssl;
    #listen 80;
    ...
    ...
}

So again: how can I be sure that all connections are secured? The second reason I ask is that I noticed that if I open the domain on a smartphone with a slow mobile data connection, it starts with a not-secure URL for just a second. Or am I just wrong?

I hope you can give me some advice.

Sven
vTillmann
  • The very first request will always be HTTP unless you add your site to the browsers' built-in HSTS list. I guess your site is not big enough to be added to that list. – Alexey Ten Aug 02 '16 at 10:55

2 Answers

1

Without HSTS, you can't prevent the first connection initiated by the client from using HTTP instead of HTTPS, as you can't control what protocol the user requests. The redirect only takes effect after that first request.

With HSTS, the situation is more complicated:

  • If you are in the HSTS preload list of a browser (which you most certainly are not), it should always and only use HTTPS to connect to your domain anyway.
  • If not, the very first connection the browser makes to your domain can still be HTTP, but with the first HTTPS response you send after the redirect, you can set the HSTS header. After this point, the client should only use HTTPS for the duration named in the header, both for the current and future sessions.
  • If you have an attacker acting as a MITM before the first connection, HSTS doesn't protect you, as he can just filter out the header. If the attack happens after the HSTS header is set, it will be much more difficult to do this.
Sven
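The three HSTS cases in this answer (no policy yet, a policy learned from the first HTTPS response after the redirect, and an attacker on path before that first response) as an added Python model. This is example code, not part of Sven's answer and not browser or nginx code. The host names, the HSTS_PRELOAD set, the fixed clock and the three *_server functions are constructed stand-ins; the client honours the Strict-Transport-Security header only on a response received over HTTPS, as RFC 6797 requires.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a browser's built-in HSTS preload list (hypothetical host).
HSTS_PRELOAD = {"preloaded.example"}


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value into its max-age and
    includeSubDomains parts. Returns None when max-age is missing or
    malformed, in which case a browser ignores the header."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


@dataclass
class Response:
    scheme: str            # scheme the response actually arrived over
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


class Client:
    """Minimal model of a browser's HSTS cache: host -> policy expiry time."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.cache: Dict[str, float] = {}
        self.now = now

    def is_known_https(self, host: str) -> bool:
        if host in HSTS_PRELOAD:
            return True
        expiry = self.cache.get(host)
        return expiry is not None and expiry > self.now()

    def fetch(self, host: str, server: Callable[[str], Response]) -> List[str]:
        """Navigate to host and return the schemes used on the wire, in order."""
        scheme = "https" if self.is_known_https(host) else "http"
        used = [scheme]
        resp = server(scheme)
        if scheme == "http" and resp.status == 301:
            used.append("https")          # follow the redirect to port 443
            resp = server("https")
        sts = resp.headers.get("Strict-Transport-Security")
        # RFC 6797: the header is only honoured when received over HTTPS.
        if sts and resp.scheme == "https":
            policy = parse_hsts(sts)
            if policy:
                if policy["max_age"] == 0:
                    self.cache.pop(host, None)
                else:
                    self.cache[host] = self.now() + policy["max_age"]
        return used


# Constructed server behaviours (not real nginx), one per case in the answer.

def good_server(scheme: str) -> Response:
    """Port 80 answers 301 to https; port 443 serves the page with HSTS."""
    if scheme == "http":
        return Response("http", 301, {"Location": "https://example.org/"})
    return Response("https", 200,
                    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})


def downgraded_first_request(scheme: str) -> Response:
    """An on-path attacker answers the very first plaintext request itself:
    the client never sees the redirect, so no HSTS policy is ever learned."""
    if scheme == "http":
        return Response("http", 200, {})
    return good_server(scheme)


def sts_over_plain_http(scheme: str) -> Response:
    """Misconfiguration: HSTS sent on port 80 without a redirect. Ignored."""
    if scheme == "http":
        return Response("http", 200, {"Strict-Transport-Security": "max-age=100"})
    return good_server(scheme)


if __name__ == "__main__":
    c = Client(now=lambda: 1000.0)
    print(c.fetch("example.org", good_server))   # ['http', 'https']: first visit
    print(c.fetch("example.org", good_server))   # ['https']: policy now cached
```

The first visit always goes out over HTTP and only then follows the 301; every later visit within max-age is rewritten to HTTPS before any packet leaves. In the downgraded_first_request case the cache stays empty, which is exactly the window the last bullet describes and the reason the preload list exists; in the sts_over_plain_http case the header is discarded because it did not arrive over HTTPS.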
0

How you can ensure all connections are secure

Ans: You are forwarding all connections permanently (301) to https, so there is no chance that your server accepts the unsecured connection.

You can analyse the Nginx access log to understand how many requests are redirected from HTTP to HTTPS.

In your configuration, some things need to be modified to follow Nginx best practice.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;

    # placeholder paths: point these at the real certificate and key,
    # nginx refuses to start an ssl listener without them
    ssl_certificate     /etc/nginx/ssl/example.org.crt;
    ssl_certificate_key /etc/nginx/ssl/example.org.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
Kernelv5
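One way to do the access-log analysis this answer suggests, as an added example that is not Kernelv5's code. It assumes a custom nginx log_format (shown in the comment; the format name "redirects" is hypothetical) that records $scheme and $sent_http_location, because the default combined format shows neither which scheme a request arrived on nor where a 301 pointed. The log lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# Assumed nginx log_format (hypothetical name), adding $scheme and the Location
# header nginx sent, neither of which is in the default "combined" format:
#   log_format redirects '$remote_addr - [$time_local] $scheme "$request" '
#                        '$status "$sent_http_location"';
#   access_log /var/log/nginx/access.log redirects;
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<scheme>https?) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<location>[^"]*)"$'
)

# Constructed sample lines; the third and fourth are the cases worth catching.
SAMPLE_LOG = """\
203.0.113.10 - [02/Aug/2016:10:55:01 +0000] http "GET / HTTP/1.1" 301 "https://example.org/"
203.0.113.10 - [02/Aug/2016:10:55:02 +0000] https "GET / HTTP/1.1" 200 "-"
198.51.100.7 - [02/Aug/2016:10:56:13 +0000] http "GET /admin HTTP/1.1" 200 "-"
198.51.100.7 - [02/Aug/2016:10:57:40 +0000] http "GET /old HTTP/1.1" 301 "http://example.org/new"
garbage line that does not match the format
"""


def classify(line: str) -> str:
    """Label one access-log line by what it says about the HTTP-to-HTTPS policy."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    if m["scheme"] == "https":
        return "https"
    if m["status"] != "301":
        return "http_served_in_clear"       # plaintext request answered with content
    if not m["location"].startswith("https://"):
        return "http_redirect_not_https"    # 301, but still pointing at http://
    return "http_redirected"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count each category; anything besides https/http_redirected/unparsed
    is a request the port-80 server block did not push to HTTPS."""
    counts = Counter(classify(l) for l in lines if l.strip())
    return dict(counts)


def violations(lines: List[str]) -> List[str]:
    """Return the raw lines showing plaintext service or an http:// redirect."""
    return [l for l in lines
            if classify(l) in ("http_served_in_clear", "http_redirect_not_https")]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    for v in violations(lines):
        print("CHECK:", v)
```

Run against a real log, the two violation categories are what to look for: a plaintext request answered with anything other than a 301, or a 301 whose Location is still http://. With the configuration posted above both lists should be empty; the counts of http_redirected versus https also show how often clients still start in the clear, which is the first-request window HSTS does not close.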