0

I would like to prevent users accessing my website using http. Instead, I want to enforce the use of https.

Usually, I have my websites hosted at providers who simply have a checkbox "Enforce https".

In this case, I have my own Ubuntu (nginx) server.

I would like to know if I can also enforce https server wide, or do I have to work with a preload flag in the HSTS header?

Can anybody point me to a document that describes how to resolve this issue with my configuration?

Thank you!

tmighty
  • 10,734
  • 21
  • 104
  • 218

2 Answers

2

Usually you need two server blocks, where the one that listens on the plain HTTP port redirects all requests to HTTPS:

server {
    listen               80;
    server_name          example.com;
    return               301 https://example.com$request_uri;
}

server {
    listen               443 ssl;
    server_name          example.com;
    ssl_certificate      /path/to/certificate;
    ssl_certificate_key  /path/to/privatekey;
    add_header           Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # all the other configuration
}

If you also need to redirect all non-www domain name requests to the www one (or vice versa), check this answer.

Ivan Shatsky
  • 13,267
  • 2
  • 21
  • 37
1

The answer by @IvanShatsky shows how to implement HSTS in Nginx (and I believe that's what you need).

Just to add some context to the answer:

  • You want to have both HTTP → HTTPS redirect and HSTS header.
  • To prevent all vulnerable scenarios you want the HSTS header to include the preload attribute (unless your TLD is HSTS-enabled, like .dev or .app).
  • In order to add a domain to the preload list, you still need to submit it at https://hstspreload.org.

Since enabling preload is pretty much a one-way ticket, a safe rollout plan may look like this:

The idea is to start small and gradually increment the expiration time and inclusion criteria.

  • Find out all subdomains you have (consult DNS CNAME entries). Those may be served by your servers or 3rd party services
  • Make sure the root domain and all subdomains can serve traffic over SSL/TLS (accessible via HTTPS)
  • Ensure HTTP → HTTPS redirect is configured
  • Set small expiration time, e.g. max-age=600 (10 minutes), make sure all systems operational
  • Add includeSubDomains directive
  • Make incremental changes to max-age. Aim for the value of 2 years
  • Add preload directive and submit the domain to the HSTS preload list

Ultimate guide to HTTP Strict Transport Security (HSTS).

Max Ivanov
  • 5,695
  • 38
  • 52
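An added example, not code from either answer: an offline checker that ties the nginx block in the first answer to the rollout steps in the second. It parses a Strict-Transport-Security value the way RFC 6797 describes (max-age required, directive names case-insensitive, unknown directives ignored), reports which rollout step a policy has reached, and lists what hstspreload.org still requires before a domain can be submitted (a redirect on port 80, max-age of at least one year, includeSubDomains and preload). The HTTP responses at the bottom are constructed for the example to stand in for what the two server blocks above would return.

```python
"""Offline HSTS rollout checker (added example; sample responses constructed)."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000    # minimum max-age hstspreload.org accepts for submission
TWO_YEARS = 63072000   # value used in the nginx block from the first answer


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None when the header is absent or invalid.
    A browser ignores a header without a single numeric max-age (RFC 6797)."""
    if value is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age="600" is also valid syntax
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None                  # duplicate or non-numeric max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def rollout_step(policy: Optional[HstsPolicy]) -> str:
    """Map a parsed policy onto the incremental plan from the second answer."""
    if policy is None or policy.max_age == 0:
        return "step 0: no HSTS (max-age=0 tells browsers to forget the policy)"
    if not policy.include_subdomains:
        return "step 1: root host only (no includeSubDomains yet)"
    if policy.max_age < ONE_YEAR:
        return "step 2: includeSubDomains set, max-age still ramping up"
    if not policy.preload:
        return "step 3: long max-age, ready to add preload"
    return "step 4: preload directive set, submit to hstspreload.org"


def preload_blockers(http_resp, https_resp):
    """http_resp and https_resp are (status, headers) pairs for the same host.
    Returns the hstspreload.org submission requirements not yet met (empty = ready)."""
    problems = []
    status, headers = http_resp
    location = headers.get("Location", "")
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        problems.append("port 80 must redirect to https://")
    status, headers = https_resp
    policy = parse_hsts(headers.get("Strict-Transport-Security"))
    if policy is None:
        problems.append("no valid HSTS header on the HTTPS response")
        return problems
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} < {ONE_YEAR} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


# Constructed sample responses: what the port-80 and port-443 server blocks
# above would return, plus an early rollout stage with a 10-minute max-age.
REDIRECT_RESP = (301, {"Location": "https://example.com/"})
FINAL_RESP = (200, {"Strict-Transport-Security":
                    f"max-age={TWO_YEARS}; includeSubDomains; preload"})
EARLY_RESP = (200, {"Strict-Transport-Security": "max-age=600"})

if __name__ == "__main__":
    print(rollout_step(parse_hsts(EARLY_RESP[1]["Strict-Transport-Security"])))
    print(preload_blockers(REDIRECT_RESP, EARLY_RESP))
    print(preload_blockers(REDIRECT_RESP, FINAL_RESP))
```

In practice you would feed `preload_blockers` the status and headers from a real request to each of `http://` and `https://` for the root domain and every subdomain found in the DNS inventory step; running it at each stage of the ramp-up keeps the max-age increase and the includeSubDomains change from being applied before the redirect is confirmed on every host.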