변군이글루

HSTS (HTTP Strict Transport Security) 설정

Redirect HTTP connections to HTTPS

Apache 설정

<VirtualHost *:80>
    ServerName example.com

    RewriteEngine on
    RewriteCond %{HTTPS}  !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

NGINX 설정

server {
    listen 80;
    server_name example.com;
    return 301 https://$http_host$request_uri;    
}

HSTS 설정

 - HSTS를 사용하려면 "Strict-Transport-Security" HTTP 헤더를 설정합니다.

  max-age = 적용 시간. 초단위

  includeSubdomains : 서브 도메인도 적용

  preload : 클라이언트(브라우저)에 preload list에 추가

Apache 설정

<VirtualHost example.com:443>
Header always set Strict-Transport-Security "max-age=86400; includeSubdomains; preload"
</VirtualHost>

NGINX 설정

server {
    listen 443;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=86400; includeSubdomains; preload";   
}

HSTS가 활성화되었는지 확인하는 방법

크롬 브라우저에서 확인

chrome://net-internals/#hsts

- domain1.co.kr

- domain2.co.kr

cURL을 사용하여 HSTS 헤더 확인

 curl -s -D- https://domain.com/ | grep -i Strict

$ curl -s -D- https://sangchul.kr/ | grep -i Strict
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

$ curl --head https://sangchul.kr
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, 29 Sep 2020 02:09:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <https://sangchul.kr/index.php?rest_route=/>; rel="https://api.w.org/"
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Public-Key-Pins: max-age=31536000;
                pin-sha256="O2ELvEUIPxmsA7vJAbZxoiABBkonE3U+INXiuRkWTu4=";
                pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
                pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
                pin-sha256="T3QGJPkeB/a0wqVRQLP1AMsOTOxc8OJOR6nczDNd7H4=";
                includeSubDomains

HTTP Strict Transport Security

RFC: RFC6797 (HTTP Strict Transport Security (HSTS))