Re: httpd: hsts (rfc 6797)
----- Original Message -----
> There is a non-standard preload token that Google requires to get onto Chrome's HSTS preload list[0] which is also used by Firefox. Any chance of supporting this? Or is its omission a conscious decision?
>
> [0] https://hstspreload.appspot.com/

FWIW, from my experience, the preload token presence is not yet enforced. Having Strict-Transport-Security: max-age=31536000; includeSubDomains is just enough.

--
Marco Bonetti
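As an added example (not code from this thread, from httpd, or from Florian's diff), here is the header Marco quotes seen from both ends: the server side renders max-age and includeSubDomains from the two fields the diff adds, using the diff's one-year default for an unset age, and the client side parses a received value the way RFC 6797 section 6.1 requires, accepting the non-standard preload token and rejecting what a user agent must discard (missing or duplicate max-age, negative, signed or non-numeric values). The names hsts_header, hsts_parse, hsts_policy, trim and eqci are this example's own, not httpd's.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default taken from the posted httpd diff (one year). The type and
 * function names below are this example's own, not httpd's. */
#define SERVER_HSTS_DEFAULT_AGE	31536000

struct hsts_policy {
	int64_t	max_age;
	int	subdomains;
	int	preload;	/* non-standard token read by the preload list */
};

/* Server side: render the header value from the two config fields the diff
 * adds; max_age < 0 means "not set", as the diff initialises it.
 * Returns the number of bytes written, or -1 if buf is too small. */
int
hsts_header(int64_t max_age, int subdomains, char *buf, size_t len)
{
	int64_t	age = max_age < 0 ? SERVER_HSTS_DEFAULT_AGE : max_age;
	int	n = snprintf(buf, len, "max-age=%lld%s", (long long)age,
	    subdomains ? "; includeSubDomains" : "");

	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

static char *
trim(char *s)	/* strip leading and trailing whitespace in place */
{
	char	*e = s + strlen(s);

	while (isspace((unsigned char)*s))
		s++;
	while (e > s && isspace((unsigned char)e[-1]))
		*--e = '\0';
	return s;
}

static int
eqci(const char *a, const char *b)	/* case-insensitive string equality */
{
	while (*a != '\0' && tolower((unsigned char)*a) == tolower((unsigned char)*b))
		a++, b++;
	return *a == *b;
}

/* Client side: parse a received Strict-Transport-Security value as RFC 6797
 * section 6.1 prescribes: ';'-separated directives, case-insensitive names,
 * each directive at most once, max-age mandatory, values optionally quoted,
 * unknown directives ignored. Returns 0 on success and -1 when the header
 * is invalid, in which case a user agent must ignore it entirely. */
int
hsts_parse(const char *value, struct hsts_policy *p)
{
	char	*copy, *dir, *next, *name, *val, *eq, *end;
	int	seen_age = 0, seen_sub = 0, ret = -1;
	long long v;
	size_t	l = strlen(value);

	memset(p, 0, sizeof(*p));
	p->max_age = -1;
	if ((copy = malloc(l + 1)) == NULL)
		return -1;
	memcpy(copy, value, l + 1);
	for (dir = copy; dir != NULL; dir = next) {
		if ((next = strchr(dir, ';')) != NULL)
			*next++ = '\0';
		name = trim(dir);
		if (*name == '\0')
			continue;	/* empty directives are allowed */
		val = NULL;
		if ((eq = strchr(name, '=')) != NULL) {
			*eq = '\0';
			name = trim(name);
			val = trim(eq + 1);
			if (*val == '"' && (l = strlen(val)) > 1 && val[l - 1] == '"') {
				val[l - 1] = '\0';	/* quoted-string form */
				val++;
			}
		}
		if (eqci(name, "max-age")) {
			if (seen_age++ || val == NULL || !isdigit((unsigned char)*val))
				goto out;	/* duplicate, missing or signed value */
			errno = 0;
			v = strtoll(val, &end, 10);
			if (errno != 0 || *end != '\0')
				goto out;	/* overflow or trailing junk */
			p->max_age = v;
		} else if (eqci(name, "includeSubDomains")) {
			if (seen_sub++)
				goto out;
			p->subdomains = 1;
		} else if (eqci(name, "preload"))
			p->preload = 1;
		/* any other directive is ignored, as the RFC requires */
	}
	ret = seen_age ? 0 : -1;	/* max-age is mandatory */
out:
	free(copy);
	return ret;
}
```

A server should emit this header on TLS listeners only: RFC 6797 section 8.1 makes user agents ignore it when it arrives over plain HTTP, so hsts_parse alone never decides whether a policy is honoured; the transport it came over does.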
Re: httpd: hsts (rfc 6797)
On Sat, 18 Jul 2015 02:53:01 +0200 Reyk Floeter wrote:
> HSTS is a good thing and widely pushed, eg. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option

I agree HSTS is useful but disagree with the rhetoric personally. It improves security for average website deployers using bog standard hosting and large websites that can't control their own sites or design them properly/well/securely/without js from 10s of domains.

For me, however, I don't buy Google's argument of it doing no harm because of AES acceleration when SSL amplification DoS is taken into account, and so I hope Google don't push too hard. When my sites get enough demand to require more than one server then I shall want to *maximise* the chances of delivering insecure content, which dictates HTTP-only servers.

Pages can be enforced over SSL without HSTS, and cookies too, which many advocates don't seem to realise (that the secure cookie flags and ways to control them exist).
Re: httpd: hsts (rfc 6797)
On Sat, Jul 18, 2015 at 12:14:37AM +, Florian Obser wrote: OK? As discussed, I like the implementation this way. Comments below. Reyk diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. +Valid options are: +.Bl -tag -width Ds +.It Ic max-age Ar seconds +Set the maximum time in seconds a receiving user agent should regard +this host as a HSTS host. +The default is one year. +.It Ic subdomains +Signal to the receiving user agent that this host and all sub domains +of the host's domain should be considered HSTS hosts. +.El .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number Set the listen address and port. This statement can be specified multiple times. diff --git httpd.h httpd.h index 2cb7934..9596000 100644 --- httpd.h +++ httpd.h @@ -68,6 +68,7 @@ #define SERVER_OUTOF_FD_RETRIES 5 #define SERVER_MAX_PREFETCH 256 #define SERVER_MIN_PREFETCHED32 +#define SERVER_HSTS_DEFAULT_AGE 31536000 #define MEDIATYPE_NAMEMAX128 /* file name extension */ #define MEDIATYPE_TYPEMAX64 /* length of type/subtype */ @@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client); #define SRVFLAG_NO_BLOCK 0x0008 #define SRVFLAG_LOCATION_MATCH 0x0010 #define SRVFLAG_SERVER_MATCH 0x0020 +#define SRVFLAG_SERVER_HSTS 0x0040 #define SRVFLAG_BITS \ \10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX \ \05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET \ \14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG \ \21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH \ - \26SERVER_MATCH + \26SERVER_MATCH\27SERVER_HSTS #define TCPFLAG_NODELAY 0x01 #define TCPFLAG_NNODELAY 0x02 
@@ -443,6 +445,9 @@ struct server_config { char*return_uri; off_treturn_uri_len; + int64_t hsts_max_age; Do you really need int64_t instead of int here? How many years do you want to enforce HSTS? Or, in the distant future we either entirely switched to encrypted connections or the opposite and it became illegal in a dystopian future. + int hsts_subdomains; + TAILQ_ENTRY(server_config) entry; }; TAILQ_HEAD(serverhosts, server_config); diff --git parse.y parse.y index 0870819..8dfad1a 100644 --- parse.y +++ parse.y @@ -133,7 +133,7 @@ typedef struct { %token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN %token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS %token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT -%token TLS TYPES +%token TLS TYPES HSTS MAXAGE SUBDOMAINS %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS %token v.string STRING %token v.number NUMBER @@ -256,6 +256,8 @@ server: SERVER optmatch STRING{ HTTPD_TLS_ECDHE_CURVE, sizeof(s-srv_conf.tls_ecdhe_curve)); + s-srv_conf.hsts_max_age = -1; You could just initialize it to SERVER_HSTS_DEFAULT_AGE here. + if (last_server_id == INT_MAX) { yyerror(too many servers defined); free(s); @@ -556,6 +558,30 @@ serveroptsl : LISTEN ON STRING opttls port { parentsrv = NULL; } | include + | hsts { + if (parentsrv != NULL) { + yyerror(hsts inside location); + YYERROR; + } + srv-srv_conf.flags |= SRVFLAG_SERVER_HSTS; + } + ; + +hsts : HSTS '{' optnl hstsflags_l '}' + | HSTS hstsflags + | HSTS + ; + +hstsflags_l : hstsflags optcommanl hstsflags_l + | hstsflags optnl + ; + +hstsflags: MAXAGE NUMBER { + srv_conf-hsts_max_age = $2; + } + | SUBDOMAINS{ + srv-srv_conf.hsts_subdomains = 1; + } ; fastcgi : NO FCGI { @@ -1115,6 +1141,7 @@ lookup(char *s) { ecdhe, ECDHE }, { error, ERR }, { fastcgi,FCGI }, + { hsts, HSTS }, { include,INCLUDE }, { index, INDEX },
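Review bot: on the int64_t question in the `struct server_config` hunk, the width matters less than the validation that is missing: `$2` in the `MAXAGE NUMBER` action comes from `<v.number> NUMBER` and is stored as-is, so whichever type is chosen the action should reject a negative value with a `yyerror` (and an upper bound as well if the field becomes `int`), because a negative max-age makes the whole header invalid and browsers then discard it. `max-age 0` should stay accepted, since RFC 6797 uses it to clear a stored policy.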
Re: httpd: hsts (rfc 6797)
Reyk Floeter wrote: On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote: Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. Why this, but not also e.g. Public-Key-Pins or Content-Security? I think this quickly turns into a call for a generic add-header mechanism. HSTS is a good thing and widely pushed, eg. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option and florian's implementation let's us enable it with one simple statement: hsts. If we ever find out that we'd also do other things like Content-Security, we'll consider adding them as well. well, here's one list of headers that people may wish to use. https://www.owasp.org/index.php/List_of_useful_HTTP_headers there are many similar top five headers you need to use today! lists and blogs and such. hsts isn't unique. the key pinning and frame options headers are also widely recommended.
Re: httpd: hsts (rfc 6797)
Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. Why this, but not also e.g. Public-Key-Pins or Content-Security? I think this quickly turns into a call for a generic add-header mechanism.
httpd: hsts (rfc 6797)
OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. +Valid options are: +.Bl -tag -width Ds +.It Ic max-age Ar seconds +Set the maximum time in seconds a receiving user agent should regard +this host as a HSTS host. +The default is one year. +.It Ic subdomains +Signal to the receiving user agent that this host and all sub domains +of the host's domain should be considered HSTS hosts. +.El .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number Set the listen address and port. This statement can be specified multiple times. diff --git httpd.h httpd.h index 2cb7934..9596000 100644 --- httpd.h +++ httpd.h @@ -68,6 +68,7 @@ #define SERVER_OUTOF_FD_RETRIES5 #define SERVER_MAX_PREFETCH256 #define SERVER_MIN_PREFETCHED 32 +#define SERVER_HSTS_DEFAULT_AGE31536000 #define MEDIATYPE_NAMEMAX 128 /* file name extension */ #define MEDIATYPE_TYPEMAX 64 /* length of type/subtype */ @@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client); #define SRVFLAG_NO_BLOCK 0x0008 #define SRVFLAG_LOCATION_MATCH 0x0010 #define SRVFLAG_SERVER_MATCH 0x0020 +#define SRVFLAG_SERVER_HSTS0x0040 #define SRVFLAG_BITS \ \10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX \ \05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET \ \14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG \ \21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH \ - \26SERVER_MATCH + \26SERVER_MATCH\27SERVER_HSTS #define TCPFLAG_NODELAY0x01 #define TCPFLAG_NNODELAY 0x02 @@ -443,6 +445,9 @@ struct server_config { char*return_uri; off_treturn_uri_len; + int64_t hsts_max_age; + int hsts_subdomains; + TAILQ_ENTRY(server_config) entry; }; TAILQ_HEAD(serverhosts, server_config); diff --git parse.y parse.y index 0870819..8dfad1a 100644 --- parse.y +++ parse.y 
@@ -133,7 +133,7 @@ typedef struct { %token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN %token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS %token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT -%token TLS TYPES +%token TLS TYPES HSTS MAXAGE SUBDOMAINS %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS %token v.string STRING %token v.number NUMBER @@ -256,6 +256,8 @@ server : SERVER optmatch STRING{ HTTPD_TLS_ECDHE_CURVE, sizeof(s-srv_conf.tls_ecdhe_curve)); + s-srv_conf.hsts_max_age = -1; + if (last_server_id == INT_MAX) { yyerror(too many servers defined); free(s); @@ -556,6 +558,30 @@ serveroptsl: LISTEN ON STRING opttls port { parentsrv = NULL; } | include + | hsts { + if (parentsrv != NULL) { + yyerror(hsts inside location); + YYERROR; + } + srv-srv_conf.flags |= SRVFLAG_SERVER_HSTS; + } + ; + +hsts : HSTS '{' optnl hstsflags_l '}' + | HSTS hstsflags + | HSTS + ; + +hstsflags_l: hstsflags optcommanl hstsflags_l + | hstsflags optnl + ; + +hstsflags : MAXAGE NUMBER { + srv_conf-hsts_max_age = $2; + } + | SUBDOMAINS{ + srv-srv_conf.hsts_subdomains = 1; + } ; fastcgi: NO FCGI { @@ -1115,6 +1141,7 @@ lookup(char *s) { ecdhe, ECDHE }, { error, ERR }, { fastcgi,FCGI }, + { hsts, HSTS }, { include,INCLUDE }, { index, INDEX }, { ip, IP }, @@ -1125,6 +1152,7 @@ lookup(char *s) { logdir, LOGDIR }, { match, MATCH }, { max,MAXIMUM }, + { max-age,MAXAGE }, { no, NO }, { nodelay,NODELAY }, { on, ON }, @@ -1141,6 +1169,7 @@ lookup(char *s) { socket, SOCKET },
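Review bot: the new `hsts` entry in the httpd.conf.5 hunk should say which listeners it applies to: RFC 6797 section 8.1 makes user agents ignore a Strict-Transport-Security header received over plain HTTP, so the option is only meaningful on a `listen on ... tls` socket, and since the response-side change is not among the posted hunks a reader cannot tell whether a non-TLS server sends the header anyway or silently drops it; one sentence such as "The header is only sent on tls listeners" (or whatever the server code does) would settle that. Wording: "a HSTS host" reads better as "an HSTS host", and "sub domains" as "subdomains", matching the `subdomains` keyword documented just below.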
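Review bot: the `hstsflags` rule in the parse.y hunk is inconsistent about which config it writes to: `srv_conf->hsts_max_age = $2;` sits next to `srv->srv_conf.hsts_subdomains = 1;` in the following alternative and `srv->srv_conf.flags |= SRVFLAG_SERVER_HSTS;` in the `serveroptsl` action. Use one form throughout; note that these `hstsflags` actions run when that rule is reduced, i.e. before the `parentsrv != NULL` check in the `serveroptsl` action, so an `hsts` block inside a location has already written into a config by the time `yyerror("hsts inside location")` rejects it. That is harmless while a parse error fails the whole config load, but it is one more reason to keep every write on the same object the check protects.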
Re: httpd: hsts (rfc 6797)
On Sat, 18 Jul 2015, at 12:14 PM, Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. +Valid options are: +.Bl -tag -width Ds +.It Ic max-age Ar seconds +Set the maximum time in seconds a receiving user agent should regard +this host as a HSTS host. +The default is one year. +.It Ic subdomains +Signal to the receiving user agent that this host and all sub domains +of the host's domain should be considered HSTS hosts. +.El There is a non-standard preload token that Google requires to get onto Chrome's HSTS preload list[0] which is also used by Firefox. Any chance of supporting this? Or is its omission a conscious decision? [0] https://hstspreload.appspot.com/
Re: httpd: hsts (rfc 6797)
On Fri, Jul 17, 2015 at 08:51:54PM -0400, Ted Unangst wrote: Reyk Floeter wrote: On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote: Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. Why this, but not also e.g. Public-Key-Pins or Content-Security? I think this quickly turns into a call for a generic add-header mechanism. HSTS is a good thing and widely pushed, eg. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option and florian's implementation let's us enable it with one simple statement: hsts. If we ever find out that we'd also do other things like Content-Security, we'll consider adding them as well. well, here's one list of headers that people may wish to use. https://www.owasp.org/index.php/List_of_useful_HTTP_headers there are many similar top five headers you need to use today! lists and blogs and such. hsts isn't unique. the key pinning and frame options headers are also widely recommended. Sure, but how is this related to florian's diff? Do you say we cannot do HSTS now because we have to support all other popular headers or a generic mechanism first? That doesn't help us. HSTS is simply the most wanted. At least by our users and ourselves. Additionally, we also want to make it simple by hiding the complexity with good defaults and without the need that the users have to study the List_of_useful_HTTP_headers and their various buttons first to program their own custom HTTP configurations. Reyk
Re: httpd: hsts (rfc 6797)
On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote: Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. Why this, but not also e.g. Public-Key-Pins or Content-Security? I think this quickly turns into a call for a generic add-header mechanism. HSTS is a good thing and widely pushed, eg. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option and florian's implementation let's us enable it with one simple statement: hsts. If we ever find out that we'd also do other things like Content-Security, we'll consider adding them as well. Adding a generic header mechanism would make it utterly more complex, both from a useability and a implementation point of view. If we ever find the time and need for such mechanism, we can keep the existing hsts keywords as a higher layer on top of it. Reyk
Re: httpd: hsts (rfc 6797)
On 2015/07/17 20:51, Ted Unangst wrote: Reyk Floeter wrote: On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote: Florian Obser wrote: OK? diff --git httpd.conf.5 httpd.conf.5 index b3eaad8..bfca29f 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -262,6 +262,18 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. Why this, but not also e.g. Public-Key-Pins or Content-Security? I think this quickly turns into a call for a generic add-header mechanism. HSTS is a good thing and widely pushed, eg. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option and florian's implementation let's us enable it with one simple statement: hsts. If we ever find out that we'd also do other things like Content-Security, we'll consider adding them as well. well, here's one list of headers that people may wish to use. https://www.owasp.org/index.php/List_of_useful_HTTP_headers there are many similar top five headers you need to use today! lists and blogs and such. hsts isn't unique. the key pinning and frame options headers are also widely recommended. There are others outside of security too, like cache-control.