Enabling HSTS in AWS ELB application load balacer

白昼怎懂夜的黑 提交于 2020-01-02 03:35:10

问题


We like to enable HSTS to our IIS deployed web application.

We have SSL terminating ELB Application load balancer. We have enabled the URL rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable HSTS header in the response.

Presently, ALB does not appear to pass custom headers from IIS to the ALB, to the end-user. We wanted to see if there is a way to enable HSTS either at ALB level where it can accept custom headers or if it can be set at IIS level and ALB can pass through the HSTS headers to the browser?


回答1:


HSTS is a policy that is controlled by the backend and not by the load balancer. One could argue that AWS could enable this, but there are other issues that make this more complicated (violation of specs, permanent redirects for HTTP, etc.)

The issue with HSTS is that you cannot (should not) send Strict-Transport-Security over HTTP. The specs say to only send the header over a secure connection. HTTP is not secure. Since the load balancer is talking to the backend over HTTP, IIS is NOT sending the header. You need to use HTTPS on the backend to enable HSTS.

RFC6797

If your goal is to send "Strict-Transport-Security" to the client, use Layer 4 listeners on your load balancer and handle HTTPS at your backend. If a request arrives on HTTP, send a permanent redirect (301). Benefits include absolute control, improved HTTP/2, etc.

Another option is to change your listener to use HTTPS to talk to the backend. Setup HTTPS and SSL on the backend.



来源:https://stackoverflow.com/questions/51906676/enabling-hsts-in-aws-elb-application-load-balacer

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!