regarding-hsts-in-netscaler

参考:

Strict Transport Security (STS or HSTS) with Citrix NetScaler and Access Gateway Enterprise

https://www.citrix.com/blogs/2010/09/10/strict-transport-security-sts-or-hsts-with-citrix-netscaler-and-access-gateway-enterprise/

How Do I Configure HTTP Strict Transport Security (HSTS) on NetScaler

https://support.citrix.com/article/CTX205221

How to Enable HTTP Strict Transport Security (HSTS) on NetScaler 12

https://support.citrix.com/article/CTX224172

Check HSTS preload status and eligibility   https://hstspreload.org/

SSL Server Test    https://www.ssllabs.com/ssltest/index.html

https://discussions.citrix.com/topic/398147-regarding-hsts-in-netscaler/

Posted September 3, 2018

1)What is the use of HSTS?

Short version: HSTS ensures client browsers will only use HTTPS to connect to your web site(s). The lack of HTTP will make it more difficult for Man-in-the-Middle and/or fake sites to get access to your users' credentials or other sensitive info.

Long version: See https://www.troyhunt.com/understanding-http-strict-transport/

2)In Netscaler version 11.0 there is no inbuilt profile so how can we create it?

You need a Responder policy and a Rewrite policy. The Responder Action and Policy will redirect from HTTP->HTTPS for you web site and at the same time it will specify the HSTS header in this Redirect. Below is a general HTTPS redirect, so you can bind below policy to your HTTP Load Balancing or Content Switch vServers and the HSTS flag will tell the client's browser that for the next 31536000 seconds (1 year) to always skip HTTP for this particular URL.

The Rewrite policy should be bound to your HTTPS LB/CS vServers (since if a user browses to your website using HTTPS immediately then he will not get the Redirect response above and hence not the HSTS flag).

add responder action REA-HTML-HTTPS_REDIRECT respondwith q{"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HEADER("Host").HTTP_HEADER_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE + "\r\n" + "Strict-Transport-Security: max-age=31536000\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"}

add responder policy REP-HTTPS_REDIRECT "CLIENT.SSL.IS_SSL.NOT" REA-HTML-HTTPS_REDIRECT

add rewrite action RWA-RES-INSERT_HSTS insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy RWP-RES-INSERT_HSTS "CLIENT.SSL.IS_SSL" RWA-RES-INSERT_HSTS

3)Suppose if we want HSTS to use in ntescaler wheather anthing have to be done in backend servers as well or only in netscaler?

You only need to do it on Netscaler, assuming that all your clients connect to your web systems through Netscaler (and not directly to backend if they are internal users, for example)

4)for which vserver  https or http the HSTS applied?

If you have HTTP LB vServers (instead of SSL/HTTPS), and there is no HTTPS CS vServer in front of it, then HSTS will serve no purpose for this particular LB vServer since HTTPS isn't being used. If you do have SSL/HTTPS LB or CS vServers, then bind above responder policy to your HTTP port 80 LB/CS vServers since they will be the ones performing the Redirect.

5)Chrome from which version HSTS is supported?

Not sure, but it's been supported for at least 2 years, so quite a few versions back.

Some things to note:

* Google has a Preload list for HSTS, but this is optional and not necessary to add your web site(s) to. The Preload list has its own specific requirements on the HSTS implementation.

* Start out with a low value in the HSTS header, do not use 1 year initially (use 30 minutes or something) since if you screw up somehow, the HSTS value will be stored in clients' web browsers and you cannot clear/change this value from server-side.

* When enabling HSTS it forces all connections for that particular URL to use HTTPS. Ensure your web system is 100% HTTPS supported before enabling HSTS (check source code and javascripts that they do not point to http:// addresses of your web site)

* If your company has both URLs www.mycompany.com and mycompany.com, and you perform redirect from mycompany.com to www.mycompany.com, then you will need multiple Responder Policies with HSTS header instead of just one. For example, you shouldn't do an immediate redirect from http://mycompany.com -> https://www.mycompany.com, but rather split it up into an initial http->https redirect for mycompanycom and then a secondary redirect from https://mycompany.com to https://www.mycompany.com. This ensures HSTS flag is correctly set for the mycompany.com URL.

Configure support for HTTP strict transport security (HSTS)

https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/how-to-articles/ssl-support-for-hsts.html

 March 6, 2019     Contributed by:  S C

 

Citrix ADC appliances support HTTP strict transport security (HSTS) as an in-built option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

Enable HSTS in an SSL front-end profile or on an SSL virtual server. If you enable SSL profiles, then you should enable HSTS on an SSL profile instead of enabling it on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included. For example, you can specify that subdomains for www.example.com, such as www.abc.example.com and www.xyx.example.com, can be accessed only by using HTTPS by setting the IncludeSubdomains parameter to YES.

If you access any web sites that support HSTS, the response header from the server contains an entry similar to the following:

The client stores this information for the time specified in the max-age parameter. For subsequent requests to that web site, the client checks its memory for an HSTS entry. If an entry is found, it accesses that web site only by using HTTPS.

You can configure HSTS at the time of creating an SSL profile or an SSL virtual server by using the add command. You can also configure HSTS on an existing SSL profile or SSL virtual server by modifying it using the set command.

Configure HSTS by using the CLI

At the command prompt, type:

COPY
add ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO)

OR

COPY
add ssl profile <name> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO )

Arguments

HSTS

         State of HTTP Strict Transport Security (HSTS) on an SSL virtual server or SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.

          Possible values: ENABLED, DISABLED

          Default: DISABLED

maxage

          Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.

          Default: 0

          Minimum: 0

          Maximum: 4294967294

IncludeSubdomains

         Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

          Possible values: YES, NO

          Default: NO

In the following examples, the client must access the web site and its subdomains for 157,680,000 seconds only by using HTTPS.

COPY
add ssl vserver VS-SSL –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES
COPY
add sslProfile hstsprofile –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES

Configure HSTS by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Include Subdomains.

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. In Advanced Settings, select SSL Parameters.

  2. Select HSTS and Include Subdomains.

Support for HSTS preload

Note:

This feature is available in release 12.1 build 51.x and later.

The Citrix ADC appliance supports adding an HSTS preload in the HTTP response header. To include the preload, you must set the preload parameter in the SSL virtual server or SSL profile to YES. The appliance then includes the preload in the HTTP response header to the client. You can configure this feature using both the CLI and the GUI. For more information about HSTS preload, see https://hstspreload.org/.

Following are examples of valid HSTS headers with preload:

COPY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
COPY
Strict-Transport-Security: max-age=63072000; preload

Configure HSTS preload by using the CLI

At the command prompt, type:

COPY
add ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -preload ( YES | NO )

OR

COPY
add ssl profile <name> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO ) -preload ( YES | NO )

Configure HSTS preload by using the GUI

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Navigate to System > Profiles > SSL Profiles. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Preload.

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

  2. In Advanced Settings, select SSL Parameters.

  3. Select HSTS and Preload.

====================== End

regarding-hsts-in-netscaler的更多相关文章

  1. 【流量劫持】躲避 HSTS 的 HTTPS 劫持

    前言 HSTS 的出现,对 HTTPS 劫持带来莫大的挑战. 不过,HSTS 也不是万能的,它只能解决 SSLStrip 这类劫持方式.但仔细想想,SSLStrip 这种算劫持吗? 劫持 vs 钓鱼 ...

  2. 使用https的HSTS需要注意的一个问题

    HSTS(HTTP Strict Transport Security) 简单来说就是由浏览器进行http向https的重定向.如果不使用HSTS,当用户在浏览器中输入网址时没有加https,浏览器会 ...

  3. LB 简单比较 – F5、NetScaler、LVS、Nginx、Haproxy

    LB 简单比较 – F5.NetScaler.LVS.Nginx.Haproxy 负载均衡技术是构建大型网站必不可少的架构策略之一.它的目的是,把用户的请求分发到多台后端的设备上,用以均衡服务器的负载 ...

  4. HTTPS强制安全策略-HSTS协议阅读理解

    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security [阅读理解式翻译,非严格遵循原 ...

  5. 【翻译】Netscaler真实表现性能调整

    源地址:https://msandbu.wordpress.com/2014/10/31/netscaler-and-real-performance-tuning/ 作者显然不是以英语为母语的,所以 ...

  6. HTTP HSTS协议和 nginx

    导读 Netcraft 公司最近公布了他们检测SSL/TLS网站的研究,并指出只有仅仅5%的用户正确执行了HTTP严格传输安全HSTS.本文介绍nginx如何配置HSTS. 什么是HSTS HTTPS ...

  7. 使用mitmf 来绕过HSTS站点抓取登陆明文

    使用mitmf 来绕过HSTS站点抓取登陆明文 HSTS简介 HSTS是HTTP Strict Transport Security的缩写,即:"HTTP严格安全传输".当浏览器第 ...

  8. [Citrix NetScaler] 简述

    额 就这个题目 Citrix NetScaler 是一个VPN,一个代理,一个Gateway的存在,一个Citrix的产品 首先是我们利用Citrix NetScaler的测试环境: 架构上分2种: ...

  9. web前端利用HSTS(新的Web安全协议HTTP Strict Transport Security)漏洞的超级Cookie(HSTS Super Cookie)

    web前端如果想实现cookie跨站点,跨浏览器,清除浏览器cookie该cookie也不会被删除这似乎有点难,下面的教程让你完全摆脱document.cookie 1.服务器端设置HSTS 如PHP ...

随机推荐

  1. Mercury:唯品会全链路应用监控系统解决方案详解(含PPT)

    Mercury:唯品会全链路应用监控系统解决方案详解(含PPT) 原创: 姚捷 高可用架构 2016-08-08    

  2. API 设计 POSIX File API

    小结: 1. https://mp.weixin.qq.com/s/qWrSyzJ54YEw8sLCxAEKlA API 设计最佳实践的思考 谷朴 阿里技术 昨天   阿里妹导读:API 是模块或者子 ...

  3. java从包package中获取所有的Class

      1.从包package中获取所有的Class方法: /** * 从包package中获取所有的Class * @param pack * @return */ public static List ...

  4. 不是springboot项目怎么使用内置tomcat

    不是springboot项目怎么使用内置tomcat   解决方法: 1.pom.xml中添加以下依赖 <properties>  <tomcat.version>8.5.23 ...

  5. 采购信息记录批导BAPI

    转自:https://www.cnblogs.com/freeandeasy/p/11810272.html作者的话:   可以批导创建及修改信息记录的主数据.而且可以对条件中的时间段及其数量等级中的 ...

  6. sql 获取本周周一和周日

    版本1.0(获取周日存在问题,请勿使用,仅用于引以为戒) 存在问题,获取周日的时候,当当前时间正好是周日,会获取下一周的周日,而非本周周日. ,)),) ),, ,)),) 版本2.0 看到版本1.0 ...

  7. tk mybatis动态sql中过滤不使用的字段

    实体字段如下 @Data @NoArgsConstructor @AllArgsConstructor @Builder /*** * app图标 */ @JsonFormat public clas ...

  8. C++ - 第一个程序

    代码: #include <iostream> using namespace std; int main() { cout << "hello!" < ...

  9. (十六)Centos之安装mysql

    第一步:获取mysql YUM源 进入mysql官网获取RPM包下载地址 https://dev.mysql.com/downloads/repo/yum/ 点击 下载 右击 复制链接地址 https ...

  10. 容器版单个jenkins实现CI/CD----带solo博客开源项目

    实验架构: 192.168.0.96 gitlab 192.168.0.97 jenkins.docker-1.7 192.168.0.98 harbor.docker-1.7集群 jenkins安装 ...