Topic: [solved] How did I "lose" my hpkp header?

hlpinform
Joined: 04 Jul 2017 Posts: 4
Posted: Tue 04 Jul '17 10:53 Post subject: [solved] How did I "lose" my hpkp header?
Dear Community,
I ran into an issue that I can't figure out by myself, and I would appreciate every input I can get.
Before we start, here are the relevant infos:
I use Apache2 (2.4.25 under Debian 9) as a reverse proxy for a web application my colleagues develop. The backend is an "embedded" Tomcat (to be precise, it is a Spring Boot web application which embeds Apache Tomcat 8.5.x).
The Apache server is equipped with two different wildcard certificates (*.example.com and *.test.example.com).
I serve vHosts for example.com/www.example.com as well as for test.example.com/www.test.example.com, which both get an A+ at SSLLABS.
Now I added another vHost (which I did a 1000 times before on my other Apache2 servers), but this one only gets an A rating at SSLLABS.
The reason for that is that my HPKP config is not showing up in the SSLLABS test.
The thing is, I don't get why...
The only difference from the other 1000 times I have done this before (on other Apache2 servers) is that I use https for the backend connection and not http (by the way, I use mod_proxy and the related modules).
Code:
<VirtualHost *:80>
    ServerName it.test.example.com
    # The plain-HTTP listener only redirects to HTTPS. The RewriteCond is
    # redundant inside a *:80 vhost (HTTPS is never "on" here) but harmless.
    # [R] alone sends a 302; use [R=301,L] if the redirect is meant to be permanent.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>

<VirtualHost *:443>
    ServerName it.test.example.com
    ServerAdmin logfiles@hlp.de
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    ErrorLog /var/log/apache2/it.test-error.log
    CustomLog /var/log/apache2/it.test-access.log combined

    # Everything except /.well-known, /wartung and /server-status is limited to
    # the IP ranges from the include OR a basic-auth user in sales_grp (there is
    # no <RequireAll>, so the Require lines combine as RequireAny; anyone outside
    # the ranges gets a 401 challenge).
    # The dot in .well-known is escaped; unescaped it matched any character.
    <Location ~ "^/(?!\.well-known|wartung|server-status)">
        Include /var/apache2/global-conf/allow-from-ip-range
        AuthType Basic
        AuthName "Closed user group"
        AuthUserFile /var/apache2/global-passwd/passwords
        AuthGroupFile /var/apache2/global-passwd/groups
        Require group sales_grp
    </Location>

    # the following config line includes the hpkp header and the certificate file directives!
    Include /var/apache2/global-conf/ssl-test-example-com
    SSLEngine On

    # TLS towards the backend, but the backend certificate is not verified:
    # acceptable only if the hop to abc.appsrv.example.com is on a trusted
    # network. Otherwise use "SSLProxyVerify require" together with
    # SSLProxyCACertificateFile and leave the peer-name checks on.
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    <Proxy *>
        Require all granted
    </Proxy>

    # Paths served locally rather than proxied to the backend.
    ProxyPass /.well-known !
    ProxyPass /wartung !
    ProxyPass /server-status !
    ErrorDocument 503 /wartung/503.html
    ProxyPass / https://abc.appsrv.example.com:8443/
    ProxyPassReverse / https://abc.appsrv.example.com:8443/
</VirtualHost>
I really can't figure out right now where the issue is and why the hpkp header is dropped within this vhost, because, as mentioned above, the other vhosts work fine, and at least the www.test.example.com vhost includes the same config file(s).
I really would appreciate input from the community. Thanks in advance.
Best regards,
René
Last edited by hlpinform on Thu 06 Jul '17 11:55; edited 1 time in total

hlpinform
Joined: 04 Jul 2017 Posts: 4
Posted: Tue 04 Jul '17 11:14 Post subject:
One little fun fact: SSLLABS also shows me that I'm missing the HSTS header.
But if I access the site with Chrome and open up the developer toolbar, I can clearly see my Strict-Transport-Security header as well as my Public-Key-Pins.
So I'm not quite sure who is right. Is my config ok and SSLLABS is "lying", or is there a major bug in my config?
I would suggest a config flaw, because Scott Helme's hpkp analyzer also says I'm missing the header information on my vhost.
https://report-uri.io/home/pkp_analyse :-/

covener
Joined: 23 Nov 2008 Posts: 59
Posted: Tue 04 Jul '17 18:17 Post subject:
There's no HPKP in that config. Maybe your HPKP is set in the Include'ed configuration file that you didn't post?

hlpinform
Joined: 04 Jul 2017 Posts: 4
Posted: Wed 05 Jul '17 7:54 Post subject:
You are right. I totally forgot to post both included files.
Sorry for that.
Here are both files:
Code:
# Included as /var/apache2/global-conf/ssl-test-example-com
# Header name without a trailing colon. The whole value is single-quoted so the
# pin values can keep their double quotes; env=HTTPS limits it to TLS requests.
# Note: without "always", Header set applies to 2xx responses only.
Header set Public-Key-Pins 'max-age=2592000; pin-sha256="<used_key>"; pin-sha256="<backup_key_1>"; pin-sha256="<backup_key_2>"; pin-sha256="<backup_key_3>"; report-uri="<report uri>"' env=HTTPS
SSLCertificateFile /<path>/<filename>.crt
SSLCertificateKeyFile /<path>/<filename>.key
# SSLCACertificateFile is documented as the CA store for client-certificate
# authentication; since httpd 2.4.8 the intermediate certificates can simply
# be appended to the SSLCertificateFile instead.
SSLCACertificateFile /<path>/<filename_ca_bundle>.crt

Code:
# Included as /var/apache2/global-conf/allow-from-ip-range
# Ext-IPv4 Range
Require ip <our_external_ipv4_network>
# Ext-IPv6 Range
Require ip <our_ipv6_network>
# Server
Require ip <one_internal_ipv4_network>

hlpinform
Joined: 04 Jul 2017 Posts: 4
Posted: Thu 06 Jul '17 11:55 Post subject:
Okay, got it. I never lost my header information...
As I said before, my Chrome was right, and the headers were sent by Apache to the client.
But due to the basic auth, the headers were never transferred to Qualys or Scott Helme's header check.
So I whitelisted the IP ranges of both sites, and now I got my A+ "back".
Best regards
René
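Editor's note on the root cause: the thread's fix was to allowlist the scanners' IP ranges, but the underlying reason the 401 challenge carried no HSTS or pins is that `Header set` defaults to the `onsuccess` condition, which applies the header to 2xx responses only. `Header always set` attaches it to every response, including 401/403/5xx and ErrorDocument pages, so an unauthenticated client (scanner or browser) still learns the policy. The vhost below is an added example, not configuration from the thread; the host name, certificate paths, password file and pin values are placeholders. Public-Key-Pins has since been deprecated and removed from major browsers, but the `always` point applies identically to Strict-Transport-Security.

```apache
# Added example (not from the original thread). Host name, paths and pins are
# placeholders; adjust to your own deployment.
<VirtualHost *:443>
    ServerName it.test.example.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/example/wildcard-test.crt   # assumed path
    SSLCertificateKeyFile /etc/ssl/example/wildcard-test.key   # assumed path

    # Weak form (what the thread's include does): the default condition is
    # "onsuccess", so these headers are only sent with 2xx responses. A client
    # that is outside the allowed IP ranges receives a 401 without them.
    #
    # Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # Header set Public-Key-Pins 'max-age=2592000; pin-sha256="<used_key>"; pin-sha256="<backup_key_1>"; report-uri="<report uri>"' env=HTTPS

    # Corrected form: "always" applies the header to every response, so the
    # 401 challenge, 403 denials and 5xx error pages advertise the policy too.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    Header always set Public-Key-Pins 'max-age=2592000; pin-sha256="<used_key>"; pin-sha256="<backup_key_1>"; report-uri="<report uri>"' env=HTTPS

    # Same closed-user-group setup as in the thread, reduced to basic auth.
    <Location "/">
        AuthType Basic
        AuthName "Closed user group"
        AuthUserFile /etc/apache2/closed-group.passwd   # assumed path
        Require valid-user
    </Location>
</VirtualHost>

# Verification, run from a host that is NOT in any allowlisted range, so the
# reply is the 401 challenge rather than a 200:
#   curl -sSI https://it.test.example.com/ | grep -i -E '^HTTP/|strict-transport-security|public-key-pins'
# With "Header set" only the HTTP/1.1 401 line appears; with "Header always set"
# both policy headers are printed alongside it.
```

Keep `env=HTTPS` on both forms: it prevents the policy headers from leaking onto any plain-HTTP response, where HSTS must be ignored by browsers anyway and where a pin header would be meaningless.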