From 0725f2ef2465645396382950438383ac01b6a97d Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Tue, 22 Jul 2025 15:00:58 +0200 Subject: [PATCH] disable HSTS https://github.com/SUSE/spacewalk/issues/27857 --- CHANGELOG.md | 1 + .../administration/pages/ssl-certs-hsts.adoc | 43 +++++++++++++------ 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7200e74873a..3dc27c083ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,4 @@ +- Documented how to disable HSTS in Administration Guide - Confidential Computing command updated in Administration Guide (bsc#1246638) - Fixed troubleshooting procedure about login timeout in Administration diff --git a/modules/administration/pages/ssl-certs-hsts.adoc b/modules/administration/pages/ssl-certs-hsts.adoc index 25059e1dd44..79683db99df 100644 --- a/modules/administration/pages/ssl-certs-hsts.adoc +++ b/modules/administration/pages/ssl-certs-hsts.adoc 
@@ -3,34 +3,51 @@ HTTP Strict Transport Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[HSTS]) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. -{productname} allows enabling HSTS, to enable it for a {productname} Server: +On {productname}, HSTS is enabled by default. +If needed, you can disable it on the server following this procedure: -.Procedure -. Create new configuration file: + +.Procedure: Disabling HSTS on the server +. On the server container host, as root, execute the following command to create a new configuration file with setting [literal]``max-age=0``: + + + +[source,shell] ---- -mgrctl exec -- echo 'Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"' >/etc/apache2/conf.d/zz-spacewalk-www-hsts.conf +mgrctl exec -- \ + echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains"' \ + > /etc/apache2/conf.d/zz-spacewalk-www-hsts.conf ---- -+ + . Restart Apache with: + + + +[source,shell] ---- mgrctl exec -- systemctl restart apache2 ---- -To enable it for {productname} Proxies: +To disable it on proxies: + +.Procedure: Disabling HSTS on the proxies +. On the server container host, as root, execute the following command to create a new configuration file with setting [literal]``max-age=0``: -.Procedure -. Create new configuration file, for example `/etc/uyuni/custom-httpd.conf`. -. Add line: + + +[source,shell] ---- - `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains`. +echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains' \ + > /etc/uyuni/custom-httpd.conf ---- -. Run command: + +. Run the command: + + + +[source,shell] ---- mgrpxy install podman --tuning-httpd /etc/uyuni/custom-httpd.conf config.tar.gz ---- 
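Review bot: the proxy configuration line is missing the closing double quote before the closing single quote, so the written file contains `Header always set Strict-Transport-Security "max-age=0; includeSubDomains` and Apache will reject the configuration with an unterminated-string error when `mgrpxy install podman --tuning-httpd ...` applies it; it should read `echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains"' \`. The removed line had the same defect, so this rewrite is the moment to fix it. Two more points on this hunk: in the server procedure the `> /etc/apache2/conf.d/zz-spacewalk-www-hsts.conf` redirection is parsed by the shell on the host, not by the `echo` that `mgrctl exec` runs inside the container, so the file ends up on the host (or the command fails when the host has no `/etc/apache2/conf.d`) and the Apache restarted in the container never loads it; run the whole command in a shell inside the container instead, for example `mgrctl exec -- sh -c 'echo "Header always set Strict-Transport-Security \"max-age=0; includeSubDomains\"" > /etc/apache2/conf.d/zz-spacewalk-www-hsts.conf'`. And the first step of "Disabling HSTS on the proxies" still says "On the server container host", copied from the server procedure; it should say on the proxy host, where `mgrpxy` is run. Finally, `max-age=0` does not stop the server from sending the header; it tells browsers to drop the policy they have cached, which is the correct way to undo the default `includeSubDomains` policy, but a sentence saying so would help readers who expect `Header unset` here.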
@@ -38,12 +55,12 @@ mgrpxy install podman --tuning-httpd /etc/uyuni/custom-httpd.conf config.tar.gz [WARNING] ==== When naming the new config file [literal]``.conf``, make sure it is loaded at the right time. -For example, to override something defined in [literal]``spacewalk-www.conf`` the new file needs to be alphabetically after this file. +For example, to override something defined in [literal]``spacewalk-www.conf`` the new file needs to be alphabetically after this file. For more information about how Apache loads files, see https://httpd.apache.org/docs. ==== -[IMPORTANT] +[IMPORTANT] ==== When HSTS is enabled while using the default SSL certificate generated by {productname} or a self-signed certificate, browsers will refuse to connect with HTTPS unless the CA used to sign such certificates is trusted by the browser. If you are using the SSL certificate generated by {productname}, you can trust it by importing the file located at `http:///pub/RHN-ORG-TRUSTED-SSL-CERT` to the browsers of all users.
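Review bot: the IMPORTANT block still opens with "When HSTS is enabled while using the default SSL certificate ...", which reads as if HSTS were opt-in, but the first hunk of this patch now states that HSTS is enabled by default; reword it (for example "Because HSTS is enabled by default, ...") so readers understand the untrusted-certificate lockout applies out of the box. Worth adding in the same block: a browser only records a new HSTS policy, including the `max-age=0` used by the new procedure, from a response received over an HTTPS connection without certificate errors, and for a host already in its HSTS cache it refuses such a connection without a click-through override, so sending `max-age=0` will not rescue users who are already locked out by an untrusted certificate; they must import the CA certificate (or clear the host's HSTS entry in the browser) first, and until they receive the new header they keep enforcing the cached policy. Two smaller points: the link added to the warning, https://httpd.apache.org/docs, is the documentation root and says nothing about load order; the relevant reference is the `Include` directive documentation (https://httpd.apache.org/docs/2.4/mod/core.html#include), which states that wildcard matches are processed in alphabetical order. And the context line `http:///pub/RHN-ORG-TRUSTED-SSL-CERT` has an empty host; the server hostname placeholder is missing, and although this patch does not touch that line, it sits next to the edited ones and should be fixed in the same change.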