Enabling HSTS

[rschneider]

To my surprise, I can't find anything on the forums here on how to enable HSTS for the web interface. The server in question is running 6.4, although we do have some running 7.2 that we will also need to enable this on.

Thanks!

 

[shrdlicka]

Hi,
I don't think there is a built-in way for that. You can create an enhancement request for PVE [1]. The alternative would be some proxy server that sets that for you. See the guide in the wiki [2].


[1] https://bugzilla.proxmox.com/enter_bug.cgi?product=pve
[2] https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy
[3] https://forum.proxmox.com/threads/nginx-reverse-proxy-with-novnc-support.52165/

 

[Stoiko Ivanov]

unless I'm mistaken HSTS indicates that a certain url should only be accessed via tls-encrypted https (and not plain http).
however the pveproxy is always only listening on a tls connection - so there is no way for it to serve the content via http.
Additionally since pveproxy listens to a non-standard high-port the visibility problem (http vs https being the only distinction between plain and encrypted) is not such an issue.

So I'm not sure how this would make sense for pveproxy (the story with an nginx or other reverse proxy is a different one - but there you can configure this quite easily as @shrdlicka pointed out).

see also:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

 

[Stoiko Ivanov]

Ok - a colleague of mine (quite rightly) pointed out that there is one vector where this might be beneficial: in case someone on the path between your browser and pveproxy does intercept the traffic, speaks https with the backend and plain http with you on the same port.
However since you need to actively type https://your.pve.url:8006 into your browser and since that attacker could equally well present you a https frontend and still intercept your traffic - I still consider this only a marginal improvment..