[h1]How to apply for the HTTPS HSTS Preload List so browsers always reach my site over HTTPS[/h1]
In short, HSTS preload works like this:
When you type example.com into the browser, the browser always connects over port 443 (TLS, HTTPS), with no exceptions; even if you type a URL with an "http" prefix, the browser still forces https. This holds until the HSTS max-age expires.
If you are reading this page, I assume your site already has https (TLS 1.1/1.2+) enabled and that you have a basic understanding of HTTP Strict Transport Security (HSTS),
so I will skip the other explanations and get straight to the point.
[hr]
[h2]Q1: How do I apply for the HSTS Preload List?[/h2]
Ans1:
Use this site (run by Google)
=>
https://hstspreload.org/
(1.1) Prerequisite: plain HTTP on port 80 is configured to 301-redirect to HTTPS
(1.2) Every subdomain, including nested subdomains, must also support HTTPS
(1.3) The HTTPS (443) responses send the Strict-Transport-Security header
If your site passes the hstspreload.org checks, a page with a submit form appears;
tick the box and confirm, and you're done!
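To see exactly what hstspreload.org is checking in (1.1) and (1.3), here is an added example (my own code, not from the original post or from hstspreload.org) that validates a Strict-Transport-Security value against the preload requirements (max-age of at least one year, includeSubDomains, preload) and checks a port-80 response for the same-host 301 to https. It works on constructed header strings and response dicts, so it runs offline; the function names and the response dict layout are my own.

```python
# Added example: preload-eligibility checks for an HSTS header and a port-80 redirect.
# Not part of the original post; function names and the response format are assumptions.
import re
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; hstspreload.org requires max-age of at least one year


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value-or-None}.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    a directive given twice makes the header invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header_value):
    """Reasons the header is NOT eligible for preload submission ([] means OK)."""
    try:
        d = parse_hsts(header_value)
    except ValueError as e:
        return [str(e)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the required {ONE_YEAR} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_problems(host, http_response):
    """Check the port-80 answer for (1.1): a 301 whose Location is the https
    origin of the same host. http_response is a constructed dict:
    {'status': int, 'headers': {name: value}}."""
    problems = []
    headers = {k.lower(): v for k, v in http_response["headers"].items()}
    if http_response["status"] != 301:
        problems.append(f"expected 301 from http://{host}/, got {http_response['status']}")
    location = headers.get("location", "")
    target = urlparse(location)
    if target.scheme != "https" or target.hostname != host:
        problems.append(f"Location should be https://{host}/..., got {location!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the production header from (4.2) and a staging value.
    for value in ("max-age=31536000; includeSubdomains; preload", "max-age=1; includeSubDomains"):
        print(value, "->", preload_problems(value) or "preload-eligible")
    print(redirect_problems("example.com", {"status": 301, "headers": {"Location": "https://example.com/"}}))
```

Run it against the header value you configured and the status/Location you observe on port 80; an empty list from both functions is what the submission form expects.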
[hr]
[h2]Q2: If something breaks during development, how do I clear the browser's HSTS cache?[/h2]
Ans2:
See this site
http://classically.me/blogs/how-clear-hsts-settings-major-browsers
Of course you can only clear your own browser's cache, so be careful!
[hr]
[h2]Q3: Is there a list of HSTS preloaded domains?[/h2]
Ans3: Yes. As of 2017/02/06 it holds roughly twenty thousand entries (forced-https)
https://www.chromium.org/hsts
https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
[h2]Q4: Common mistakes? Other https/HSTS tips?[/h2]
Ans4:
Because all subdomains must be included, watch out for the following
(4.1) Watch your DNS CNAMEs. If, say, you point Google G Suite at something like docs.example.com --> ghs.google.com,
you may need to change the CNAME to a DNS A or AAAA record,
then have a server-side script (your js/php/python/asp/cgi script)
or rewrite rules issue a dynamic 301 redirect to ghs.google.com
(4.2) The complete HSTS preload header for Apache 2 httpd; the last directive takes no trailing semicolon
Code:
$ a2enmod headers
$ vim <your SSL site config path>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
</IfModule>
$ service apache2 restart
(4.3) Some SSL/TLS certificates are sold in very fine-grained variants (www only vs. all subdomains),
so if you have subdomains other than WWW,
besides (4.1), also check what kind of SSL/TLS certificate you actually bought.
(4.4) Start with a small max-age (e.g. 1); once every subdomain has been fully tested,
raise max-age to 180 days or more!
31536000 / 86400 = 365 days
15552000 / 86400 = 180 days
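Why (4.4) recommends a tiny max-age during testing, and why Q2 says you can only clear your own browser, becomes obvious with a model of the browser-side HSTS cache. The following is an added example of mine (not from the original post): a toy version of the RFC 6797 host store that records max-age and includeSubDomains per host, expires entries, forgets a host on max-age=0, and upgrades http URLs for known hosts. The class and method names are my own. Note that this models only the dynamic cache; the preload list from Q3 is compiled into the browser and is not affected by any header you send.

```python
# Added example: toy model of a browser's HSTS host cache (RFC 6797 sections 8.1-8.3).
# Not part of the original post; HstsStore and its methods are my own names.
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Entries are keyed by host and hold (expiry time, includeSubDomains flag).
    Times are plain numbers (seconds) so the expiry logic can be exercised offline."""

    def __init__(self):
        self._hosts = {}

    def process_header(self, host, header_value, now):
        """Apply a Strict-Transport-Security header received over HTTPS from host."""
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # no usable max-age: the header is ignored
        max_age = int(directives["max-age"])
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self._hosts[host] = (now + max_age, "includesubdomains" in directives)

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, is cached and unexpired."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                del self._hosts[candidate]  # expired: the browser forgets it
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """The URL the browser actually fetches: http is upgraded to https for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    # Constructed scenario: staging with max-age=1, then the production value from (4.2).
    store = HstsStore()
    store.process_header("example.com", "max-age=1; includeSubdomains", now=0)
    print(store.rewrite("http://docs.example.com/", now=0))   # upgraded while the entry lives
    print(store.rewrite("http://docs.example.com/", now=5))   # back to http once expired
    store.process_header("example.com", "max-age=31536000; includeSubdomains; preload", now=10)
    print(store.rewrite("http://example.com/", now=10 + 15552000))  # still forced for a year
```

With max-age=1 a misconfigured subdomain locks visitors out for one second; with 31536000 it locks them out for a year unless they clear the cache as in Q2, which is why the rollout order in (4.4) matters.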
[hr]
Code:
$ whois hstspreload.org
Domain Name: HSTSPRELOAD.ORG
Domain ID: D188554067-LROR
WHOIS Server:
Referral URL: http://www.markmonitor.com
Updated Date: 2016-11-15T23:49:33Z
Creation Date: 2016-05-13T22:22:58Z
Registry Expiry Date: 2017-05-13T22:22:58Z
Sponsoring Registrar: MarkMonitor Inc.
Sponsoring Registrar IANA ID: 292
Domain Status: clientDeleteProhibited https://icann.org/epp
Domain Status: clientTransferProhibited https://icann.org/epp
Domain Status: clientUpdateProhibited https://icann.org/epp
Registrant ID: mmr-87489
Registrant Name: DNS Admin
Registrant Organization: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6502530000
Registrant Phone Ext:
Registrant Fax: +1.6502530001
Registrant Fax Ext:
Registrant Email: dns-admin@google.com
Admin ID: mmr-87489
Admin Name: DNS Admin
Admin Organization: Google Inc.
Admin Street: 1600 Amphitheatre Parkway
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6502530000
Admin Phone Ext:
Admin Fax: +1.6502530001
Admin Fax Ext:
Admin Email: dns-admin@google.com
Tech ID: mmr-87489
Tech Name: DNS Admin
Tech Organization: Google Inc.
Tech Street: 1600 Amphitheatre Parkway
Tech City: Mountain View
Tech State/Province: CA
Tech Postal Code: 94043
Tech Country: US
Tech Phone: +1.6502530000
Tech Phone Ext:
Tech Fax: +1.6502530001
Tech Fax Ext:
Tech Email: dns-admin@google.com
Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2017-02-05T19:28:14Z <<<
(2017-02-06 18:52)