本文介绍了在AWS ELB应用程序负载平衡器中启用HSTS的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们希望对我们的IIS部署的Web应用程序启用HSTS.

We like to enable HSTS to our IIS deployed web application.

我们有SSL终止ELB应用程序负载平衡器.我们已经在IIS中启用了URL重写模块,并配置了x-Forward-Proto标记来决定并启用响应中的HSTS标头.

We have SSL terminating ELB Application load balancer. We have enabled the URL rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable HSTS header in the response.

当前,ALB似乎没有将自定义标头从IIS传递到ALB,再传递给最终用户.我们想看看是否有一种方法可以在允许接受自定义标头的ALB级别启用HSTS,还是可以在IIS级别设置HSTS并使ALB可以通过HSTS标头传递到浏览器?

Presently, ALB does not appear to pass custom headers from IIS to the ALB, to the end-user. We wanted to see if there is a way to enable HSTS either at ALB level where it can accept custom headers or if it can be set at IIS level and ALB can pass through the HSTS headers to the browser?

推荐答案

HSTS是由后端而非负载均衡器控制的策略.有人可能会说AWS可以做到这一点,但是还有其他一些问题使事情变得更加复杂(违反规范,HTTP的永久重定向等)

HSTS is a policy that is controlled by the backend and not by the load balancer. One could argue that AWS could enable this, but there are other issues that make this more complicated (violation of specs, permanent redirects for HTTP, etc.)

HSTS的问题在于您不能(不应)通过HTTP发送严格传输安全性.规范说只能通过安全连接发送标头. HTTP不安全.由于负载平衡器正在通过HTTP与后端通信,因此IIS不会发送标头.您需要在后端使用HTTPS来启用HSTS.

The issue with HSTS is that you cannot (should not) send Strict-Transport-Security over HTTP. The specs say to only send the header over a secure connection. HTTP is not secure. Since the load balancer is talking to the backend over HTTP, IIS is NOT sending the header. You need to use HTTPS on the backend to enable HSTS.

RFC6797

如果您的目标是向客户端发送严格的传输安全性",请在负载均衡器上使用第4层侦听器,并在后端处理HTTPS.如果请求通过HTTP到达,则发送永久重定向(301).好处包括绝对控制,改进的HTTP/2等.

If your goal is to send "Strict-Transport-Security" to the client, use Layer 4 listeners on your load balancer and handle HTTPS at your backend. If a request arrives on HTTP, send a permanent redirect (301). Benefits include absolute control, improved HTTP/2, etc.

另一个选择是更改您的侦听器,以使用HTTPS与后端通信.在后端设置HTTPS和SSL.

Another option is to change your listener to use HTTPS to talk to the backend. Setup HTTPS and SSL on the backend.

这篇关于在AWS ELB应用程序负载平衡器中启用HSTS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-01 22:20