Let’s Encrypt problem after upgrading to 1.9.0.beta3


#1

After upgrading to 1.9.0.beta3, the SSL (Let’s Encrypt) rating has changed from A+ to A; the problem is HSTS.

Thanks very much


(Matt Palmer) #2

What is the problem with HSTS?


#3

Using the ssllabs.com query, the sentence “HTTP Strict Transport Security (HSTS) with long duration deployed on this server” disappears. Thank you.


(Matt Palmer) #4

The default HSTS configuration is compliant with the SSL Labs recommendations. What site are you testing, and what changes have you made to the default discourse_docker templates?


#5

I have nothing to change, completely default. My website is https://www.xxxx.com/


(Matt Palmer) #6

Your site is not sending an HSTS header at all. You’re also sending a header that was reverted from the default template nine days ago. Whatever you’re doing over there, it isn’t what we recommend.


(Jeff Atwood) #7

Working fine on my self-hosted, by-the-book install of Discourse.


#8


(Jeff Atwood) #9

Hmm, plausible, as I did a command line rebuild yesterday. cc @falco


(Matt Palmer) #11

Can confirm discourse.codinghorror.com is no longer sending an HSTS header at all:

$ wget -O /dev/null -S https://discourse.codinghorror.com -q
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 13 Jul 2017 22:04:15 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-Discourse-Route: list/latest
  Cache-Control: no-store, must-revalidate, no-cache, private
  X-Discourse-Cached: true
  X-Request-Id: f40d4ea9-375a-4a9e-b6e1-c7500ffa194f
  X-Runtime: 0.002585
  X-Discourse-TrackView: 1
  Referrer-Policy: no-referrer-when-downgrade

(Rafael dos Santos Silva) #12

Yeah, I made a mistake when I added the Referrer-Policy header.

nginx add_header’s lack of support for inheritance got me there.

Will fix soon.
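
The regression above is the classic nginx add_header pitfall: add_header directives are inherited from the enclosing block only if the current block defines none of its own, so adding a single add_header (here Referrer-Policy) in a nested block silently drops every inherited header, Strict-Transport-Security included. The following checker is an added example, not code from the thread or from Discourse. It parses a `wget -S`-style header dump like the one quoted in #11 and reports whether a usable HSTS policy is present. The two sample responses are constructed for this example (the first mirrors the header set quoted in the thread, the second adds an assumed `max-age=31536000` HSTS header), and the 180-day threshold is the SSL Labs requirement for an A+ grade.

```python
"""Check a captured HTTP header dump for a usable HSTS policy.

Added example, not part of the Discourse meta thread. Paste the output of
`wget -O /dev/null -S https://example.invalid -q` into a string and call
check_hsts() on it.
"""
import re

# SSL Labs requires HSTS with max-age of at least 180 days for an A+ grade.
MIN_MAX_AGE = 180 * 24 * 3600  # 15552000 seconds

# Constructed sample: the header set quoted in #11, without any HSTS header.
REGRESSED = """\
  HTTP/1.1 200 OK
  Server: nginx
  Content-Type: text/html; charset=utf-8
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer-when-downgrade
"""

# Constructed sample: the same response once the HSTS header is restored.
# The one-year max-age is an assumed value for this example.
FIXED = REGRESSED + "  Strict-Transport-Security: max-age=31536000\n"


def parse_headers(dump: str) -> dict:
    """Parse `wget -S` output into a dict keyed by lower-cased header name.

    The status line is skipped. RFC 6797 section 8.1 says a user agent
    processes only the first Strict-Transport-Security field it receives,
    so the first occurrence of every header name is the one kept.
    """
    headers = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_hsts(dump: str) -> dict:
    """Return a verdict: header present, max-age, includeSubDomains, ok."""
    headers = parse_headers(dump)
    sts = headers.get("strict-transport-security")
    result = {"present": sts is not None, "max_age": None,
              "include_subdomains": False, "ok": False}
    if sts is None:
        return result
    # Directives are ';'-separated and case-insensitive; max-age may be quoted.
    for directive in (d.strip().lower() for d in sts.split(";") if d.strip()):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m and result["max_age"] is None:
            result["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
    result["ok"] = (result["max_age"] is not None
                    and result["max_age"] >= MIN_MAX_AGE)
    return result


if __name__ == "__main__":
    for label, dump in (("regressed", REGRESSED), ("fixed", FIXED)):
        print(label, check_hsts(dump))
```

Running the checker against a freshly rebuilt site after any change to the nginx templates is the cheap way to catch this class of regression before SSL Labs does: the header either survives the rebuild or it does not.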


(Matt Palmer) #13

Awwwwwwww yeah… we’ve all been to that circle of hell.


(Rafael dos Santos Silva) #14

Rebuild a site to test this in action:


(Jeff Atwood) #15

It works!

Thanks for the report @saluzi, this was a definite regression.


(Jeff Atwood) #16