HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
SUSE Manager allows enabling HSTS. To enable it on a SUSE Manager Server:
- Edit /etc/apache2/conf.d/zz-spacewalk-www.conf
- Uncomment the line
  # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
- Restart Apache with
  systemctl restart apache2
To enable it on SUSE Manager Proxies:
- Edit /etc/apache2/conf.d/spacewalk-proxy.conf
- Uncomment the line
  # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
- Restart Apache with
  systemctl restart apache2
IMPORTANT: Once HSTS is enabled, if the default SSL certificate generated by SUSE Manager or a self-signed certificate is in use, browsers will refuse to connect over HTTPS unless the CA that signed the certificate is trusted by the browser: HSTS removes the option to click through a certificate warning.
If you are using the SSL certificate generated by SUSE Manager, you can trust it by importing the file located at http://<SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT into the browsers of all users.
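The steps above, scripted and verified, as an added example that is not part of SUSE Manager's own tooling: the first function uncomments the HSTS directive in whichever config file (Server or Proxy) is passed to it, and the other two check that a server actually sends an acceptable policy, trusting the SUSE Manager CA certificate from the note above. The config path, hostname and CA file are arguments you supply; curl is assumed to be installed, and Apache still has to be restarted afterwards as in the last step.

```shell
#!/bin/sh
# Added example, not SUSE Manager code. Enables the HSTS directive in an
# Apache config file and verifies the header a running server returns.

# Uncomment the shipped HSTS line in the given config file. The argument
# is an assumption: zz-spacewalk-www.conf on a Server, spacewalk-proxy.conf
# on a Proxy. Returns 0 when an active directive is present afterwards.
enable_hsts() {
    conf="$1"
    # Strip the leading '#' from the HSTS line only; other comments stay.
    sed -i 's/^#[[:space:]]*\(Header always set Strict-Transport-Security\)/\1/' "$conf"
    grep -q '^Header always set Strict-Transport-Security' "$conf"
}

# Check a Strict-Transport-Security header value: max-age must be at least
# 63072000 (the value in the shipped directive) and includeSubDomains must
# be present. Returns 0 when the policy matches what the config sets.
hsts_policy_ok() {
    value="$1"
    max_age=$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] || return 1
    [ "$max_age" -ge 63072000 ] || return 1
    printf '%s' "$value" | grep -qi 'includeSubDomains'
}

# Fetch the header from a live server over HTTPS. --cacert points at the
# exported RHN-ORG-TRUSTED-SSL-CERT file, so a successful check also shows
# the certificate chain validates against the SUSE Manager CA.
check_server_hsts() {
    host="$1"
    ca="$2"
    value=$(curl -sI --cacert "$ca" "https://$host/" \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' | tr -d '\r')
    hsts_policy_ok "$value"
}
```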