
HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking: a browser that has seen the Strict-Transport-Security header only connects to the site over HTTPS for the advertised max-age.

On SUSE Multi-Linux Manager, HSTS is enabled by default. If you need to disable it on the server, follow this procedure:

Procedure: Disabling HSTS on the server
  1. On the server container host, as root, execute the following command to create a new configuration file with setting max-age=0 (the command is wrapped in sh -c so that the output redirection runs inside the container rather than on the host):

    mgrctl exec -- sh -c \
      'echo "Header always set Strict-Transport-Security \"max-age=0; includeSubDomains\"" > /etc/apache2/conf.d/zz-spacewalk-www-hsts.conf'
  2. Restart Apache with:

    mgrctl exec -- systemctl restart apache2

If you need to disable it on the proxy, follow this procedure:

Procedure: Disabling HSTS on the proxy
  1. On the proxy container host, as root, execute the following command to create a new configuration file with setting max-age=0:

    echo 'Header always set Strict-Transport-Security "max-age=0; includeSubDomains"' \
      > /etc/uyuni/custom-httpd.conf
  2. Run the command:

    mgrpxy install podman --tuning-httpd /etc/uyuni/custom-httpd.conf config.tar.gz

When naming the new config file <filename>.conf, make sure it is loaded at the right time. Apache reads the files in conf.d in alphabetical order, and a later Header directive overrides an earlier one, so to override something defined in spacewalk-www.conf the new file needs to sort alphabetically after this file (hence the zz- prefix used above). For more information about how Apache loads files, see https://httpd.apache.org/docs.
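After applying either procedure, you will want to confirm what the server now advertises. The script below is an added example, not part of the SUSE Multi-Linux Manager documentation or code: it takes raw response headers (as printed by `curl -sI https://<SERVER-HOSTNAME>/`), parses the Strict-Transport-Security header according to RFC 6797, and reports whether the policy is enforced, cleared (max-age=0, which is what the procedures above configure), absent, or invalid. The sample responses are constructed for the example. The distinction between "cleared" and "absent" is the practical point: a browser that has cached an HSTS policy keeps it until the previously advertised max-age expires, and only max-age=0 tells it to drop the policy immediately, which is why the procedures set max-age=0 instead of simply removing the header.

```python
"""Classify the HSTS state a server advertises, from raw HTTP response headers.

Added example (not SUSE Multi-Linux Manager code). Parsing follows RFC 6797:
directive names are case-insensitive, max-age is mandatory, a directive may
appear at most once, and only the first STS header field is processed.
"""
import re
from typing import Optional

# Constructed sample responses, in the form `curl -sI https://<host>/` prints.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
DISABLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=0; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
NO_HEADER_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


def sts_header(raw_response: str) -> Optional[str]:
    """Return the value of the first Strict-Transport-Security header, or None."""
    for line in raw_response.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                                  # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value: str) -> Optional[dict]:
    """Parse STS directives; return None when the header must be ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                           # duplicate directive: invalid
            return None
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):      # max-age needs a decimal value
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:                  # max-age is mandatory
        return None
    return policy


def hsts_state(raw_response: str) -> str:
    """'enforced', 'cleared' (max-age=0), 'absent' or 'invalid'."""
    value = sts_header(raw_response)
    if value is None:
        return "absent"        # browsers keep any cached policy until it expires
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"       # browsers ignore the header; cached policy stays
    if policy["max_age"] == 0:
        return "cleared"       # browsers drop the cached policy immediately
    return "enforced"


if __name__ == "__main__":
    for label, response in [("default", DEFAULT_RESPONSE),
                            ("max-age=0", DISABLED_RESPONSE),
                            ("no header", NO_HEADER_RESPONSE)]:
        print(f"{label:10} -> {hsts_state(response)}")
```

To check a live server, feed the output of `curl -sI https://<SERVER-HOSTNAME>/` to `hsts_state`; a result of "absent" after the procedure usually means the new file was not loaded after spacewalk-www.conf, or Apache was not restarted.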

When HSTS is enabled while using the default SSL certificate generated by SUSE Multi-Linux Manager or a self-signed certificate, browsers will refuse to connect with HTTPS unless the CA used to sign such certificates is trusted by the browser, because HSTS does not allow the user to click through a certificate error. If you are using the SSL certificate generated by SUSE Multi-Linux Manager, you can trust it by importing the file located at http://<SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT into the browsers of all users.