Bug 1430035 - Support HTTP Strict Transport Security (HSTS) policy
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assigned To: Phil Cameron
QA Contact: zhaozhanqi
Docs Contact:
Depends On:
Blocks:
Reported: 2017-03-07 12:22 EST by Marc Nozell
Modified: 2018-02-09 03:47 EST (History)
CC: 15 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: See docs PR 5365
Reason:
Result:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-18 08:22:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: none

External Trackers:
Origin (Github) 16544 (last updated 2017-09-25 14:27 EDT)
Red Hat Product Errata RHBA-2017:3464, priority normal, status SHIPPED_LIVE: Red Hat OpenShift Container Platform 3.7 bug fix and enhancement update (last updated 2017-12-18 13:22:05 EST)

Comment 2 Phil Cameron 2017-09-26 09:36:09 EDT
origin PR 16544
openshift-docs PR 5365
Comment 3 openshift-github-bot 2017-09-28 13:37:31 EDT
Commits pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/9ebaefce365aaa449088cbe3758fe6c1d4a08b04
Router support for Strict-Transport-Security (hsts)

Strict-Transport-Security (hsts) policy (RFC 6797) is a way that the
host can tell clients to always use https requests to the host. It is
controlled by adding the haproxy.router.openshift.io/hsts_header annotation
to the route. When the Strict-Transport-Security response is received
by a client, it observes the policy until:
1) It is updated by another response from the host, or
2) the max-age decrements to 0

The max-age is only updated when the client receives a response
that contains the Strict-Transport-Security header. Otherwise
the client just decrements max-age to 0.  When hsts policy is
no longer desired for a host set max-age=0 in the annotation rather
than deleting the annotation. When a client makes another request
the response will cause the policy to be discarded.

In the route add the annotation:
metadata:
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains

Where max-age=<seconds> is required and
includeSubDomains and
preload
are optional.

When the annotation is present for a route https responses will
include the Strict-Transport-Security header with the annotation's
value. The annotation value must contain max-age=<seconds> and it
may contain either or both of: includeSubDomains and preload.

max-age sets the length of time the client should force requests
to the host to be https.  max-age=31536000 is one year.

includeSubDomains requests all subdomains of the host should
observe the max-age of the host.

preload tells the client to include this host in its host preload list.

Bug: 1430035
https://bugzilla.redhat.com/show_bug.cgi?id=1430035

Trello:
https://trello.com/c/H1FhCI1I/452-3-sccfsi-support-hsts-policy

https://github.com/openshift/origin/commit/621b7e3cf0d6bd7fe80615240def5b32de2bcdb9
Merge pull request #16544 from pecameron/bz1430035

Automatic merge from submit-queue (batch tested with PRs 14558, 16544).

Router support for Strict-Transport-Security (hsts)

Strict-Transport-Security (hsts) support (RFC 6797) is a way that the
host can tell clients to always use https requests to the host. It is
controlled by adding the haproxy.router.openshift.io/hsts_header annotation
to the route. When the Strict-Transport-Security response is received
by a client, it respects the request until:
1) It is updated by the response from the host to another request.
2) the max-age decrements to 0

The max-age is only updated when the client receives a response
that contains the Strict-Transport-Security header. Other than
that the client just decrements max-age to 0.  When hsts is no longer
desired for a host set max-age=0 in the annotation rather than
deleting the annotation.  There is no telling when a client will 
make a request to the host.

In the route add the annotation:
metadata:
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains

Where max-age=<seconds> is required and
includeSubDomains and
preload
are optional.

When the annotation is present for a route https responses will
include the Strict-Transport-Security header with the annotation's
value. The annotation value must contain max-age=<seconds> and it
may contain either or both of: includeSubDomains and preload.

max-age sets the length of time the client should force requests
to the host to be https.  max-age=31536000 is one year.

includeSubDomains requests all subdomains of the host should
observe the max-age of the host.

preload tells the client to include this host in its host preload list.

Bug: 1430035
https://bugzilla.redhat.com/show_bug.cgi?id=1430035

Trello:
https://trello.com/c/H1FhCI1I/452-3-sccfsi-support-hsts-policy
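The two commit messages above describe the client side of the policy: a client that once received Strict-Transport-Security keeps upgrading to https until the cached max-age runs out, and only a fresh header (in particular max-age=0) replaces that cached state, which is why removing the annotation is the wrong way to turn HSTS off. The following Go program is an added example, not code from the origin router or the openshift/origin project; it models a client HSTS cache in the sense of RFC 6797 section 8.1 to show that behaviour. The parser follows the annotation rules quoted in the commit message (max-age required, includeSubDomains and preload optional); the hostname myroute.apps.example.com is constructed, and "max-age decrements to 0" is modelled as an absolute expiry instant.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// STSPolicy is the parsed form of a Strict-Transport-Security value.
type STSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseSTS parses a value such as "max-age=31536000;includeSubDomains": max-age
// is required, includeSubDomains and preload are optional, and unknown
// directives are ignored as RFC 6797 section 6.1 requires. Hypothetical parser,
// not the router's own validation code.
func ParseSTS(value string) (STSPolicy, error) {
	var p STSPolicy
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		switch strings.ToLower(strings.TrimSpace(parts[0])) {
		case "max-age":
			if len(parts) != 2 || seenMaxAge {
				return STSPolicy{}, fmt.Errorf("malformed or repeated max-age in %q", value)
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(parts[1]), `"`), 10, 64)
			if err != nil || n < 0 {
				return STSPolicy{}, fmt.Errorf("max-age must be a non-negative integer, got %q", parts[1])
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return STSPolicy{}, fmt.Errorf("max-age is required in %q", value)
	}
	return p, nil
}

// hstsEntry is one cached host policy; expiry is stored as an absolute instant.
type hstsEntry struct {
	expires           time.Time
	includeSubDomains bool
}

// HSTSStore is a minimal client-side HSTS cache (RFC 6797 section 8.1).
type HSTSStore struct{ policies map[string]hstsEntry }

func NewHSTSStore() *HSTSStore { return &HSTSStore{policies: map[string]hstsEntry{}} }

// Observe records an STS header received over TLS from host at time now.
// max-age=0 deletes the cached policy; a missing header changes nothing.
func (s *HSTSStore) Observe(host, value string, now time.Time) error {
	p, err := ParseSTS(value)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if p.MaxAge == 0 {
		delete(s.policies, host)
		return nil
	}
	s.policies[host] = hstsEntry{
		expires:           now.Add(time.Duration(p.MaxAge) * time.Second),
		includeSubDomains: p.IncludeSubDomains,
	}
	return nil
}

// MustUpgrade reports whether a plain-http request to host at time now has to be
// rewritten to https: host has an unexpired entry, or a superdomain has one
// carrying includeSubDomains.
func (s *HSTSStore) MustUpgrade(host string, now time.Time) bool {
	host = strings.ToLower(host)
	if e, ok := s.policies[host]; ok {
		if now.Before(e.expires) {
			return true
		}
		delete(s.policies, host) // expired: max-age reached 0
	}
	labels := strings.Split(host, ".")
	for i := 1; i < len(labels); i++ {
		if e, ok := s.policies[strings.Join(labels[i:], ".")]; ok && e.includeSubDomains && now.Before(e.expires) {
			return true
		}
	}
	return false
}

func main() {
	s, t0 := NewHSTSStore(), time.Date(2017, 11, 13, 0, 0, 0, 0, time.UTC) // constructed host and time
	_ = s.Observe("myroute.apps.example.com", "max-age=31536000;includeSubDomains", t0)
	fmt.Println(s.MustUpgrade("api.myroute.apps.example.com", t0))                   // true: includeSubDomains
	fmt.Println(s.MustUpgrade("myroute.apps.example.com", t0.Add(364*24*time.Hour))) // true: annotation removed, header absent, policy still cached
	_ = s.Observe("myroute.apps.example.com", "max-age=0", t0)
	fmt.Println(s.MustUpgrade("myroute.apps.example.com", t0)) // false: max-age=0 cleared it
}
```

The third print shows the operational point of the commit message: after the annotation is deleted the router sends no header, so nothing ever calls Observe again and the client keeps forcing https for the rest of the year; a response carrying max-age=0 clears the entry on the very next visit.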
Comment 9 Phil Cameron 2017-11-10 09:17:47 EST
This is in 3.7, why is it still in MODIFIED state?
Comment 12 zhaozhanqi 2017-11-13 22:06:35 EST
Verified this issue on v3.7.7

We can set the HSTS policy via the CLI; steps:

1. Create pod/svc
2. Create edge/reencrypt route
3. Set HSTS for the route, e.g.:
   oc annotate route myroute haproxy.router.openshift.io/hsts_header='max-age=100;includeSubDomains;preload'
4. Check the route response header:
  curl --head https://$route -k

  The result should contain 'strict-transport-security=max-age=100;includeSubDomains;preload'.

Since this issue still needs a fix in the web console, another bug, 1512759, was filed to track it.
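Step 4 of the verification above is a manual eyeball of curl output. The Go program below is an added example, not part of the bug report or of the OpenShift router, that automates that check: it parses a raw HTTP/1.x HEAD response as `curl --head` prints it and confirms that exactly one Strict-Transport-Security header is present and carries the same directives as the annotation, comparing directive names case-insensitively as RFC 6797 allows. It also flags a response with two STS headers, because clients process only the first one, so a backend that emits its own header could mask the annotation; how the router merges such headers is not described on this page. The sample response is constructed, not captured from a cluster; note that curl negotiating HTTP/2 prints an "HTTP/2 200" status line that net/http's HTTP/1.x parser rejects, so pass `--http1.1` when feeding real output to this check.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// SampleHead is a constructed example of what `curl --head https://$route -k`
// prints for an edge route annotated with max-age=100;includeSubDomains;preload.
// It is illustrative only, not captured from a real cluster.
const SampleHead = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Strict-Transport-Security: max-age=100;includeSubDomains;preload\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// Directives splits an STS value into a sorted, normalized directive list so
// that "max-age=100; IncludeSubDomains" and "max-age=100;includesubdomains"
// compare equal: directive names are case-insensitive in RFC 6797.
func Directives(value string) []string {
	var out []string
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		if len(parts) == 2 {
			name += "=" + strings.TrimSpace(parts[1])
		}
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// CheckHSTS parses a raw HTTP/1.x HEAD response and checks that exactly one
// Strict-Transport-Security header is present and that its directives match
// the route annotation. Returns nil when the response is as expected.
func CheckHSTS(rawResponse, annotation string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(rawResponse)), nil)
	if err != nil {
		return fmt.Errorf("parse response: %w", err)
	}
	defer resp.Body.Close()
	got := resp.Header.Values("Strict-Transport-Security")
	switch {
	case len(got) == 0:
		return fmt.Errorf("no Strict-Transport-Security header in response")
	case len(got) > 1:
		// Clients honour only the first STS header, so a second one is a finding.
		return fmt.Errorf("%d Strict-Transport-Security headers: %q", len(got), got)
	}
	want, have := Directives(annotation), Directives(got[0])
	if strings.Join(want, ";") != strings.Join(have, ";") {
		return fmt.Errorf("header %q does not match annotation %q", got[0], annotation)
	}
	return nil
}

func main() {
	fmt.Println(CheckHSTS(SampleHead, "max-age=100;includeSubDomains;preload")) // <nil>
	fmt.Println(CheckHSTS(SampleHead, "max-age=31536000;includeSubDomains"))   // mismatch error
}
```

To use it against a live route, save `curl --http1.1 --head -k https://$route` to a file, read it into rawResponse, and pass the annotation value you set with `oc annotate`; a non-nil error is the verification failure.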
Comment 15 errata-xmlrpc 2017-12-18 08:22:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3464
