@badsyntax We are correctly configuring HSTS in the nginx configs as the user specifies them in the configs. However, as you indicated, in the commit gitlab seems to be doing its own thing which I was not aware of. The HSTS config was contributed by another user and I am sure he had no idea that this was happening.
However, it seems the way to fix it is to request gitlab upstream to drop their HSTS configs and allow the user to specify it in the nginx configs because it messes with installations where relative_url is used to host multiple applications on a domain.
@sameersbn Thanks for the prompt response. Yea, it's a disappointment to find this in gitlab source. If I have time I'll try to send a PR upstream. There's probably a good reason why they're setting some response headers like that.
Personally, after finding this problem, I have taken a different route, and have resolved my problems doing SSL Termination at haproxy rather than SSL Pass-Through to let nginx handle the SSL. Unfortunately I wasn't able to test whether HSTS was the culprit :(
Hey there.
Related to #138
It seems the "Strict-Transport-Security" header will exist in the response, no matter what the HSTS* options are.
In both scenarios below, assume that
GITLAB_HTTPS="true"
and GITLAB_HTTPS_ONLY="false"
Scenario 1:
Outcome:
You get two "Strict-Transport-Security" entries in the response headers:
Scenario 2:
Outcome:
You get one "Strict-Transport-Security" entry with a max age of 31536000
I believe the reason for this here: gitlabhq/gitlabhq@94c96cd
The way I read it, there is no way to prevent HSTS headers being sent in the response, without sticking a proxy in the middle and removing those headers. Am I missing something?
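An added check, not code from the issue or from the gitlab/nginx projects: it pulls every Strict-Transport-Security header out of a raw HTTP response and flags the duplicate and conflicting entries described in the two scenarios above. The sample response, including its nginx-side max-age of 15768000, is constructed; only the 31536000 value comes from the issue.

```python
# Added check, not code from the issue or from the gitlab/nginx projects.
# It scans a raw HTTP response for Strict-Transport-Security headers and
# reports the duplicate or conflicting entries the issue describes.
from typing import Dict, List, Optional

HSTS = "strict-transport-security"


def parse_hsts(value: str) -> Dict[str, Optional[int]]:
    """Split one HSTS header value into its directives (RFC 6797 syntax).
    max-age maps to an int (None if malformed); flag directives map to 1."""
    directives: Dict[str, Optional[int]] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        val = val.strip().strip('"')
        directives[name] = (int(val) if val.isdigit() else None) if name == "max-age" else 1
    return directives


def check_hsts(raw_response: str) -> Dict[str, object]:
    """Collect every HSTS header in the response head and flag problems.
    Browsers process only the first one (RFC 6797 section 8.1); any later
    header, such as the second one in Scenario 1, is silently ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values: List[str] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == HSTS:
            values.append(val.strip())
    problems: List[str] = []
    if len(values) > 1:
        problems.append(f"{len(values)} Strict-Transport-Security headers; only the first is applied")
    ages = {parse_hsts(v).get("max-age") for v in values}
    if len(ages) > 1:
        problems.append("max-age differs between the headers: " + ", ".join(sorted(str(a) for a in ages)))
    effective = parse_hsts(values[0]) if values else {}
    return {"values": values, "effective": effective, "problems": problems}


# Constructed response resembling Scenario 1: one header added by nginx
# (sample max-age 15768000) and one added by the gitlab app (31536000).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for problem in check_hsts(SAMPLE)["problems"]:
        print("WARN:", problem)
```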