regarding-hsts-in-netscaler

References:

Strict Transport Security (STS or HSTS) with Citrix NetScaler and Access Gateway Enterprise

https://www.citrix.com/blogs/2010/09/10/strict-transport-security-sts-or-hsts-with-citrix-netscaler-and-access-gateway-enterprise/

How Do I Configure HTTP Strict Transport Security (HSTS) on NetScaler

https://support.citrix.com/article/CTX205221

How to Enable HTTP Strict Transport Security (HSTS) on NetScaler 12

https://support.citrix.com/article/CTX224172

Check HSTS preload status and eligibility: https://hstspreload.org/

SSL Server Test: https://www.ssllabs.com/ssltest/index.html

https://discussions.citrix.com/topic/398147-regarding-hsts-in-netscaler/

Posted September 3, 2018

1) What is the use of HSTS?

Short version: HSTS ensures client browsers will only use HTTPS to connect to your web site(s). The lack of HTTP will make it more difficult for Man-in-the-Middle and/or fake sites to get access to your users' credentials or other sensitive info.

Long version: See https://www.troyhunt.com/understanding-http-strict-transport/

2) In NetScaler version 11.0 there is no inbuilt profile, so how can we create it?

You need a Responder policy and a Rewrite policy. The Responder Action and Policy will redirect from HTTP->HTTPS for your web site and at the same time it will specify the HSTS header in this Redirect. Below is a general HTTPS redirect, so you can bind the policy below to your HTTP Load Balancing or Content Switch vServers, and the HSTS flag will tell the client's browser to always skip HTTP for this particular URL for the next 31536000 seconds (1 year).

The Rewrite policy should be bound to your HTTPS LB/CS vServers (since if a user browses to your website using HTTPS immediately then he will not get the Redirect response above and hence not the HSTS flag).

add responder action REA-HTML-HTTPS_REDIRECT respondwith q{"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HEADER("Host").HTTP_HEADER_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE + "\r\n" + "Strict-Transport-Security: max-age=31536000\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"}
add responder policy REP-HTTPS_REDIRECT "CLIENT.SSL.IS_SSL.NOT" REA-HTML-HTTPS_REDIRECT
add rewrite action RWA-RES-INSERT_HSTS insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy RWP-RES-INSERT_HSTS "CLIENT.SSL.IS_SSL" RWA-RES-INSERT_HSTS

3) Suppose we want to use HSTS in NetScaler; does anything have to be done on the backend servers as well, or only on NetScaler?

You only need to do it on NetScaler, assuming that all your clients connect to your web systems through NetScaler (and not directly to the backend if they are internal users, for example).

4) For which vServer, HTTPS or HTTP, is HSTS applied?

If you have HTTP LB vServers (instead of SSL/HTTPS), and there is no HTTPS CS vServer in front of it, then HSTS will serve no purpose for this particular LB vServer since HTTPS isn't being used. If you do have SSL/HTTPS LB or CS vServers, then bind the responder policy above to your HTTP port 80 LB/CS vServers since they will be the ones performing the Redirect.

5) From which Chrome version is HSTS supported?

Not sure, but it's been supported for at least 2 years, so quite a few versions back.

Some things to note:

* Google has a Preload list for HSTS, but this is optional and not necessary to add your web site(s) to. The Preload list has its own specific requirements on the HSTS implementation.

* Start out with a low value in the HSTS header, do not use 1 year initially (use 30 minutes or something) since if you screw up somehow, the HSTS value will be stored in clients' web browsers and you cannot clear/change this value from server-side.

* When enabling HSTS it forces all connections for that particular URL to use HTTPS. Ensure your web system is 100% HTTPS supported before enabling HSTS (check source code and javascripts that they do not point to http:// addresses of your web site).

* If your company has both URLs www.mycompany.com and mycompany.com, and you perform a redirect from mycompany.com to www.mycompany.com, then you will need multiple Responder Policies with the HSTS header instead of just one. For example, you shouldn't do an immediate redirect from http://mycompany.com -> https://www.mycompany.com, but rather split it up into an initial http->https redirect for mycompany.com and then a secondary redirect from https://mycompany.com to https://www.mycompany.com. This ensures the HSTS flag is correctly set for the mycompany.com URL.
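Added example, not part of the thread: a small Python check of the redirect chain the last note describes. Both chains are constructed, mycompany.com is the hypothetical host from the note, and the check applies the rule that browsers only honour Strict-Transport-Security received over HTTPS, so the http->https hop must keep the host unchanged for that host to be pinned.

```python
from urllib.parse import urlsplit

# Constructed redirect chains for the hypothetical host mycompany.com, as a
# browser would see them: (request_url, status, response_headers).
GOOD_CHAIN = [  # http -> https on the same host first, then the host change
    ("http://mycompany.com/", 301,
     {"Location": "https://mycompany.com/", "Strict-Transport-Security": "max-age=1800"}),
    ("https://mycompany.com/", 301,
     {"Location": "https://www.mycompany.com/", "Strict-Transport-Security": "max-age=1800"}),
    ("https://www.mycompany.com/", 200,
     {"Strict-Transport-Security": "max-age=1800"}),
]
BAD_CHAIN = [   # the shortcut the note warns against: mycompany.com is never pinned
    ("http://mycompany.com/", 301,
     {"Location": "https://www.mycompany.com/", "Strict-Transport-Security": "max-age=1800"}),
    ("https://www.mycompany.com/", 200,
     {"Strict-Transport-Security": "max-age=1800"}),
]


def check_chain(chain):
    """Return findings for a redirect chain; an empty list means every host
    visited receives its Strict-Transport-Security header over HTTPS."""
    findings = []
    for url, status, headers in chain:
        req = urlsplit(url)
        if req.scheme == "http":
            # Browsers ignore HSTS on plain HTTP, so this hop only matters for
            # where it sends the client: to HTTPS, and on the same host.
            location = urlsplit(headers.get("Location", ""))
            if status not in (301, 302, 307, 308) or location.scheme != "https":
                findings.append(f"{url}: not redirected to HTTPS")
            elif location.hostname != req.hostname:
                findings.append(f"{url}: redirect changes host to {location.hostname}, "
                                f"so {req.hostname} never receives HSTS over HTTPS")
        elif "Strict-Transport-Security" not in headers:
            findings.append(f"{url}: HTTPS response without Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_chain(chain) or "ok")
```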

Configure support for HTTP strict transport security (HSTS)

https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/how-to-articles/ssl-support-for-hsts.html

March 6, 2019. Contributed by: S C

Citrix ADC appliances support HTTP strict transport security (HSTS) as an in-built option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

Enable HSTS in an SSL front-end profile or on an SSL virtual server. If you enable SSL profiles, then you should enable HSTS on an SSL profile instead of enabling it on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included. For example, you can specify that subdomains for www.example.com, such as www.abc.example.com and www.xyx.example.com, can be accessed only by using HTTPS by setting the IncludeSubdomains parameter to YES.

If you access any web sites that support HSTS, the response header from the server contains an entry similar to the following:

The client stores this information for the time specified in the max-age parameter. For subsequent requests to that web site, the client checks its memory for an HSTS entry. If an entry is found, it accesses that web site only by using HTTPS.

You can configure HSTS at the time of creating an SSL profile or an SSL virtual server by using the add command. You can also configure HSTS on an existing SSL profile or SSL virtual server by modifying it using the set command.

Configure HSTS by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO)

OR

add ssl profile <name> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO )

Arguments

HSTS
State of HTTP Strict Transport Security (HSTS) on an SSL virtual server or SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.
Possible values: ENABLED, DISABLED
Default: DISABLED

maxage
Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.
Default: 0
Minimum: 0
Maximum: 4294967294

IncludeSubdomains
Enable HSTS for subdomains. If set to YES, a client must send only HTTPS requests for subdomains.
Possible values: YES, NO
Default: NO

In the following examples, the client must access the web site and its subdomains for 157,680,000 seconds only by using HTTPS.

add ssl vserver VS-SSL -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES

OR

add ssl profile hstsprofile -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES

Configure HSTS by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Include Subdomains.

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. In Advanced Settings, select SSL Parameters.

  2. Select HSTS and Include Subdomains.

Support for HSTS preload

Note:

This feature is available in release 12.1 build 51.x and later.

The Citrix ADC appliance supports adding an HSTS preload in the HTTP response header. To include the preload, you must set the preload parameter in the SSL virtual server or SSL profile to YES. The appliance then includes the preload in the HTTP response header to the client. You can configure this feature using both the CLI and the GUI. For more information about HSTS preload, see https://hstspreload.org/.

Following are examples of valid HSTS headers with preload:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Strict-Transport-Security: max-age=63072000; preload
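Added example, not from the Citrix documentation: a Python model of the client side described earlier (the browser stores the host for max-age seconds and applies includeSubDomains to sub-hosts), with a parser that accepts headers like the two above and a check of the hstspreload.org submission conditions as I understand them (max-age of at least 31536000, includeSubDomains and preload all present). Host names and clock values are constructed.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    Directive names are case-insensitive and max-age is mandatory (RFC 6797)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security without max-age")
    return max_age, include_subdomains, preload


class HstsCache:
    """The per-host memory a browser keeps; 'now' is a clock value in seconds."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now):
        """Record the header received from host over HTTPS at time now."""
        max_age, include_subdomains, _ = parse_hsts(header)
        if max_age == 0:  # max-age=0 tells the client to forget this host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_subdomains)

    def must_use_https(self, host, now):
        """True if the client must rewrite http://host/... to https:// before sending."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # an exact host match always counts; a parent domain only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def preload_eligible(header):
    """Assumed hstspreload.org conditions: one-year max-age, includeSubDomains, preload."""
    max_age, include_subdomains, preload = parse_hsts(header)
    return max_age >= 31536000 and include_subdomains and preload
```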

Configure HSTS preload by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -preload ( YES | NO )

OR

add ssl profile <name> -HSTS ( ENABLED | DISABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO ) -preload ( YES | NO )

Configure HSTS preload by using the GUI

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Navigate to System > Profiles > SSL Profiles. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Preload.

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

  2. In Advanced Settings, select SSL Parameters.

  3. Select HSTS and Preload.


Reposted from: https://www.cnblogs.com/lsgxeva/p/11276657.html
