HOW TO Force HSTS in CloudBolt Server

Overview

The CloudBolt OVA ships with a self-signed certificate and a minimal Apache configuration. To enforce HSTS in CloudBolt's Apache, follow this guide.

Considerations

This guide assumes you are running the CloudBolt OVA, which supports Apache/2.4.6.

Procedure

Step 1 - Confirm/Install mod_headers.so

  1. SSH to the CloudBolt instance as root.

  2. Run grep headers_module /etc/httpd/conf.modules.d/*

    1. The output should be:

      [root@cb-230322-root-001-centos7-KEEP modules]# grep headers_module /etc/httpd/conf.modules.d/*
      /etc/httpd/conf.modules.d/00-base.conf:LoadModule headers_module modules/mod_headers.so

Step 2 - Edit the httpd config

  1. Go to /etc/httpd/conf

  2. Run vi httpd.conf

  3. Add these lines:

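# Load the headers module. If Step 1 showed it is already loaded from
# 00-base.conf, Apache skips this duplicate line with a warning.
LoadModule headers_module modules/mod_headers.so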

<VirtualHost *:443>
    # HSTS (31536000 seconds = 1 year)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Once a web browser has accessed the site and received the header, it will remember that the site should only be accessed over HTTPS for the duration of the max-age value. This timer is reset every time the site is accessed.

To always redirect your visitors to the HTTPS version of your website, use the following configuration, replacing example.com with your server's hostname:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>


Step 3 - Reload Apache

systemctl reload httpd
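
To confirm the change after the reload, the HSTS header and the port 80 redirect can be checked from the command line. The script below is an added example, not part of the original guide; the hostname in its comments is a placeholder and the sample responses are constructed.

```bash
#!/usr/bin/env bash
# Added example: check response headers for the HSTS policy and HTTPS redirect.
# Live use (cloudbolt.example.com is a placeholder hostname):
#   curl -skI https://cloudbolt.example.com/ | check_hsts
#   curl -sI  http://cloudbolt.example.com/  | check_redirect
# -k is only needed while the OVA still presents its self-signed certificate.

MIN_MAX_AGE=31536000   # one year, the value configured in Step 2

# Reads response headers on stdin. Returns 0 = policy OK, 1 = header missing,
# 2 = max-age absent or too short, 3 = includeSubDomains missing.
check_hsts() {
    local line value max_age
    # Header names are case-insensitive; strip the CR that ends HTTP lines.
    line=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    value=${line#*:}
    max_age=$(printf '%s' "$value" | grep -ioE 'max-age="?[0-9]+' | grep -oE '[0-9]+$' || true)
    if [ -z "$max_age" ] || [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age '${max_age:-absent}' is below $MIN_MAX_AGE"; return 2
    fi
    printf '%s' "$value" | grep -qiE '(^|;)[[:space:]]*includeSubDomains[[:space:]]*(;|$)' \
        || { echo "FAIL: includeSubDomains missing"; return 3; }
    echo "OK: max-age=$max_age; includeSubDomains"
}

# Reads port-80 response headers on stdin. Returns 0 only for a 301 whose
# Location is an https:// URL, 1 for any other status, 2 for a non-HTTPS target.
check_redirect() {
    local hdrs
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -qE '^HTTP/[0-9.]+ 301( |$)' \
        || { echo "FAIL: status is not 301"; return 1; }
    printf '%s\n' "$hdrs" | grep -qiE '^location:[[:space:]]*https://' \
        || { echo "FAIL: Location is not an https:// URL"; return 2; }
    echo "OK: permanent redirect to HTTPS"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_443=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n')
SAMPLE_80=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n')
printf '%s\n' "$SAMPLE_443" | check_hsts
printf '%s\n' "$SAMPLE_80"  | check_redirect
```

Browsers ignore the HSTS header when it arrives over a connection with certificate errors, so with the default self-signed certificate this check can pass while browsers still do not store the policy.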
