Newbie - Best Tutorial for Implementing HSTS? (Bitnami/Wordpress)

[SEE SELF_REPLY UPDATE] Hi Guys. Thank you so much (Griffin) for pointing me to the Certbot Bitnami SSL SAN certificate creation guide - worked a treat and hopefully when it comes to auto renew "it just does it".
This one didn't even require TXT files and just worked. Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application

I am a total noob and you've got me up and running with a few links and a bit of insight. Many thanks again.

Now I'm ready to redirect http:// to https:// as I can see people are going to receive security warnings when they type in my web address.

I've been reading this forum a lot, I'm just too new to have a go at this without a step-by-step guide, so can anyone suggest the best HSTS tutorial for my needs?

Needs:
The website at most will have a contact form so I don't want to do the white-list as I'm seeing some difficult problems arise not being able to connect if there's a certificate issue. Am I right here?

Thoughts:
The certs seem ok?
Using https://check-your-website.server-daten.de/
It looks like HSTS solves a lot of my problems although I'm needing a tutorial on how to set preferred www and non-www although this might be covered when applying HSTS? Not sure...


oof! H can't be good?! (no encryption)


My domain is: skynfüd.com (or skynfüd.com) SAN SSL> skynfud.com, skynfud.co.uk, skynfix.co.uk and all www versions.

My web server is (include version): Bitnami WordPress 5.6.1-1

The operating system my web server runs on is (include version): Linux / Debian 4.19.181-1 / Apache Installed

My hosting provider, if applicable, is: Amazon Lightsail (Wordpress Instance)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Erm... not sure, this command isn't working but I did use Certbot for sure.

3 Likes

OK. I'm having a go at HSTS with about 8 different tutorials up on tabs.

[SCRAP]They all keep mentioning "Virtual Host" but I don't have that set up....
After searching around I found my httpd-vhosts.conf file

I don't know where to type this...
a2enmod headers
console does nothing? a2enmod: command not found

Then add to my httpd-vhosts.conf:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Many thanks in advance. Finding a good noob tutorial that explains everything is a real headache.

One final issue I can see is with the following:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>

I have 4 domains and not sure if I can just list them here or how to redirect them all to "https://skynfüd.com"

Any help would be massively appreciated...

2 Likes

https://docs.bitnami.com/aws/apps/owncloud/administration/force-https-apache/

This did it! Yay! Only took all freakin' night (04:50am now... time flies when you're having fun)

3 Likes

Thanks for the props. :slightly_smiling_face:

Sorry I didn't see your struggle sooner. I'm glad you got it worked out though!

:partying_face:

A few tips:

  1. Make sure all of your versions are redirecting properly with redirect-checker.org, including the https sites you want redirected to a different https site
  2. Choose to redirect either www.example.com to example.com or vice versa (which is known as choosing a canonical name and is critical for SEO)
  3. Use 301 Moved Permanently redirects not 302 Found redirects (which is what the "permanent" part means after the Redirect directive in the Apache VirtualHost you mentioned)

1 Like

Hi @SSLisKillingMe

No, H isn't good. A user uses http - and isn't redirected to https.

But HSTS isn't the solution, correct redirects and one destination (Grade B, no Grade E, D, C) are required.

Please check the short FAQ:

If it is your first certificate: Grade B without HSTS and without Cookie errors.
...
If you use HSTS and your certificate is invalid (wrong domain name, expired, revoked), visitors can't create an exception in their browser. So it's impossible to visit your site. HSTS requires an always valid certificate, so you shouldn't add HSTS if you don't know your certificate renewal works.

3 Likes
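An added example, not part of any post in this thread: a small Python audit of the checks described in the tips list and in the reply above (every hostname variant reaches one canonical https destination through 301 redirects, and the HSTS header is parsed so its lifetime is known before it is enabled). The example.com/example.org hostnames and the recorded redirect hops are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

CANONICAL = "https://example.com/"  # assumed canonical destination (constructed)

# Constructed sample: start URL -> hops as (url, status, HSTS header or None)
SAMPLE = {
    "http://example.com/": [
        ("http://example.com/", 301, None),
        ("https://example.com/", 200, "max-age=31536000; includeSubDomains"),
    ],
    "http://www.example.com/": [          # temporary redirect, wrong destination
        ("http://www.example.com/", 302, None),
        ("https://www.example.com/", 200, None),
    ],
    "http://example.org/": [              # never leaves http
        ("http://example.org/", 200, None),
    ],
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age":
            policy["max_age"] = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit_chain(hops, canonical):
    """Return a list of problems for one redirect chain (empty list = OK)."""
    findings = []
    for url, status, _ in hops[:-1]:      # every hop before the last is a redirect
        if status != 301:
            findings.append(f"{url}: {status} redirect, want 301")
    final_url = hops[-1][0]
    if urlsplit(final_url).scheme != "https":
        findings.append(f"{final_url}: served over http, no redirect to https")
    elif final_url != canonical:
        findings.append(f"{final_url}: not the canonical destination {canonical}")
    return findings

if __name__ == "__main__":
    for start, hops in SAMPLE.items():
        print(start, audit_chain(hops, CANONICAL) or "OK")
        if hops[-1][2]:
            days = parse_hsts(hops[-1][2])["max_age"] // 86400
            print(f"  HSTS pins https for {days} days: renewal must work first")
```
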

It's thanks to you again and that initial Bitnami set of SSL/SAN tutorials that I found this HSTS tutorial. Don't know why I didn't find it before but clicking your link and a few clicks later I'd figured it out.

Cheers! :beers:

2 Likes

Heed JuergenAuer's advice well. He knows what he's doing here. It's actually his tool that you used to get that H grade.

2 Likes

Thanks Juergen. More learning to do... If it's the case you don't use HSTS on a first certificate, how can you securely padlock and redirect to https when you launch a website? Do you just force an auto-renew certificate earlier than the 90 days to check first?

2 Likes

Hi, @SSLisKillingMe. Love the username but I hope that it won't be a valid one for very much longer. Welcome to the community!

I'd also like to say thank you for sticking with it as a complete newbie. Feedback like yours on what kind of tutorials are good for helping newbies is very important and I'm glad you found some that worked for your learning style. @jple, I suggest that you maybe might want to note this interaction for your "comms-improvement" wishlist so that you can get an idea of what kind of language works best for newbies.

4 Likes

For sure. It's definitely hard to know exactly how to implement in every environment and with each client, but I will put some headspace into how to include that.

3 Likes
