HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps protect web server appliances against unwanted access by allowing only trusted HTTPS connections from browsers. When HSTS is enabled, the server informs a web browser that has previously visited the site to use only HTTPS connections to it. A web browser that has never connected to the site may still use HTTP for its initial connection. HSTS is an IETF standards-track protocol specified in RFC 6797.

Warning: Not all browsers react the same way. Thoroughly test with every browser you intend to use.

Some web browsers may terminate the connection to the web server and prevent access to the PCoIP Management Console if the security of the connection cannot be verified. Therefore it is important to have a properly created and trusted certificate installed in the Management Console, and for the web browser to be able to verify the authenticity of that certificate.

HSTS can be enabled on the PCoIP Management Console by editing the mc-external-config.yml file. It also requires that a proper certificate be loaded on the PCoIP Management Console. For more information on configuring HSTS and how it works, please review RFC 6797.

The certificate requirements are determined by the browser you are using. See the browser documentation for requirements. Requirements include the following and can change at any time:

  • SHA-256 is the minimum signature algorithm

  • CA-signed (cannot be a self-signed certificate)

  • Subject Alternative Name (Chrome requirement)

To enable HSTS and configure the timeout setting:

  1. Access the PCoIP Management Console virtual machine console.

  2. SSH to the PCoIP Management Console virtual machine console.

  3. Log in as administrator and enter the command sudo su.

  4. Change to the following directory:
    /opt/teradici/console/config/

  5. Edit the mc-external-config.yml file to activate HSTS and set the timeout by:

    1. Uncommenting (removing the # symbol from) the jetty, port, hsts, enableHSTS and stsMaxAge lines in the following block. The sendServerVersion, traceEnabled and optionsEnabled lines stay commented out:

      #jetty:
      #    port: 8080
      #    sendServerVersion: false
      #    hsts:
      #        enableHSTS: false
      #        stsMaxAge: 31536000
      #    traceEnabled: false
      #    optionsEnabled: false
      
    2. Editing the enableHSTS value to true.
      enableHSTS: true

    3. Editing the stsMaxAge value to the desired timeout in seconds.
      stsMaxAge: 31536000

    Note: stsMaxAge is configurable from the default of -1 to one year (31536000 seconds) and defines how long the web browser should cache the HSTS policy for the server.

    Your edited lines should look like the following:

      jetty:
          port: 8080
      #    sendServerVersion: false
          hsts:
              enableHSTS: true
              stsMaxAge: 31536000
      #    traceEnabled: false
      #    optionsEnabled: false
      
  6. Save your edits to mc-external-config.yml.

  7. Restart the Management Console console service.
    sudo service mcconsole restart

Tip: Is HSTS enabled?

To confirm whether HSTS is enabled, run
curl -k -s -vv https://<PCoIP Management Console ip address>/login/auth 2>&1 | grep -i Strict
and look at the HTTP response headers from the server (curl prints them on stderr, hence the 2>&1). If HSTS is enabled, the Strict-Transport-Security header is present and shows the max-age value. Because -k skips certificate verification, this confirms only that the header is sent; browsers will still refuse the connection if the certificate is not trusted.
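As an added check, the following Python (example code written for this page, not part of the Management Console) parses the response header lines that curl prints, validates the Strict-Transport-Security value against the RFC 6797 directive rules, and compares max-age with the stsMaxAge you configured. The sample header lines are constructed, not captured from a real console.

```python
import re

# Constructed sample of what `curl -k -s -vv ... 2>&1` prints once HSTS is on
# (hypothetical response lines, not captured from a real Management Console).
SAMPLE_HEADERS = [
    "< HTTP/1.1 200 OK",
    "< Strict-Transport-Security: max-age=31536000",
    "< Content-Type: text/html;charset=UTF-8",
]


def parse_sts(value):
    """Parse an STS header value into {directive: value} per RFC 6797 s6.1.

    Directives are ';'-separated and case-insensitive; max-age is required,
    must be a non-negative integer and must not repeat. Malformed input raises
    ValueError so a check script fails loudly instead of passing.
    """
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(header_lines, expected_max_age):
    """Return (header_present, max_age, problems) for response header lines.

    Lines may carry curl's '< ' prefix. Problems flag a missing or repeated
    header, a max-age differing from the configured stsMaxAge, and max-age=0,
    which tells browsers to drop a cached policy rather than enforce one.
    """
    sts_values = []
    for line in header_lines:
        name, sep, val = line.lstrip("< ").partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            sts_values.append(val.strip())
    if not sts_values:
        return False, None, ["no Strict-Transport-Security header in the response"]
    problems = []
    if len(sts_values) > 1:
        problems.append("header sent more than once; browsers use only the first")
    try:
        max_age = parse_sts(sts_values[0])["max-age"]
    except ValueError as exc:
        return False, None, [f"malformed header: {exc}"]
    if max_age == 0:
        problems.append("max-age=0 clears the policy instead of enforcing it")
    elif max_age != expected_max_age:
        problems.append(f"max-age {max_age} differs from configured {expected_max_age}")
    return True, max_age, problems
```

Paste the `< ` header lines from the curl output into header_lines and pass the stsMaxAge value from mc-external-config.yml as expected_max_age.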