HSTS Detection false
Closed this issue · 17 comments
Tried to use https numerous times, and I'm stuck with an "E" rating. I've even been all over your repo in the issues section, and I've done everything listed in the issues:
I've run numerous queries to ensure HSTS is showing, including, as you mentioned, that it must be passed through HEAD:
curl -vIi https://search.beetlejuice.dav -p 443 |& rg "^strict|> .* HTTP/2"
> HEAD / HTTP/2
strict-transport-security: max-age=31536000; includeSubDomains; preload
curl -vi https://search.beetlejuice.dav -p 443|& rg "^strict|> .* HTTP/2"
> GET / HTTP/2
strict-transport-security: max-age=31536000; includeSubDomains; preload
I checked the JSON at:
And it's confirming that HSTS is not detected.
Tried multiple HSTS scanners online, all report good as well.
If it matters any, running SearXNG via docker and behind Traefik.
execution expired
It seems your server is very slow and doesn't respond in time. I got a timeout after 10 s waiting for the server response for the HSTS header.
Hrmm..... It shouldn't be; I get immediate responses and it's off-site for me. Can you specify what command you ran so I can try it from an alternative location, and from what country? I have geo restrictions to prevent bots, but they're only limited to certain areas (not the search subdomain), so they shouldn't be affecting it, but just in case.
Edit: Oh, you may have had the bad luck. I restarted searxng just a few minutes ago. You may have tried right when I restarted.
Call is here : https://github.com/aeris/cryptcheck/blob/master/lib/cryptcheck/tls/https/server.rb#L18-L33
It's just a curl -I equivalent, and I got a timeout exception after 10 s.
Cryptcheck uses TLS handshakes heavily, more than one thousand per analysis. Perhaps your anti-bot is triggered and throttles the connection. I see a very slow analysis in practice.
I'll try it out on a few systems here. If you can try again. Not sure if you saw my edit, but I just restarted things only a few minutes ago. So you may have had the bad luck to run curl at the very moment I restarted
Analysis is in progress, but seems very slow. I guess something throttles the connection on your side after a few handshakes.
Interesting. I'll need to get on a remote machine and try some queries out. Just checked some of the services, and none of those are the culprit.
For your service
https://cryptcheck.fr/https/search.betelgeuse.dev
2024-10-17T15:12:57.285Z 3211151 TID-ow17xczcv CheckJob JID-567eac4e903a99c9fbd10073 INFO: done: 116.145 sec
Usually such a config analysis is expected to take just a couple of seconds, like the one for my own service, which has 2 IP addresses to analyze instead of one.
https://cryptcheck.fr/https/imirhil.fr
2024-10-17T15:15:53.954Z 3211151 TID-ow17xcyw7 CheckJob JID-924b368f165bdd78a2e883ad INFO: done: 4.088 sec
Holy crap. That's a dramatic delay.
So I just shut off another service, if you want to try again. That's the only one I can think of that could be causing the issues. I'm in the middle of finding a server in another country I can test with.
Seems the same
You can't really try what Cryptcheck does. Even an infinite loop of curl -I won't generate the traffic Cryptcheck generates. Not even close 😅.
2024-10-17T15:25:17.511Z 3211151 TID-ow17xcyw7 CheckJob JID-3fa450b10e30860abac943c0 INFO: done: 116.109 sec
I notice you have an IPv6 declared but nothing responds on it. I bet the HSTS test tries to prefer IPv6 and so goes to timeout.
Yeah, I have an IPv6, I just haven't assigned it to a network adapter yet.
I managed to connect to another connection (Japan), and ran a curl to see what response times I got:
* Connection #0 to host search.beetlejuice.dav left intact
time_namelookup: 0.032079s
time_connect: 0.090793s
time_appconnect: 0.169676s
time_pretransfer: 0.170971s
time_redirect: 0.000000s
time_starttransfer: 0.240935s
----------
time_total: 0.241633s
* Trying 0.0.1.187:80...
I bet the IPv6 is the trouble. It's declared in the DNS and so Cryptcheck tries to connect to it for the HSTS check and then times out.
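The failure mode described in this comment is easy to miss with a single curl, because curl silently falls back to whichever address answers. The script below is an added example (not cryptcheck's own code) that does the rough equivalent of `curl -I` once per published A/AAAA record, with the 10 s timeout mentioned in the thread, so a dead IPv6 address shows up as a per-address timeout instead of as "HSTS not detected". The host name, addresses and response headers in the offline sample are constructed for illustration.

```python
"""Check HSTS on every published address of a host, not just the one curl picks.

Added example, not cryptcheck's own code. The sample resolver/fetcher at the
bottom are constructed so the script also runs offline.
"""
import socket
import ssl

TIMEOUT = 10.0  # seconds; the timeout reported in the thread


def parse_hsts(raw_headers):
    """Return the Strict-Transport-Security value from raw HTTP/1.x response
    headers (bytes), or None if absent. Header names are case-insensitive."""
    head = raw_headers.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"strict-transport-security":
            return value.strip().decode("latin-1")
    return None


def resolve_all(hostname, port=443):
    """Every (family, address) pair DNS publishes for hostname, A and AAAA."""
    seen, out = set(), []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            out.append((family, sockaddr[0]))
    return out


def fetch_head(hostname, family, address, port=443, timeout=TIMEOUT):
    """TLS-connect to one specific address (SNI and Host still carry the
    hostname), send HEAD /, and return the raw response headers."""
    ctx = ssl.create_default_context()
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((address, port))              # a 2-tuple is fine for AF_INET6 too
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(b"HEAD / HTTP/1.1\r\nHost: " + hostname.encode("idna")
                        + b"\r\nConnection: close\r\n\r\n")
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf


def check_all_addresses(hostname, port=443, fetch=fetch_head, resolve=resolve_all):
    """Run the HEAD check against each published address.
    Returns {address: (state, detail)} with state "ok" (detail = HSTS value),
    "no-hsts", or "error" (detail = "timeout" or the exception class name).
    fetch/resolve are injectable so the logic can run without network access."""
    results = {}
    for family, address in resolve(hostname, port):
        try:
            raw = fetch(hostname, family, address, port)
        except (OSError, ssl.SSLError) as exc:
            timed_out = isinstance(exc, (socket.timeout, TimeoutError))
            results[address] = ("error", "timeout" if timed_out else type(exc).__name__)
            continue
        value = parse_hsts(raw)
        results[address] = ("ok", value) if value else ("no-hsts", None)
    return results


def summarize(results):
    """A scanner that prefers IPv6 hits the first failing address it tries;
    name every address that would make the HSTS check fail."""
    bad = [a for a, (state, _) in results.items() if state != "ok"]
    if not bad:
        return "HSTS served on every published address"
    return "HSTS check would fail on: " + ", ".join(bad)


# Constructed sample (hypothetical host and addresses): one AAAA record with
# nothing listening behind it and one A record that serves HSTS, mirroring
# the situation in the thread.
SAMPLE_HEADERS = (b"HTTP/1.1 200 OK\r\nServer: traefik\r\n"
                  b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")


def sample_resolve(hostname, port):
    return [("inet6", "2001:db8::1"), ("inet", "192.0.2.10")]


def sample_fetch(hostname, family, address, port):
    if address == "2001:db8::1":
        raise TimeoutError("timed out")            # dead IPv6: the scanner's view
    return SAMPLE_HEADERS


def demo_offline():
    return check_all_addresses("search.example", fetch=sample_fetch, resolve=sample_resolve)


if __name__ == "__main__":
    import sys
    results = check_all_addresses(sys.argv[1]) if len(sys.argv) > 1 else demo_offline()
    for addr, (state, detail) in results.items():
        print(f"{addr:40} {state:8} {detail or ''}")
    print(summarize(results))
```

Run it with a host name to test every address DNS publishes for it; without arguments it runs the constructed sample and reports the IPv6 address as the one that would fail. The point of iterating addresses explicitly is that `curl -I https://host` cannot reproduce what a scanner that picks the AAAA record sees.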
Just for giggles, I'm going to remove the IPv6 definition and stick with just IPv4, and see if I get any better results.
I may have to install the CLI version of cryptcheck, I still have like 40 minutes until I can run another scan.
You can disable the delay between checks with an @ TXT cryptcheck=debug record in your DNS.
Oh nice, appreciate it. This will help a bit. Having to run only one test per hour makes this a slow process lol
You were right. IPv6:
A+. I feel like a moron. Good to know though. I have an IPv6 assigned, I just need to go look up the proper steps to apply it.
🥳 😊
Appreciate all the help and guidance. I would have been sitting here for yet another six hours trying to figure it out. I've looked through my HSTS configs about 40 times, thinking I'd messed up a semicolon or something stupid.
Had you not mentioned the ipv6 thing, who knows if I'd still be here by New Years.