httpd.conf file changes are being reverted for HSTS

Question

I needed to specify HSTS headers for the management GUI under apache on the LTM.
I modified /etc/httpd/conf/httpd.conf and added:&nbsp;
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"&nbsp;
All is well, but after a few days it reverts magically to:&nbsp;
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"&nbsp;
What would cause this?&nbsp;
Is there a master template version of httpd.conf elsewhere ?&nbsp;

larry_wichter · Answer

BTW my LTM is using BIG-IP 11.5.1 Build 10.0.180 Hotfix HF10&nbsp;

nitass · Answer

can you try sys httpd include?
e.g.
// default

[root@ve13a:Active:In Sync] config  tmsh list sys httpd
sys httpd { }

[root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

[root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 23:51:36 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Last-Modified: Wed, 03 Jan 2018 23:51:03 GMT
ETag: "f98a6e-f97-561e7e35fcb0c"
Accept-Ranges: bytes
Content-Length: 3991
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: text/html; charset=ISO-8859-1

// sys httpd include

[root@ve13a:Active:Changes Pending] config  tmsh modify sys httpd include 'Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"'

[root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

[root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
HTTP/1.1 200 OK
Date: Thu, 04 Jan 2018 00:00:16 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Last-Modified: Wed, 03 Jan 2018 23:52:37 GMT
ETag: "f996cd-f97-561e7e8fda551"
Accept-Ranges: bytes
Content-Length: 3991
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: text/html; charset=ISO-8859-1

// save

[root@ve13a:Active:In Sync] config  tmsh save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done
[root@ve13a:Active:In Sync] config

nitass_89166 · Answer

can you try sys httpd include?
e.g.
// default

[root@ve13a:Active:In Sync] config  tmsh list sys httpd
sys httpd { }

[root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

[root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 23:51:36 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Last-Modified: Wed, 03 Jan 2018 23:51:03 GMT
ETag: "f98a6e-f97-561e7e35fcb0c"
Accept-Ranges: bytes
Content-Length: 3991
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: text/html; charset=ISO-8859-1

// sys httpd include

[root@ve13a:Active:Changes Pending] config  tmsh modify sys httpd include 'Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"'

[root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

[root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
HTTP/1.1 200 OK
Date: Thu, 04 Jan 2018 00:00:16 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Last-Modified: Wed, 03 Jan 2018 23:52:37 GMT
ETag: "f996cd-f97-561e7e8fda551"
Accept-Ranges: bytes
Content-Length: 3991
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: text/html; charset=ISO-8859-1

// save

[root@ve13a:Active:In Sync] config  tmsh save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done
[root@ve13a:Active:In Sync] config

larry_wichter · Answer

Thank you - using sys httpd command solved this.&nbsp;

larry_wichter · Answer

Thank you - using sys httpd command solved this.&nbsp;

Forum Discussion

httpd.conf file changes are being reverted for HSTS

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Related Content

iRules variables in BIG-IP Next: behavior change

Audit WAF changes

Change admin account

Ch-ch-ch-ch-changes

APM Customization: Password Change Validation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS