Forum Discussion

Larry_Wichter
Jan 03, 2018

httpd.conf file changes are being reverted for HSTS

I needed to specify HSTS headers for the management GUI under apache on the LTM. I modified /etc/httpd/conf/httpd.conf and added:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

All is well, but after a few days it reverts magically to:

Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

What would cause this?

Is there a master template version of httpd.conf elsewhere?

 

5 Replies

  • can you try sys httpd include?

    e.g.

    // default
    
    [root@ve13a:Active:In Sync] config  tmsh list sys httpd
    sys httpd { }
    
    [root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
    
    [root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
    HTTP/1.1 200 OK
    Date: Wed, 03 Jan 2018 23:51:36 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=16070400; includeSubDomains
    Last-Modified: Wed, 03 Jan 2018 23:51:03 GMT
    ETag: "f98a6e-f97-561e7e35fcb0c"
    Accept-Ranges: bytes
    Content-Length: 3991
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
    Content-Type: text/html; charset=ISO-8859-1
    
    // sys httpd include
    
    [root@ve13a:Active:Changes Pending] config  tmsh modify sys httpd include 'Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"'
    
    [root@ve13a:Active:In Sync] config  grep Strict-Transport-Security /config/httpd/conf/httpd.conf
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    
    [root@ve13a:Active:In Sync] config  curl -Ik https://172.28.24.14
    HTTP/1.1 200 OK
    Date: Thu, 04 Jan 2018 00:00:16 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=63072000; includeSubdomains;
    Last-Modified: Wed, 03 Jan 2018 23:52:37 GMT
    ETag: "f996cd-f97-561e7e8fda551"
    Accept-Ranges: bytes
    Content-Length: 3991
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
    Content-Type: text/html; charset=ISO-8859-1
    
    // save
    
    [root@ve13a:Active:In Sync] config  tmsh save sys config
    Saving running configuration...
      /config/bigip.conf
      /config/bigip_base.conf
      /config/bigip_user.conf
    Saving Ethernet mapping...done
    [root@ve13a:Active:In Sync] config 
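As an added example, not code from the thread or from F5: a POSIX shell check of the Strict-Transport-Security header a BIG-IP management GUI actually returns, so that a regenerated httpd.conf is noticed before the browser-side policy lapses. The one-year floor (31536000 seconds) and the includeSubDomains requirement are my assumptions; the sample header blocks are constructed from the reply's `curl -Ik` output, and MGMT_URL is a hypothetical variable for running it against a live device. It judges the header the way a browser does: the first STS header field wins (RFC 6797 section 8.1) and directive names are case-insensitive (section 6.1), so the reply's `includeSubdomains;` spelling passes while the 16070400-second default fails.

```shell
#!/bin/sh
# Added example, not part of the original thread: check the HSTS header that a
# BIG-IP management GUI really sends, so that a reverted httpd.conf is noticed
# before the browser-side policy lapses.
#
# Assumptions (mine, not from the thread): the policy floor is one year
# (31536000 seconds) and includeSubDomains is required. MGMT_URL and the
# sample header blocks below are constructed for illustration.

MIN_MAX_AGE=31536000

# hsts_check HEADERS
#   HEADERS is a raw HTTP response header block (what `curl -sIk URL` prints).
#   Prints one verdict line; returns 0 when compliant, 1 otherwise.
hsts_check() {
    headers=$1

    # RFC 6797 section 8.1: when several STS header fields arrive, a UA must
    # process only the first, so that is the one judged here (head -n 1).
    # Apache's `Header set` replaces an earlier value, so the two lines the
    # include approach leaves in httpd.conf still yield a single header.
    hsts=$(printf '%s\n' "$headers" | tr -d '\r' \
        | grep -i '^Strict-Transport-Security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi

    # Directive names are case-insensitive (RFC 6797 section 6.1), so the
    # reply's "includeSubdomains" spelling is as valid as "includeSubDomains".
    lower=$(printf '%s' "$hsts" | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')

    if [ -z "$max_age" ]; then
        echo "FAIL: max-age directive missing in '$hsts'"
        return 1
    fi
    # max-age=0 is how a site withdraws HSTS; it fails the floor like any other.
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$max_age is below the floor of $MIN_MAX_AGE in '$hsts'"
        return 1
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "FAIL: includeSubDomains missing in '$hsts'"; return 1 ;;
    esac

    echo "OK: $hsts"
    return 0
}

# Constructed sample responses, modelled on the reply's `curl -Ik` output.
# The first is what the regenerated httpd.conf sends (the 16070400 default);
# the second is what `tmsh modify sys httpd include ...` produced.
DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: text/html; charset=ISO-8859-1'

INCLUDE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Content-Type: text/html; charset=ISO-8859-1'

hsts_check "$DEFAULT_HEADERS" || :   # FAIL: 16070400 s is 186 days, under a year
hsts_check "$INCLUDE_HEADERS"        # OK

# Live use against a device: MGMT_URL=https://192.0.2.10 sh hsts_check.sh
# (192.0.2.10 is a documentation address standing in for your management IP.)
# To make the header survive BIG-IP rewriting /config/httpd/conf/httpd.conf,
# set it the way the reply does, through tmsh, and then save:
#   tmsh modify sys httpd include 'Header always set Strict-Transport-Security \"max-age=63072000; includeSubDomains\"'
#   tmsh save sys config
if [ -n "${MGMT_URL:-}" ]; then
    hsts_check "$(curl -sIk "$MGMT_URL")"
fi
```

Run it from a cron job or monitoring check against the management address; a verdict that flips from OK to FAIL after the device regenerates its httpd.conf is the symptom described in the question, and the tmsh route shown in the reply is the one that is meant to persist across that regeneration.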
    