Qualys SSL Labs: Suddenly `A` instead of `A+`?

On the last test of a Trellis site with the Qualys SSL Labs test, the score is suddenly only A instead of A+; do you see the same on another Trellis site?
(No HTTP/3 stuff tested there, just defaults; the result cache on Qualys SSL Labs result page was also cleared).

Edit 2: Apparently there is some specific configuration that causes a 2nd certificate to be used, which is unintended and may be the cause for the lower score.

Edit 3: The difference is the missing HTTP Strict Transport Security (HSTS) with long duration deployed on this server. May this be the reason for the missing + in the score?

The degraded score was caused by missing HSTS headers. Those HSTS headers were actually added, but an add_header directive in the PHP location block made nginx clear all other headers set in the higher-level server block.


Hi @strarsis, I’m curious what changes were required to resolve the missing headers. Did you end up using the more_set_headers module, and if so, how did you install it with Trellis?

I’ve been struggling to add a custom header directive for CORS and your post has me wondering if maybe I’m running into the NGINX inheritance issue that you highlight here.

@needle: Indeed, your post reminded me of this issue, too. With the add_header directive from stock/core nginx you have to re-add all the headers again that would have been added by the higher-level server block. You could do this by copying those over in the Trellis jinja templates. Alternatively you can put them into an extra file and include them, but this can add more complication.

Alternatively, there are nginx modules that offer directives that do not override the previously set HTTP headers, such as more_set_headers.
more_set_headers, among other directives, is provided by the ngx_headers_more nginx plugin.

For Ubuntu extras.getpagespeed.com appears to offer a repository for a package with the ngx_headers_more plugin.
It would be a good idea to test this with a Trellis VM or a staging system, whether the package and the plugin are compatible with the version of nginx used in Trellis.

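The inheritance rule behind the lost HSTS header (the cause found in the first post and the re-add-every-header workaround described in the reply above) is easy to get wrong by reading a config, so here is an added example that models it; this is not Trellis' or nginx's own code. It assumes nginx's documented behaviour that `add_header` directives are inherited from the enclosing level only when the current level declares no `add_header` of its own, and it uses two constructed server snippets (a broken one with a lone `add_header` in the PHP location, and the fixed one that re-declares the server-level headers there). The toy parser handles only braces, `;`-terminated directives, quoted values and `#` comment lines.

```python
"""Model nginx add_header inheritance to show which response headers a
location block actually emits.

Rule assumed here (nginx documentation): add_header directives are inherited
from the enclosing level if and only if the current level defines no
add_header directives of its own. A single add_header in a location {} block
therefore discards every header set in server {}.
"""

# Constructed snippets; these are not the thread's actual Trellis templates.
BROKEN_CONF = """
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    location ~ \\.php$ {
        # Any add_header here resets everything inherited from server {}.
        add_header X-Frame-Options SAMEORIGIN always;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

FIXED_CONF = """
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    location ~ \\.php$ {
        # Re-declare the server-level headers next to the new one.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""


def _parse(text):
    """Build a block tree: {'name', 'headers' (add_header names), 'children'}."""
    src = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    root = {"name": "main", "headers": [], "children": []}
    stack, buf, in_quote = [root], "", False
    for ch in src:
        if ch == '"':                      # keep ';' inside quoted values intact
            in_quote = not in_quote
            buf += ch
        elif in_quote:
            buf += ch
        elif ch == "{":                    # open a nested block named by the text before it
            node = {"name": " ".join(buf.split()), "headers": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            buf = ""
        elif ch == "}":
            stack.pop()
            buf = ""
        elif ch == ";":                    # end of a directive
            parts = buf.split(None, 2)     # directive, header name, rest
            if len(parts) >= 2 and parts[0] == "add_header":
                stack[-1]["headers"].append(parts[1])
            buf = ""
        else:
            buf += ch
    return root


def _find_path(node, needle, path=()):
    """Return the list of blocks from the root down to the first block whose
    name contains `needle`, or None if no block matches."""
    path = path + (node,)
    if node is not path[0] and needle in node["name"]:
        return list(path)
    for child in node["children"]:
        found = _find_path(child, needle, path)
        if found:
            return found
    return None


def effective_headers(conf, location_needle):
    """Header names nginx would emit for the matching location, applying the
    all-or-nothing inheritance rule level by level."""
    path = _find_path(_parse(conf), location_needle)
    if path is None:
        raise ValueError(f"no block matching {location_needle!r}")
    inherited = []
    for node in path:
        if node["headers"]:                # any add_header here replaces the inherited set
            inherited = list(node["headers"])
    return inherited


def dropped_headers(conf, location_needle):
    """Headers declared somewhere up the chain that the location silently loses."""
    path = _find_path(_parse(conf), location_needle)
    if path is None:
        raise ValueError(f"no block matching {location_needle!r}")
    declared = {h for node in path for h in node["headers"]}
    return sorted(declared - set(effective_headers(conf, location_needle)))


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, "emits:", effective_headers(conf, "php"))
        print(label, "drops:", dropped_headers(conf, "php"))
```

Running it reports that the broken layout drops `Strict-Transport-Security` and `X-Content-Type-Options` for PHP responses, which is exactly what SSL Labs sees when it fetches the site's front page through PHP-FPM, while the fixed layout emits all three. `more_set_headers` from ngx_headers_more sidesteps this rule because it merges into the existing header set instead of replacing it, which is why it is the alternative to copying every header into each location.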

Thank you for elaborating on this. :pray: Turns out my issue was simply a malformed location block, but it’s still helpful to know about these additional nginx modules.
