Snapt provides SSL termination/offloading in both the Accelerator and Balancer modules. These are extremely resilient and secure by default, but there are several techniques that can be applied to provide additional security.
- Selecting a stronger Cipher preset protects your servers against BEAST and several other attacks that target weak SSL/TLS configurations.
- Specifying a larger prime size (4096 bits) for the Diffie-Hellman parameters hardens the key exchange.
- Enabling HSTS. HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect HTTPS websites against protocol downgrade attacks and cookie hijacking. Setting the Strict-Transport-Security response header enables HSTS and tells browsers to access a website (and optionally all of its subdomains) using HTTPS only.
Global SSL options (Setup -> SSL -> SSL Options)
These settings are applicable to both the Snapt balancer and accelerator modules.
HSTS on Snapt Accelerator (Accelerator -> Configuration -> SSL Options)
The Snapt accelerator provides options for specifying an OpenSSL engine and the SSL protocol version to enforce for SSL/TLS connections.
A Strict-Transport-Security option also allows HSTS to be enabled for all SSL-terminated accelerated frontends.
HSTS on Snapt Balancer (Balancer -> Adv. Configuration -> SSL Options)
HSTS can be enabled on Snapt load balancer groups, frontends, and backends. This offers the flexibility to selectively enable and apply HSTS rules.
To enable HSTS, edit the applicable SSL Terminated Balancer group, frontend or backend. Navigate to the HTTP Options tab and add a Response Add Header Modification rule with the following value: Strict-Transport-Security:\ max-age=31536000
This adds the HSTS header to every response sent to browsers, instructing them to connect to the server (via the Snapt balancer or accelerator in this case) over HTTPS only and to remember this policy for about 1 year (31536000 seconds). Upon expiry, subsequent responses from the server will again set the HSTS rule for browser enforcement.
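The following is an added example, not Snapt's own code, that models how a browser handles the Strict-Transport-Security header the rule above adds, following RFC 6797: the header is honoured only when received over HTTPS, max-age=31536000 pins the host to HTTPS for one year, includeSubDomains extends the pin to subdomains, and an expired policy lapses until the next HTTPS response re-sets it. The host names, timestamps and header values are constructed for the example.

```python
"""Minimal model of browser HSTS behaviour (RFC 6797). Added example,
not part of the Snapt product; hosts and timestamps are constructed."""
import re
from typing import Dict, Optional, Tuple

HSTS_HEADER = "Strict-Transport-Security"


def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an HSTS header value into (max_age_seconds, include_subdomains).

    Returns None when the value is malformed: no max-age, a duplicate
    max-age, or a non-numeric max-age. Unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-host policy store: host -> (expiry_timestamp, include_subdomains)."""

    def __init__(self) -> None:
        self.policies: Dict[str, Tuple[float, bool]] = {}

    def observe_response(self, host: str, over_https: bool,
                         headers: Dict[str, str], now: float) -> None:
        """Record the policy carried by a response, if any."""
        # The header is only trusted on a secure transport (RFC 6797 s8.1);
        # an HSTS header seen over plain HTTP is ignored.
        if not over_https:
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get(HSTS_HEADER.lower())
        if value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
            return
        # Each fresh response refreshes the expiry of the policy.
        self.policies[host.lower()] = (now + max_age, include_sub)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if now >= expiry:
                # Expired: drop it; the next HTTPS response will set it again.
                del self.policies[candidate]
                continue
            # i == 0 is an exact host match; a parent domain only applies
            # when its policy carries includeSubDomains.
            if i == 0 or include_sub:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the cases a practitioner should expect; all should be True."""
    cache = HstsCache()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    one_year = 31536000
    # 1. The header over plain HTTP must be ignored.
    cache.observe_response("www.example.com", False, {HSTS_HEADER: f"max-age={one_year}"}, t0)
    ignored_over_http = not cache.should_upgrade("www.example.com", t0)
    # 2. The rule configured on the balancer, seen over HTTPS, pins the host.
    cache.observe_response("www.example.com", True, {HSTS_HEADER: f"max-age={one_year}"}, t0)
    upgraded_next_day = cache.should_upgrade("www.example.com", t0 + 86400)
    # 3. After one year without a refresh the policy lapses.
    lapsed_after_year = not cache.should_upgrade("www.example.com", t0 + one_year)
    # 4. includeSubDomains extends the pin to subdomains; without it, it does not.
    cache.observe_response("example.org", True, {HSTS_HEADER: "max-age=600; includeSubDomains"}, t0)
    subdomain_pinned = cache.should_upgrade("api.example.org", t0 + 1)
    cache.observe_response("example.net", True, {HSTS_HEADER: "max-age=600"}, t0)
    subdomain_not_pinned = not cache.should_upgrade("api.example.net", t0 + 1)
    return {
        "ignored_over_http": ignored_over_http,
        "upgraded_next_day": upgraded_next_day,
        "lapsed_after_year": lapsed_after_year,
        "subdomain_pinned": subdomain_pinned,
        "subdomain_not_pinned": subdomain_not_pinned,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The first case is the one that matters operationally: because browsers ignore the header on plain HTTP, the header must be added on the SSL-terminated frontend (where the rule above is configured), and an HTTP-only frontend that merely redirects to HTTPS gains nothing from carrying it.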