Snapt Aria provides SSL termination/offloading in both the SSL accelerator and load balancer modules. These are extremely resilient and secure by default, but there are several techniques that can be applied to provide additional security.
- Selecting a stronger Cipher preset protects your servers against BEAST attacks and several other exploits that weak SSL/TLS cipher configurations expose.
- Specifying a larger prime size (4096 bits) for the Diffie-Hellman parameters used in key exchange.
- Enabling HSTS. HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect HTTPS websites against downgrade attacks and cookie hijacking. Setting the Strict-Transport-Security response header enables HSTS and tells browsers to access a website, and optionally all its subdomains, over HTTPS only.
Global SSL options (Setup -> SSL -> SSL Options)
These settings are applicable to both the Snapt Aria load balancer and SSL accelerator modules.
HSTS on Snapt SSL Accelerator (Accelerator -> Configuration -> SSL Options)
The Snapt SSL accelerator provides options for specifying an OpenSSL engine and the SSL protocol version to enforce for SSL/TLS connections.
A Strict-Transport-Security option also allows HSTS to be enabled for all SSL-terminated accelerated frontends.
HSTS on Snapt Aria virtual Load Balancer (Balancer -> Adv. Configuration -> SSL Options)
HSTS can be enabled on Snapt Aria load balancer groups, frontends, and backends. This offers the flexibility to selectively enable and apply HSTS rules.
To enable HSTS, edit the applicable SSL Terminated Balancer group, frontend or backend. Navigate to the HTTP Options tab shown below and add a Response Add Header Modification rule with the following value: Strict-Transport-Security:\ max-age=31536000
This adds the HSTS header to every response sent to browsers, telling them to connect to the server (via the Snapt Aria virtual load balancer or SSL accelerator in this case) over HTTPS only and to remember this setting for about 1 year (31536000 seconds). When that period expires, subsequent responses from the server set the HSTS rule again for browser enforcement.
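As an added example, not part of the Snapt documentation or product, the following Python audits a response's headers against the HSTS policy described above: it splits the backslash-escaped rule string into header name and value, parses the Strict-Transport-Security directives, and flags a missing header, a max-age below the 1-year value, duplicate headers, and the case where the header is sent on plain HTTP (which browsers ignore). The rule format and sample responses are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # the max-age used in the Snapt header rule above (1 year in seconds)

def parse_header_rule(rule: str) -> Tuple[str, str]:
    """Split a 'Name:\\ value' rule (backslash-escaped spaces, as typed into the
    Snapt HTTP Options rule) into a header name and an unescaped value."""
    name, _, value = rule.partition(":")
    return name.strip(), value.replace("\\ ", " ").strip()

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS header value into a {directive: value} map (RFC 6797 syntax;
    directive names are case-insensitive, value-less directives map to None)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"') or None
    return directives

def check_hsts(headers: List[Tuple[str, str]], over_tls: bool,
               min_age: int = ONE_YEAR) -> List[str]:
    """Audit one response's headers; an empty list means the HSTS policy is acceptable."""
    findings: List[str] = []
    if not over_tls:
        # RFC 6797 s8.1: browsers ignore the header on plain HTTP, so the rule
        # belongs on the SSL-terminated frontend, not on an HTTP-only one
        findings.append("response not sent over TLS; browsers ignore HSTS on plain HTTP")
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return findings + ["no Strict-Transport-Security header"]
    if len(values) > 1:
        findings.append("multiple STS headers; browsers process only the first")
    directives = parse_hsts(values[0])
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below the recommended {min_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (optional; subdomains stay unprotected)")
    return findings

if __name__ == "__main__":
    # Constructed sample: the header exactly as the Snapt rule above would add it
    name, value = parse_header_rule("Strict-Transport-Security:\\ max-age=31536000")
    print(check_hsts([(name, value)], over_tls=True))           # only the includeSubDomains note
    print(check_hsts([(name, "max-age=3600")], over_tls=True))  # max-age too short
```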