Netdata Tutorial causing ssllabs error: Server sent invalid HSTS policy.

Danran · June 1, 2022, 12:37pm

I have followed the Netdata on Nginx tutorial for Ubuntu 20.04 accurately. Netdata currently works on my server, however, when doing an ssllabs.com test on my netdata page it is reporting back the following errors:

Server sent invalid HSTS policy. See below for further information.
Strict Transport Security (HSTS) **Invalid** **Server provided more than one HSTS header**

In all of my other virtual hosts (based off of @LinuxBabe tutorials as well), ssllabs.com does not report this error. I do not fully understand what the stub_status.conf and netdata.example.com.conf files do exactly, but suspect that somehow the problem lies in one of these configuration files.

My netdata.example.com.conf file looks like this:
upstream backend {
server 127.0.0.1:19999;
keepalive 64;
}

server {

auth_basic "Protected";
auth_basic_user_file /etc/nginx/passwords;

   server_name netdata.example.com;
   location / {
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Server $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass http://backend;
     proxy_http_version 1.1;
     proxy_pass_request_headers on;
     proxy_set_header Connection "keep-alive";
     proxy_store off;
   }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/netdata.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netdata.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    ssl_trusted_certificate /etc/letsencrypt/live/netdata.example.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}


server {
    if ($host = netdata.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   server_name netdata.example.com;

   location / {
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Server $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass http://backend;
     proxy_http_version 1.1;
     proxy_pass_request_headers on;
     proxy_set_header Connection "keep-alive";
     proxy_store off;
   }
}

My stub_status.conf file looks like this:

    server {
         listen 127.0.0.1:80;
         server_name 127.0.0.1;
         location /nginx_status {
            stub_status on;
    	allow 127.0.0.1;
    	deny all;
         }
    }

Could someone please help me understand what to do to fix this error in ssl labs? Where is the duplicate coming from?

Thanks for any help!