HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Uyuni allows enabling HSTS. To enable it for a Uyuni Server:

Procedure
  1. Edit /etc/apache2/conf.d/zz-spacewalk-www.conf

  2. Uncomment the line # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

  3. Restart Apache with systemctl restart apache2

To enable it for Uyuni Proxies:

Procedure
  1. Edit /etc/apache2/conf.d/spacewalk-proxy.conf

  2. Uncomment the line # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

  3. Restart Apache with systemctl restart apache2
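The two procedures above differ only in the file being edited. The following shell script is an added example, not part of the Uyuni documentation or the Uyuni project: it performs the "uncomment" step on a copy of the configuration in a portable, idempotent way and then checks a captured set of HTTP response headers for a usable HSTS policy (header present, max-age of at least one year). The configuration excerpt and the response headers embedded in the script are constructed samples; the real files contain many more directives.

```shell
#!/bin/sh
# Constructed excerpt standing in for the relevant lines of
# /etc/apache2/conf.d/zz-spacewalk-www.conf (server) or
# /etc/apache2/conf.d/spacewalk-proxy.conf (proxy). Sample only.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Uncomment the following line to enable HSTS
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
EOF
}

# Constructed sample of what "curl -sI https://<SERVER-HOSTNAME>/" returns
# once HSTS is active (CRLF line endings, as in a real HTTP response).
make_sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n' > "$1"
  printf 'Content-Type: text/html\r\n' >> "$1"
  printf 'Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n' >> "$1"
}

# Step 2 of the procedure: drop the leading "# " from the HSTS Header line.
# Uses a temporary file instead of "sed -i" so it works with any POSIX sed,
# and does nothing if the line is already uncommented.
enable_hsts() {
  conf=$1
  sed 's/^#[[:space:]]*\(Header always set Strict-Transport-Security\)/\1/' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Returns 0 when the config contains an active (uncommented) HSTS Header line.
hsts_enabled_in_conf() {
  grep -q '^[[:space:]]*Header always set Strict-Transport-Security' "$1"
}

# Verify a captured response-header file (e.g. output of curl -sI):
#   - a Strict-Transport-Security header must be present
#   - its max-age must be at least one year (31536000 seconds), the
#     commonly recommended minimum for a policy that browsers will honour
#     for long enough to matter
# Returns 0 on success, 1 otherwise, printing the reason on failure.
check_hsts_headers() {
  line=$(tr -d '\r' < "$1" | grep -i '^Strict-Transport-Security:' | head -n 1)
  if [ -z "$line" ]; then
    echo "HSTS header missing"
    return 1
  fi
  maxage=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$maxage" ]; then
    echo "HSTS header has no max-age directive: $line"
    return 1
  fi
  if [ "$maxage" -lt 31536000 ]; then
    echo "HSTS max-age too short: $maxage seconds"
    return 1
  fi
  return 0
}

# Stand-alone demonstration on the constructed samples.
demo() {
  dir=$(mktemp -d)
  make_sample_conf "$dir/conf"
  enable_hsts "$dir/conf"
  hsts_enabled_in_conf "$dir/conf" && echo "HSTS line is active in $dir/conf"
  make_sample_headers "$dir/headers"
  check_hsts_headers "$dir/headers" && echo "response headers carry a valid HSTS policy"
  rm -rf "$dir"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) demo ;;
esac
```

After step 3 on a real server, the same check can be run against live output with `curl -sI https://<SERVER-HOSTNAME>/ > headers.txt` followed by `check_hsts_headers headers.txt`; when the server still uses the Uyuni-generated certificate, pass `--cacert` with the RHN-ORG-TRUSTED-SSL-CERT file mentioned below so that curl trusts the connection. Note that the shipped value max-age=63072000 is 730 days: once a browser has seen the header over a trusted HTTPS connection it will refuse plain HTTP to that host for two years, so make sure the certificate setup is final before uncommenting the line.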

When HSTS is enabled and the server uses the default SSL certificate generated by Uyuni or a self-signed certificate, browsers will refuse the HTTPS connection unless the CA that signed the certificate is trusted by the browser. If you are using the SSL certificate generated by Uyuni, you can trust it by importing the file located at http://<SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT into the browsers of all users.