Apache Lounge



Forum Index Downloads Search Register Log in  RSS Apache Lounge

Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.



A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.

[solved] How did I "lose" my hpkp header?

Post new topic   Reply to topic    Apache Forum Index -> Apache

View previous topic :: View next topic  
Author Message

Joined: 04 Jul 2017
Posts: 4

PostPosted: Tue 04 Jul '17 10:53    Post subject: [solved] How did I "lose" my hpkp header? Reply with quote

Dear Community,

I ran into an issue that I can't figure out by myself and I would appreciate every input I can get.

Before we start here a the relevant infos:

I use Apache2 (2.4.25 under Debian 9) as a reverse proxy for a web application my colleagues develop. The backend is an "embedded" Tomcat (to be precise it is a spring boot web application which embeds Apache Tomcat 8.5.x).

The Apache server is equipped with two different wildcard certificates (*.example.com and *.test.example.com).

I serve vHosts for example.com/www.example.com as well as for test.example.com/www.test.example.com which both get an A+ at SSLLABS.

Now I added another vHost (which I did a 1000 times before on my other Apache2 servers) but this one only get an A rating at SSLLABS.

The reason for that is, that my HPKP config is not showing up at the SSLLABS test.

The thing is, I don't get why...

The only difference between the other 1000 times I have done this before (on other Apache2 servers) is that I use https for the backend connection and not http (by the way I use mod_proxy and the related modules).


<VirtualHost *:80>
ServerName it.test.example.com
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

<VirtualHost *:443>
ServerName it.test.example.com
ServerAdmin logfiles@hlp.de
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /var/log/apache2/it.test-error.log
CustomLog /var/log/apache2/it.test-access.log combined
<Location ~ "^/(?!.well-known|wartung|server-status)">
Include /var/apache2/global-conf/allow-from-ip-range
AuthType Basic
AuthName "Closed user group"
AuthUserFile /var/apache2/global-passwd/passwords
AuthGroupFile /var/apache2/global-passwd/groups
Require group sales_grp
# the following config line includes the hpkp header and the certificate file directives!
Include /var/apache2/global-conf/ssl-test-example-com
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
<Proxy *>
    Require all granted
ProxyPass /.well-known !
ProxyPass /wartung !
ProxyPass /server-status !
ErrorDocument 503 /wartung/503.html
ProxyPass / https://abc.appsrv.example.com:8443/
ProxyPassReverse / https://abc.appsrv.example.com:8443/

I really can't figure out right now where the issue is and why the hpkp header is dropped within this vhost. Because, as mentioned above, the other vhosts work fine and at least the www.test.example.com vhosts includes the same config file(s).

I really would appreciate input from the community. Thanks in advance.

Best regards,

Last edited by hlpinform on Thu 06 Jul '17 11:55; edited 1 time in total
Back to top

Joined: 04 Jul 2017
Posts: 4

PostPosted: Tue 04 Jul '17 11:14    Post subject: Reply with quote

One little fun fact. SSLLABS also shows me that I miss the HSTS header.

But if I access the site with chrome and open up the developer toolbar I can clearly see my Strict-Transport-Security header as well my Public-Key-Pins.

So I'm not quite sure who is right. Is my config ok and SSLLABS is "lying" or is there a major bug in my config?

I would suggest a config flaw because Scott Helme's hpkp analyzer also says I'm missing out the header information on my vhost.

https://report-uri.io/home/pkp_analyse :-/
Back to top

Joined: 23 Nov 2008
Posts: 49

PostPosted: Tue 04 Jul '17 18:17    Post subject: Reply with quote

There's no HPKP in that config. Maybe your HPKP is set in the Include'ed configuration file that you didn't post?
Back to top

Joined: 04 Jul 2017
Posts: 4

PostPosted: Wed 05 Jul '17 7:54    Post subject: Reply with quote

You are right. I totally forgot to post both included files.

Sorry for that.

Here are both files:


Header set Public-Key-Pins: 'max-age=2592000; pin-sha256="<used_key>"; pin-sha256="<backup_key_1>"; pin-sha256="<backup_key_2>"; pin-sha256="<backup_key_3>"; report-uri="<report uri>"' env=HTTPS

SSLCertificateFile /<path>/<filename>.crt
SSLCertificateKeyFile /<path>/<filename>.key
SSLCACertificateFile /<path>/<filename_ca_bundle>.crt


# Ext-IPv4 Range
Require ip <our_external_ipv4_network>
# Ext-IPv6 Range
Require ip <our_ipv6_network>
# Server
Require ip <one_internal_ipv4_network>
Back to top

Joined: 04 Jul 2017
Posts: 4

PostPosted: Thu 06 Jul '17 11:55    Post subject: Reply with quote

Okay, got it. I never lost my header information...

As I said before, my chrome was right and the headers were sent by Apache to the client.

But due to the basic auth, the headers were never transfered to Qualys or Scott Helmes header check.

So I whitelisted the ip-ranges of both sites and not I got my A+ "back". Smile

Best regards
Back to top

Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1