Bypass code signing for one file

Hi,

We're doing bug fixing on the .htaccess file, as recommended by this forum, to make the WebDAV warnings go away.

However, this just adds an integrity warning now, since the .htaccess file is signed.

What's the correct way to bypass integrity for this file, and this file only?

I doubt there is a way to fix the integrity checks. In fact, you did just what the integrity test should detect: changes to arbitrary files in the server. So, it works just as expected.

I am not aware of any way to disable the checks selectively. That would not be a good idea anyway (you tend to forget to reset the list). The best way would be to fix that upstream in the server code and wait for the update.

Or is this something instance-specific?

Alright, we'll remove the UI then.

The fix is merely

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

since otherwise a warning appears that says the header is wrong, which the boss doesn't like.
It's set incorrectly by NC itself, and the manual even recommends changing .htaccess, so I doubt it'll be fixed upstream. ( https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/security_setup_warnings.html#the-strict-transport-security-http-header-is-not-configured )

Removing the entire warning UI seems like the correct fix anyway to remove warnings caused by NC, but I was hoping there's a technically correct way.

If you use a reverse proxy, you can change the header there and don't need to touch the .htaccess.

Just do it in the virtualhost conf directly
https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#enable-hsts-label


We're required to use the official docker container, which doesn't persist the apache config. The only things I can change are in the www folder.

This is to be changed on the host, not in the container.

The official docker container has apache inside the container, not on the host. (And it's misconfigured.)

How are you accessing the official image from the internet? Where is HTTPS termination done? Is there no HTTP server running on the host?

This is inside k8s. Are you suggesting to wrap apache in another apache? Doable, I guess, but I'm worried there will be new broken configs that we can't work around this way.

PS: The header is not misconfigured, as it uses HTTP (without S). There, of course, no encryption enforcement must be done. This is part of the HTTPS server settings.

OK, so you have one container in Kubernetes that runs the NC server. Still, there is no HTTPS termination yet. So, where are the SSL certificates managed?

Typically there is a reverse proxy in front of your containers that does the SSL handling and passes on only unencrypted connections. At this point, the header should be set. A quick glance at some Google results brought up ingress as a keyword.

Yes, termination is part of ingress.
Could you point me to the docs that say we must run another proxy in front of apache?
We're required to follow the official documentation.

I am sorry, there is no requirement to run it, but the ingress should be able to add headers as well, as far as I understand the documentation.

An official docker image example exists for Nginx,

but you can use another proxy as well. I posted a traefik config frequently… the official reverse proxy config might be helpful:

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html

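As an added example (not from this thread and not the Nextcloud project's own configuration), here is what the advice above looks like on a Kubernetes cluster whose ingress is Traefik: the HSTS header is added by a Traefik Middleware at the TLS-terminating edge, and the signed .htaccess inside the official container is left alone, so the integrity check keeps passing. The namespace `nextcloud`, hostname `cloud.example.com`, service name `nextcloud`, TLS secret name and the Traefik v3 CRD API version `traefik.io/v1alpha1` are assumptions for the example.

```yaml
# Added example: set HSTS at the Kubernetes ingress (Traefik) instead of
# editing the signed .htaccess inside the official Nextcloud container.
# Assumed names: namespace "nextcloud", host "cloud.example.com",
# service "nextcloud" on port 80, Traefik v3 CRDs (traefik.io/v1alpha1).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts
  namespace: nextcloud
spec:
  headers:
    # Same value the Nextcloud admin manual recommends for the header:
    # max-age=15552000; includeSubDomains
    stsSeconds: 15552000
    stsIncludeSubdomains: true
    # stsPreload: true   # only meaningful once the domain is submitted to the preload list
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  namespace: nextcloud
  annotations:
    # Traefik middleware reference format: <namespace>-<name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-hsts@kubernetescrd
    # Serve only on the TLS entrypoint so the header is emitted on HTTPS responses
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - cloud.example.com
      secretName: nextcloud-tls   # assumed: certificate supplied by cert-manager or by hand
  rules:
    - host: cloud.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud   # assumed: the Service in front of the official image
                port:
                  number: 80      # plain HTTP to the container's Apache, as in the thread
```

Traefik's headers middleware emits Strict-Transport-Security only on responses to HTTPS requests, which is the right place for it: the plain-HTTP Apache inside the container should not send it, exactly as the earlier reply notes. Apply the manifests, then check the response the way Nextcloud's setup check does, from outside: `curl -sI https://cloud.example.com/ | grep -i strict-transport-security` should print the header with max-age=15552000 and includeSubDomains. Because TLS now terminates in front of the container, also set `'overwriteprotocol' => 'https'` and the proxy's address in `'trusted_proxies'` in config.php as described in the reverse proxy documentation linked above, otherwise Nextcloud will generate http:// URLs and raise a different warning. ingress-nginx users can get the same header from its ConfigMap keys `hsts`, `hsts-max-age` and `hsts-include-subdomains` instead of a per-Ingress middleware.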