Configuration help - httpsts hardening

Trevor_Stuart · April 16, 2025, 8:29pm

I’m trying to follow Hardening and security guidance — Nextcloud latest Administration Manual latest documentation
Specifically the Enable HTTP Strict Transport Security.
As I want to resolve the errors in my nextcloud instance.

Nextcloud is running as a docker.
The guide says “Apache VirtualHost file” but doens’t say where that is. I did some googling and it appears to be located in
/etc/apache/xxxxx Problem is doesn’t that mean it’ll get wiped each time I reset the container?
I pointed all my config details to /home/user/.config/appdata/nextcloud so it would be located on a persistent volume, but /etc isn’t located there…

jtr · April 16, 2025, 8:55pm

Keep in mind the installation section of the Admin Manual is primarily for a bare metal install and, more specifically, the default is Apache.

In any case, which Docker image are you using?

The place to configure Strict-Transport-Security is wherever you terminate your HTTPS (i.e. your reverse proxy in many cases).

Trevor_Stuart · April 16, 2025, 9:34pm

Running latest from linuxserver.io
My reverse proxy is caddy running in opnsense (a completely different VM).
So the settings it references are needing to be completed in Caddy?

jtr · April 16, 2025, 9:57pm

You can either do it in Nginx within the LSIO image or in Caddy.

LSIO’s image has it in the Nginx config (if it’s up-to-date; check your container startup messages for out-of-date config file mentions), but the line is commented out by default IIRC.

/config/nginx/ssl.conf I think.