Docker Traefik "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds

Hello, I’m having an issue trying to get Nextcloud to stop reporting the following error in Security & setup warnings:

"Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds

I’m using Nextcloud 19.0.3 apache docker image with Traefik 2 as the reverse proxy. I have the following labels setup in my Nextcloud docker-compose.yml file:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.cloud.entrypoints=http"
  - "traefik.http.routers.cloud.rule=Host(`$HOST.$DOMAIN`)"
  - "traefik.http.middlewares.cloud-https-redirect.redirectscheme.scheme=https"
  - "traefik.http.routers.cloud.middlewares=cloud-https-redirect"
  - "traefik.http.routers.cloud-secure.entrypoints=https"
  - "traefik.http.routers.cloud-secure.rule=Host(`$HOST.$DOMAIN`)"
  - "traefik.http.routers.cloud-secure.tls=true"
  - "traefik.http.routers.cloud-secure.tls.certresolver=le"
  - "traefik.http.routers.cloud-secure.service=cloud"
  - "traefik.http.services.cloud.loadbalancer.server.port=80"
  - "traefik.docker.network=proxy"
  - "traefik.http.middlewares.cloud.headers.customFrameOptionsValue=SAMEORIGIN"
  - "traefik.http.middlewares.cloud.headers.framedeny=true"
  - "traefik.http.middlewares.cloud.headers.sslredirect=true"
  - "traefik.http.middlewares.cloud.headers.STSIncludeSubdomains=true"
  - "traefik.http.middlewares.cloud.headers.STSPreload=true"
  - "traefik.http.middlewares.cloud.headers.STSSeconds=315360000"
  - "traefik.http.middlewares.cloud.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.cloud.headers.sslProxyHeaders.X-Forwarded-Proto=https"
  - "traefik.http.middlewares.cloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
  - "traefik.http.middlewares.cloud-dav.replacepathregex.replacement=/remote.php/dav/"

I have also verified under Traefik HTTP Middlewares that the cloud@docker is showing the following:

STS SECONDS 315360000
STS INCLUDE SUBDOMAINS True
STS PRELOAD True
FORCE STS HEADER True
FRAME DENY True

Yet I cannot get that warning to go away. Any ideas?

Hello! I am not using docker myself, but I had this same 15552000 HSTS problem persisting with my NextCloudPi install, even when I made totally sure the settings were correct.

In the end the problem was that Cloudflare had its own HSTS-settings overriding that max-age value and setting it to null. :see_no_evil: You can scan your domain headers f.ex. here and see if the report shows the max-age values you have set.

Hi,
I have had the same problem.
Although this answer is a little bit late, maybe it helps someone else.

The problem is that the middleware which sets the STS headers is not connected to the nextcloud https router. Also the middleware which is needed for the (card|cal) dav redirection has to be in that entry.
In this case you should have to add:

  - "traefik.http.routers.cloud-secure.middlewares=cloud,cloud-dav"

PS:
Regarding the (card|cal) dav redirection, in other solutions there is also the following line added:

  - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
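
The check described in the answer above can be automated. The following is an added example, not code from any of the posts or from the Traefik or Nextcloud projects: it lints a list of Traefik v2 Docker labels and reports every TLS router that has no attached middleware setting `stsSeconds` to at least 15552000. The function names are hypothetical, and it assumes label keys and middleware names can be matched case-insensitively.

```python
import re

MIN_STS_SECONDS = 15552000  # threshold named in the Nextcloud warning
LABEL_RE = re.compile(r"traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)")

def parse_labels(labels):
    """Group 'key=value' labels by router/middleware name (keys lowercased)."""
    parsed = {"routers": {}, "middlewares": {}}
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL_RE.fullmatch(key.strip().lower())
        if m:
            kind, name, option = m.groups()
            parsed[kind].setdefault(name, {})[option] = value.strip()
    return parsed["routers"], parsed["middlewares"]

def hsts_findings(labels):
    """Return one finding per TLS router without an effective HSTS middleware."""
    routers, middlewares = parse_labels(labels)
    findings = []
    for name, opts in sorted(routers.items()):
        # A router is treated as TLS if it carries any tls / tls.* option.
        if not any(k == "tls" or k.startswith("tls.") for k in opts):
            continue
        attached = [m.strip().lower().split("@")[0]
                    for m in opts.get("middlewares", "").split(",") if m.strip()]
        sts = [int(middlewares.get(m, {}).get("headers.stsseconds", "0"))
               for m in attached]
        if max(sts, default=0) < MIN_STS_SECONDS:
            findings.append(f"router '{name}': no attached middleware sets "
                            f"stsSeconds >= {MIN_STS_SECONDS} (attached: {attached})")
    return findings

# Constructed sample: a trimmed copy of the labels from the question.
QUESTION_LABELS = [
    "traefik.http.routers.cloud.entrypoints=http",
    "traefik.http.routers.cloud.middlewares=cloud-https-redirect",
    "traefik.http.routers.cloud-secure.entrypoints=https",
    "traefik.http.routers.cloud-secure.tls=true",
    "traefik.http.routers.cloud-secure.tls.certresolver=le",
    "traefik.http.middlewares.cloud.headers.STSSeconds=315360000",
    "traefik.http.middlewares.cloud.headers.forceSTSHeader=true",
]
# The same labels plus the line suggested in the answer above.
FIXED_LABELS = QUESTION_LABELS + [
    "traefik.http.routers.cloud-secure.middlewares=cloud,cloud-dav",
]

if __name__ == "__main__":
    for finding in hsts_findings(QUESTION_LABELS):
        print(finding)
```

A clean result here only shows that Traefik is configured to send the header; a CDN or proxy in front of Traefik can still change it, so the response seen by a browser should be checked as well.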

Thank you, very helpful

Hi, I had the same problem. Tried to implement the code line into every virtual server I could find. Turned out it was not the missing lines in the virtual server doc. When I enabled the header the error was gone. Use the following command:

sudo a2enmod headers