I installed the cloud storage the same way as written on the site (https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-18-04), but I have two problems that I want to solve. The solutions indicated in the community have not yet led to a positive result. Help me, please. noob
//The server has a Self-Signed Certificate. 512 MB RAM. 1 CORE CPU. 20 GB SSD
- The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies;
- The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Hello pasinannie,
Here is how I configured my Apache Server SSL config to fix HSTS and __Host-Prefix:
Header always set Referrer-Policy "no-referrer"
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
#With RC4 only for older browsers
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
#Same as above but without RC4 - gave me better results on SSL Tests
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Note: I had issues with the __Host-Prefix message as well, but adding the no-referrer Referrer-Policy, to remove messages in the Nextcloud Admin panel, solved that one as well.
Hope it works for you too!
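To confirm what the server actually sends after a change like the one above, the following is an added example (not part of either post, and not Nextcloud's own check) that audits a raw response head for the HSTS threshold from the warning and for the browser rules on `__Host-` cookies (Secure, Path=/, no Domain). The cookie name `__Host-example` and both sample responses are constructed for illustration.

```python
import re

MIN_HSTS_AGE = 15552000  # threshold quoted in the Nextcloud warning

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response head, keeping duplicates."""
    lines = raw.strip().splitlines()[1:]  # first line is the status line
    split = (line.partition(":") for line in lines)
    return [(n.strip().lower(), v.strip()) for n, sep, v in split if sep]

def audit(raw):
    """Return a list of findings; an empty list means both checks pass."""
    pairs, findings = parse_headers(raw), []
    hsts = [v for n, v in pairs if n == "strict-transport-security"]
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append("HSTS header missing")
    elif not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_AGE}: {hsts[0]!r}")
    for value in (v for n, v in pairs if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].partition("=")[0]
        if not cookie.startswith("__Host-"):
            continue
        attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
        # Browsers reject a __Host- cookie unless all three conditions hold.
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure")
        if "domain" in attrs:
            findings.append(f"{cookie}: Domain attribute not allowed")
        if attrs.get("path") != "/":
            findings.append(f"{cookie}: Path must be /")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
Set-Cookie: __Host-example=abc; path=/; secure; HttpOnly; SameSite=Lax
"""
BAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
Set-Cookie: __Host-example=abc; path=/nextcloud; Domain=example.com
"""

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(raw) or "ok")
```

The input can be the output of `curl -skI https://your-server/` (`-k` accepts the self-signed certificate). Browsers ignore Strict-Transport-Security when the TLS connection has certificate errors (RFC 6797), so with an untrusted self-signed certificate the header can be present in the response yet not be enforced by the browser.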