HSTS Configuration

Hi there.

Just moved my server from OwnCloud to Nextcloud (Nextcloud 9.0.52 (stable)) by way of a new VM install on Ubuntu Server 14.04.

I’m having real trouble trying to get HSTS working. I’m not sure if it’s my config or something else. I’ve got SSL working nicely but just trying to round off some of the last remaining warnings on the admin page. This worked well in OwnCloud but I was using NGINX then, and I’ve since moved to Apache for Nextcloud.

Any advice would be welcome! Here are my confs. Anyone spot anything out of the ordinary? I’ve tried just about every combination of header line from the web searches but nothing seems to do the trick. As I mentioned, the certs seem to work well and I can access HTTPS OK and get an SSL Labs score of A, but HSTS is never enabled! I’m sure I’m doing something stupid…

nextcloud.conf:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerName exturlremoved
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        SSLProtocol             all -SSLv3
        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-PO$
        SSLHonorCipherOrder     on
        SSLCompression          off
        SSLSessionTickets       off
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/letsencrypt/live/exturlremoved/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/exturlremoved/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/exturlremoved/chain.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <Directory /var/www/nextcloud>
                Options Indexes FollowSymLinks
                AllowOverride All
                Allow from all
                Require all granted
                Dav Off
                Satisfy Any
        </Directory>
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
</VirtualHost>
</IfModule>

000-default.conf:

<VirtualHost *:80>
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
</VirtualHost>
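Rather than guessing which config file is in effect, it helps to look at what the server actually returns. The following shell script is an added example (it is not from this thread, from Nextcloud, or from Apache): it reads captured HTTP response headers on stdin, extracts the Strict-Transport-Security value and grades it against 15552000 seconds (180 days), which is the minimum the Nextcloud admin page checks for; the thread's own 15768000 clears that bar. The hostname cloud.example.invalid is a placeholder and the three sample responses are constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Nextcloud): verify what an HTTPS
# server really sends for Strict-Transport-Security, from response headers
# read on stdin. Live use (hostname is a placeholder):
#   curl -sI https://cloud.example.invalid/ | hsts_check
# Apache only emits a Header directive from the <VirtualHost> that served the
# request, so a header placed in a vhost that never matches is silently absent;
# checking the live response shows this immediately.

# Threshold the Nextcloud admin page checks for (180 days, in seconds).
HSTS_MIN_AGE=15552000

# Print the value of the Strict-Transport-Security header (name matched
# case-insensitively, CRLF tolerated); print nothing if it is absent.
hsts_value() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            $1 = ""; sub(/^ +/, ""); print; exit
        }'
}

# Grade a header value passed as $1. Prints one of
#   missing | weak <reason> | ok <max-age>
# and returns 1 for missing, 2 for weak, 0 for ok.
hsts_grade() {
    value=$1
    [ -n "$value" ] || { echo "missing"; return 1; }
    # Directive names are case-insensitive; max-age is the only required one.
    lc=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    age=$(printf '%s' "$lc" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "weak no max-age directive"; return 2
    fi
    if [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo "weak max-age $age below $HSTS_MIN_AGE"; return 2
    fi
    echo "ok $age"; return 0
}

# Read response headers from stdin and grade the HSTS header found in them.
hsts_check() {
    hsts_grade "$(hsts_value)"
}

# Constructed sample responses (not captured from any real server).
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Type: text/html'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

SAMPLE_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=3600
Content-Type: text/html'

# Demo over the constructed samples; the non-zero statuses are ignored here
# so the demo runs to completion.
for sample in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_SHORT"; do
    printf '%s\n' "$sample" | hsts_check || true
done
```

Two things worth keeping in mind when reading the result: the `always` condition in `Header always set` matters, because without it mod_headers only adds the header to successful responses, and a header that shows up on `/` but not on an error page or a redirect will still be flagged by some checkers; and the header only counts when it arrives over HTTPS, so test the 443 vhost, not the port 80 redirect.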

Have you enabled the module headers? sudo a2enmod headers


Yes. I have enabled the modules. Running the command again says ‘the modules are already enabled’, or words to that effect.

One thing I was slightly confused about is whether I should have a 000-default.conf in the first place seeing as I am only going to be using HTTPS on port 443.

This is a clean Ubuntu Server install and the server will not be hosting anything else. Does anyone think the configs could be done any differently? I ask as I read something about HSTS only working if the header packet is encrypted, so I wonder if it’s the configs I’m using that may be the problem?

So I’ve finally got this working though I’m not entirely sure why. Posting in case anyone else has this behavior.

I had to add the following lines to the bottom of the /etc/apache2/apache2.conf file. I think this will affect every site on the server, but in my case, this is dedicated to Nextcloud so no bother. Use with caution if you host multiple sites though, as I do not fully understand the impact and it will likely affect other sites.

Not sure why this doesn’t work on the vhosts config but it got rid of the warning so happy for now.

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

Enabling the module headers fixed this warning for me, thank you!

I’m attempting to follow these directions to enable HSTS headers but have never done this kind of work before.

I’ve managed to use Filezilla to download and edit the .conf file but I don’t know where in the file to put the new text?

Also, when I try to upload it back to the server Filezilla asks me if I want to overwrite the existing file, and when I say yes the transfer fails. Any suggestions would be most appreciated.

In case anyone comes across this and their Nextcloud is behind HAProxy, you must set HSTS in HAProxy.

backend cloud.my_server.com
 <snip>
 http-response set-header Strict-Transport-Security max-age=157680000;