Hi there.
Just moved my server from OwnCloud to Nextcloud (Nextcloud 9.0.52 (stable)) by way of a new VM install on Ubuntu Server 14.04.
I’m having real trouble trying to get HSTS working. I’m not sure if it’s my config or something else. I’ve got SSL working nicely but just trying to round off some of the last remaining warnings on the admin page. This worked well in OwnCloud but I was using NGINX then, and I’ve since moved to Apache for Nextcloud.
Any advice would be welcome! Here are my confs. Anyone spot anything out of the ordinary? I’ve tried just about every combination of header line from the web searches but nothing seems to do the trick. As I mentioned, the certs seem to work well and I can access HTTPS OK and get an SSL Labs score of A but HSTS is never enabled! I’m sure I’m doing something stupid…
nextcloud.conf:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName exturlremoved
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        SSLProtocol all -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-PO$
        SSLHonorCipherOrder on
        SSLCompression off
        SSLSessionTickets off
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/letsencrypt/live/exturlremoved/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/exturlremoved/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/exturlremoved/chain.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <Directory /var/www/nextcloud>
            Options Indexes FollowSymLinks
            AllowOverride All
            Allow from all
            Require all granted
            Dav Off
            Satisfy Any
        </Directory>
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
    </VirtualHost>
</IfModule>
000-default.conf:
<VirtualHost *:80>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
</VirtualHost>
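
Apache skips an `<IfModule>` block without any error when the named module is not loaded, so a `Header` directive guarded this way can be silently inactive. The following added example (not part of the original post) lists the directives a config would skip for a given `apache2ctl -M` output; the sample config and module list are constructed, and the `mod_X.c` to `X_module` mapping is an assumed naming convention.

```python
import re

# Constructed sample: a trimmed version of the vhost above.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
SSLEngine on
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
</VirtualHost>
</IfModule>
"""

# Constructed sample of `apache2ctl -M` output with mod_headers not enabled.
SAMPLE_MODULES = """\
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 rewrite_module (shared)
"""

def loaded_modules(apachectl_output):
    """Extract module identifiers such as 'ssl_module' from `apache2ctl -M` output."""
    return set(re.findall(r"^\s*(\w+_module)\b", apachectl_output, re.M))

def to_identifier(name):
    """Map 'mod_headers.c' to 'headers_module' (naming convention, assumed to hold)."""
    m = re.fullmatch(r"mod_(\w+)\.c", name)
    return f"{m.group(1)}_module" if m else name

def skipped_directives(conf_text, modules):
    """Return (guard, line) pairs that Apache ignores because an
    enclosing <IfModule> test is false for the given loaded modules."""
    stack, skipped = [], []   # stack holds (guard text, test passed?)
    for raw in conf_text.splitlines():
        line = raw.strip()
        open_tag = re.fullmatch(r"<IfModule\s+(!?)(\S+?)\s*>", line, re.I)
        if open_tag:
            negated, name = open_tag.groups()
            present = to_identifier(name) in modules
            stack.append((negated + name, present != bool(negated)))
        elif re.fullmatch(r"</IfModule>", line, re.I):
            stack.pop()
        elif line and not line.startswith("#"):
            failed = [guard for guard, ok in stack if not ok]
            if failed:   # report the outermost failing guard
                skipped.append((failed[0], line))
    return skipped
```

Feeding it the real output of `apache2ctl -M` and the contents of the vhost file shows whether the `Strict-Transport-Security` line is ever evaluated.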