HSTS on docker container?

numsi · October 23, 2019, 1:43pm

Hi,
I am running nextcloud of a docker container and I’ve read about the HSTS in the documentation https://docs.nextcloud.com/server/17/admin_manual/installation/harden_server.html?highlight=hsts#enable-http-strict-transport-security

But where to I find the Apache VirtualHost file?

Thanks

Reiner_Nippes · October 23, 2019, 1:58pm

which one?

numsi · October 23, 2019, 3:08pm

It’s linuxserver/nextcloud. I also have letsencrypt container running that has nginx properly configured. But when I go to the nextcloud settings I get that warning that I should configure HSTS.

Reiner_Nippes · October 23, 2019, 3:35pm

sure? because that container should handle ssl.
did you check the nginx config for a line like this:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;

(which letsencrypt container do you have?)

numsi · October 23, 2019, 4:12pm

I have linxserver/letsencrypt and I can access nextcloud like this https://mydomain.com/nextcloud without any issues.

Reiner_Nippes · October 23, 2019, 4:41pm

sure. you would only mention the hsts thing if you have trouble with a man in the middle.

i guess hsts is disabled because of this statment:

github.com

linuxserver/docker-letsencrypt/blob/535dcee33a866b6921a03b13bd7b50350c76b072/root/defaults/ssl.conf#L20


      
          
          # ssl certs
          ssl_certificate /config/keys/letsencrypt/fullchain.pem;
          ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
          
          # protocols
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_prefer_server_ciphers on;
          ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
          
          # HSTS, remove # from the line below to enable HSTS
          #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
          
          # OCSP Stapling
          ssl_stapling on;
          ssl_stapling_verify on;
          resolver 127.0.0.11 valid=30s; # Docker DNS Server
          
          # Enable TLS 1.3 early data
          ssl_early_data on;

did you use a docker compose file to start your nextcloud/letsencrypt containers? is there a -v statement to map config files from your host into the container?

numsi · October 23, 2019, 4:55pm

Yes I have -v that maps to the config folder

Reiner_Nippes · October 23, 2019, 6:32pm

so you could add/uncomment the add_header Strict-Transport-Security line and restart the container.

numsi · October 23, 2019, 6:49pm

Thank you! That did the trick!