I’m using different vServers for the NC installation and a reverse proxy,
so my NC VM is listening on 192.168.55.16 and my RevProxy on 192.168.55.33.
I followed the install instructions from this site:
c-rieger
For my config.php I set the parameters from this site:
Reverse Proxy - HowTo from NextCloud
'trusted_proxies' =>
array (
0 => '192.168.55.33',
),
'overwritehost' => 'MY.DOMAIN.TLD',
'overwritecondaddr' => '^192\\.168\\.55\\.33$', // key is overwritecondaddr (fixed typo); overwrite* only applies to requests from the proxy
'forwarded_for_headers' => // key is forwarded_for_headers (fixed typo)
array (
0 => 'X_FORWARDED_FOR',
1 => 'HTTP_X_FORWARDED_FOR',
),
My reverse proxy (running nginx 1.15.7 with OpenSSL 1.1.1 and TLS 1.3 support)
uses different *.conf files,
e.g. an ssl.conf that contains the following parameters:
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# Framing-Prevention
add_header X-Frame-Options DENY;
My first setup of my NC installation contained a headers.conf file under 192.168.55.16 with the following parameters:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "geolocation 'self'";
After reading this tutorial → HSTS Support - Reverse Proxy
I decided to change my headers.conf under 192.168.55.16 because of HSTS errors in the Qualys SSL Check, caused by duplicate add_header Strict-Transport-Security parameters …
(under 192.168.55.33 in ssl.conf AND under 192.168.55.16 in headers.conf)
My headers.conf under 192.168.55.16 now looks like this:
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "geolocation 'self'";
With that config I get an A+ instead of an A in the Qualys SSL Check when checking my domain from outside my network.
Checking my NC config under https://MY.DOMAIN.TLD/settings/admin/overview says:
There are some warnings regarding your system configuration.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Now my question:
What possibilities do I have to suppress the warning in NC, or which changes are possible to let the NC check ignore the local NC server settings for HSTS because of the reverse proxy in front of the NC vServer?
My NC server is fully reachable from outside without any problems, but the warning is misleading every time I open my admin settings page in NC.
I’m using the HSTS parameters on my reverse proxy (192.168.55.33) because the Qualys SSL check results for all of my other subdomains are then an A+ rating.
If I use HSTS only in my NC setup (headers.conf under 192.168.55.16), my Qualys SSL URL checks for my other subdomains result in an A instead of an A+, and only my NC server has an A+ rating.
Thanks for your help. I hope my information about my config is sufficient…
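As an added example (not from the original post, Nextcloud or nginx), a small Python checker for the situation described above: it collects the Strict-Transport-Security header(s) from a raw response, flags a duplicated header such as the proxy-plus-backend case that upset the Qualys check, and compares max-age with the 15552000-second minimum the admin overview warns about. The sample response headers are constructed from the two values in the post.

```python
from typing import Dict, List

# Nextcloud's admin overview warns when max-age is below this (value from the post).
NEXTCLOUD_MIN_MAX_AGE = 15552000

def sts_values(raw_headers: str) -> List[str]:
    """Collect every Strict-Transport-Security value from a raw header block
    (e.g. what `curl -sI https://MY.DOMAIN.TLD/` prints), case-insensitively."""
    return [line.split(":", 1)[1].strip() for line in raw_headers.splitlines()
            if line.lower().startswith("strict-transport-security:")]

def parse_hsts(value: str) -> Dict[str, str]:
    """Split an STS value into its directives; tolerates a stray trailing ';'."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts(sts_headers: List[str]) -> Dict[str, object]:
    """Evaluate the STS header(s) of one response: missing header, duplicated
    header (proxy AND backend both adding one), and max-age below Nextcloud's minimum."""
    result = {"present": bool(sts_headers), "duplicate": len(sts_headers) > 1,
              "max_age": None, "meets_nextcloud_min": False, "problems": []}
    if not sts_headers:
        result["problems"].append("no Strict-Transport-Security header")
        return result
    if result["duplicate"]:
        result["problems"].append("multiple Strict-Transport-Security headers")
    max_age = parse_hsts(sts_headers[0]).get("max-age", "")
    if not max_age.isdigit():
        result["problems"].append("max-age missing or not numeric")
        return result
    result["max_age"] = int(max_age)
    result["meets_nextcloud_min"] = int(max_age) >= NEXTCLOUD_MIN_MAX_AGE
    if not result["meets_nextcloud_min"]:
        result["problems"].append(f"max-age {max_age} below {NEXTCLOUD_MIN_MAX_AGE}")
    return result

# Constructed sample: both header values from the post, as a browser would see
# them when the proxy and the Nextcloud vServer each add one.
PROXY_HSTS = "max-age=31536000; includeSubDomains; preload"
BACKEND_HSTS = "max-age=15768000; includeSubDomains; preload;"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: " + PROXY_HSTS +
                   "\r\nstrict-transport-security: " + BACKEND_HSTS + "\r\n\r\n")

if __name__ == "__main__":
    print(check_hsts(sts_values(SAMPLE_RESPONSE)))
```

Feeding it the headers captured from outside the network (through the proxy) and directly from 192.168.55.16 shows which of the two hosts the browser-side check actually sees an HSTS header from.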