I’m using different vServers for NC installation and a Reverse Proxy
so my NC VM is listening under 192.168.55.16, my RevProxy under 192.168.55.33
I followed the Install instructions from this side
c-rieger
For my config.php i set the parameters from this side
Reverse Proxy - HowTo from NextCloud
'trusted_proxies' =>
array (
0 => '192.168.55.33',
),
'overwritehost' => 'MY.DOMAIN.TLD',
'overwriteconaddr' => '^192\\.168\\.55\\.33$',
'forward_for_headers' =>
array (
0 => 'X_FORWARDED_FOR',
1 => 'HTTP_X_FORWARDED_FOR',
),
My Reverse Proxy (running nginx 1.15.7 with OpenSSL 1.1.1 and TLS 1.3 support)
uses different *.conf files
e.g. a ssl.conf that contains the following parameters
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# Framing-Prevention
add_header X-Frame-Options DENY;
My first setup of my nc installation contained a headers.conf file under 192.168.55.16 with following parameters
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "geolocation 'self'";
After reading this tutorial -> HSTS Support - Reverse Proxy
i decided to change my headers.conf under 192.168.55.16 because of HSTS Errors under Qualys SSL Check - using double paramters for add_header Strict-Transport-Security …
(under 192.168.55.33 in ssl.conf AND 192.168.55.16 in headers.conf)
My headers.conf under 192.168.55.16 looks like this now
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "geolocation 'self'";
With that config i get an A+ instead of A under Qualys SSL Check checking my Domain from outside my network.
Checking my NC config under https://MY.DOMAIN.TLD/settings/admin/overview says
Es gibt einige Warnungen bei Deiner Systemkonfiguration.
Der "Strict-Transport-Security" HTTP-Header ist nicht auf mindestens "15552000" Sekunden eingestellt. Für
mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in den Sicherheitshinweisen erläutert ist.
Now my Question:
What possibilities do i have to suppress the Warning under NC or which changes are possible to let NC check ignore the local NC Server settings for HSTS because of the usage of a reverse Proxy in front of the NC vServer?
My NC Server is fully reachable from outside without any problems, but the warning is deceptive every time i open my admin settings page under NC.
I’m using the HSTS parameters under my Rev Proxy (192.168.55.33) because the Qualys-SSL check results for any of my other subDomains in an A+ testimony.
If i use HSTS only under my NC setup (headers.conf under 192.168.55.16) my Qualys-SSL URL check for my other subDomains result in A instead of an A+ and only my NC Server has an A+ testimony.
Thanks for help. I hope my information about my config are sufficient…