HTTP Strict Transport Security warning appears although correct code is applied

Nextcloud version: 28.0.1
Operating system and version: Debian 12 (Bookworm)
Apache or nginx version: Apache 2.4.57
PHP version: 8.2.7

The issue you are facing:
I know, this has been discussed in this forum several times, but I am somehow not able to find an answer to my problem:
In my Nextcloud, the error description of a missing HTTP Strict Transport Security header appears.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS.
But when I add the lines to my nextcloud.conf file in the Apache config folder as described in the docs, nothing changes.
Interestingly, it works, when I add the same lines to the .htaccess file of the Nextcloud installation, but obviously, after every update, the problem appears again.
Does anybody have an idea what my problem could be?

Here is my Apache config file:

<VirtualHost *:80>
ServerName my.server.org
Redirect permanent / https://my.server.org/
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  DocumentRoot /var/www/nextcloud/
  ServerName my.server.org
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>

SSLCertificateFile /etc/letsencrypt/live/my.server.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.server.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Is this the first time you’ve seen this error?
No

The output of your Nextcloud log in Admin > Logging:
(It is empty.)

The output of your Apache/nginx/system log in /var/log/apache2/error.log:

[Wed Dec 27 00:00:01.546459 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 00:00:01.546551 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 00:00:01.546555 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 27 03:48:58.433906 2023] [php:error] [pid 12764] [client 1.123.123.123:12345] script '/var/www/html/echo.php' not found or unable to stat, referer: https://www.google.com/
[Wed Dec 27 06:44:48.313609 2023] [mpm_prefork:notice] [pid 6597] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Dec 27 06:44:48.349923 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 06:44:48.350017 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 06:44:48.350022 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 27 06:44:52.772560 2023] [mpm_prefork:notice] [pid 6597] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Dec 27 06:44:52.800281 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 06:44:52.800355 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 06:44:52.800359 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'

Thank you for your support!
nicleobonus

I guess that the order matters.
I use max-age=63072000 as suggested by:

This is how I have it and it works:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    SSLEngine on
    ServerName domain.net
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    </IfModule>
  ServerAdmin admin@domain.net
  DocumentRoot /var/www/nextcloud
  .. etc

Much luck,
ernolf

Thank you very much for your answer!
I applied the changes you suggested, so my nextcloud.conf now looks like this:

<VirtualHost *:80>
ServerName my.server.org
Redirect permanent / https://my.server.org/
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  ServerName my.server.org
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
  DocumentRoot /var/www/nextcloud/
  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
SSLCertificateFile /etc/letsencrypt/live/my.server.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.server.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Unfortunately, the warning still appears.
Kind regards
nicleobonus

Hello everyone,
I have a freshly installed Nextcloud on an Ubuntu server and am now also struggling with the warning:

The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

I have customised the virtual host file.
Ran sudo a2enmod headers
Restarted

All without success

I don’t know where is the problem.

Regards Arthur

I was able to solve my issue by cleaning up my sites-available (and therefore sites-enabled) folder in Apache. In fact, Let’s Encrypt created a new config file which is named nextcloud-le-ssl.conf. This file had properties conflicting with my nextcloud.conf file, which wanted to regulate the SSL properties as well. I just put everything regarding SSL in the nextcloud-le-ssl.conf file including the HSTS settings and deleted them from the original nextcloud.conf file.
I hope that works for you as well.
Kind regards
nicleobonus

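The two checks a practitioner would want for the situation described in this thread (ernolf's point that vhost order matters, and the duplicate *:443 VirtualHost that turned out to be the cause) as a shell script. This is an added example, not code posted in the thread or shipped by Nextcloud or Apache: it parses captured response headers for a sufficiently large HSTS max-age, and it scans a directory of Apache site files for the same ServerName declared in more than one *:443 block. The host name my.server.org, the sample headers and the two sample .conf files are constructed for the demonstration; the live commands for a real server are given in the comments.

```shell
# Added example (not from the thread). Two checks for the HSTS problem above:
#  1. does the host actually send Strict-Transport-Security with a max-age of at
#     least 15552000 seconds, the minimum Nextcloud's setup check asks for?
#  2. do several files in sites-enabled declare a *:443 VirtualHost for the same
#     ServerName (the nextcloud.conf / nextcloud-le-ssl.conf situation)?
# my.server.org and the sample data below are constructed for the demo.

NC_HSTS_MIN=15552000

# hsts_max_age HEADERS: print the max-age of the first Strict-Transport-Security
# line in HEADERS (raw response headers as one string); print nothing if absent.
hsts_max_age() {
  printf '%s\n' "$1" \
    | tr -d '\r' | tr 'A-Z' 'a-z' \
    | grep '^strict-transport-security:' \
    | head -n 1 \
    | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_ok HEADERS: succeed only when max-age is present and >= NC_HSTS_MIN.
hsts_ok() {
  _age=$(hsts_max_age "$1")
  [ -n "$_age" ] && [ "$_age" -ge "$NC_HSTS_MIN" ]
}

# dup_ssl_servernames DIR: print "name<TAB>file,file" for every ServerName that
# appears in more than one <VirtualHost ...:443> block across DIR/*.conf.
# Apache serves a name from the first matching VirtualHost it loads, so a
# Header directive placed in a later duplicate block is never sent.
dup_ssl_servernames() {
  for f in "$1"/*.conf; do
    awk -v f="$f" '
      /^[[:space:]]*<VirtualHost[^>]*:443/          { in443 = 1 }
      in443 && /^[[:space:]]*ServerName[[:space:]]/ { print $2 "\t" f }
      /^[[:space:]]*<\/VirtualHost>/                { in443 = 0 }
    ' "$f"
  done | sort | awk -F '\t' '
    { files[$1] = ($1 in files) ? files[$1] "," $2 : $2; n[$1]++ }
    END { for (k in n) if (n[k] > 1) print k "\t" files[k] }
  '
}

# --- constructed sample data ---------------------------------------------
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html'

BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# Two site files that both claim *:443 for my.server.org; only one of them
# carries the HSTS header, mirroring the situation in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nextcloud.conf" <<'EOF'
<VirtualHost *:80>
  ServerName my.server.org
  Redirect permanent / https://my.server.org/
</VirtualHost>
<VirtualHost *:443>
  ServerName my.server.org
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/nextcloud-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
  ServerName my.server.org
  SSLEngine on
</VirtualHost>
EOF

# Demo run. The live equivalents on the server are
#   hsts_ok "$(curl -sI https://my.server.org/)"
#   dup_ssl_servernames /etc/apache2/sites-enabled
# and "apache2ctl -S", which lists the VirtualHost Apache picked for each name.
hsts_ok "$GOOD_HEADERS" && echo "sample 1: HSTS ok (max-age $(hsts_max_age "$GOOD_HEADERS"))"
hsts_ok "$BAD_HEADERS"  || echo "sample 2: HSTS header missing or too short"
dup_ssl_servernames "$SAMPLE_DIR"
```

Run it with sh; the duplicate scan prints one line naming my.server.org and both sample files. On a real Debian host, point dup_ssl_servernames at /etc/apache2/sites-enabled and put the Header directive (and the SSL settings) only in the file that apache2ctl -S reports as serving the name.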

Thanks, that is it.
Now it works

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.