Hi,
My host allows me to send HSTS headers, which I usually configure, but if I do this as normal (Apache config), I get a warning that more than one HSTS header has been sent out:
“Server provided more than one HSTS header”
Is Nextcloud sending HSTS headers itself?
No. So this either is a bug in the header detection (unlikely) or something else in your setup adds it twice (my bet is on that).
Can you post the results of curl -v https://example.com/ ? Obviously replace example.com with your own domain.
Yeah, guessing the same, was just a bit puzzled as other domains work fine.
root@jessie-rpi:~# curl -v https://sub.domain.tld/cloud
* Hostname was NOT found in DNS cache
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 1.2.3.4...
* Connected to sub.domain.tld (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: CN=sub.domain.tld
* start date: 2016-06-15 15:19:00 GMT
* expire date: 2016-09-13 15:19:00 GMT
* subjectAltName: sub.domain.tld matched
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET /cloud HTTP/1.1
> User-Agent: curl/7.38.0
> Host: sub.domain.tld
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 26 Jun 2016 20:39:40 GMT
* Server Apache is not blacklisted
< Server: Apache
< Strict-Transport-Security: max-age=31536000
< Location: https://sub.domain.tld/cloud/
< Vary: Accept-Encoding
< Content-Length: 245
< Content-Type: text/html; charset=iso-8859-1
<
{ [data not shown]
100 245 100 245 0 0 911 0 --:--:-- --:--:-- --:--:-- 917
* Connection #0 to host sub.domain.tld left intact
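
The curl output above stops at the 301 redirect, so only that one response's headers are visible. As an added example (not part of the original posts), this counts HSTS headers in every response of a redirect chain; `hsts_count` and `sample_headers` are names made up here, and the second response in the sample is constructed to show what a duplicate looks like.

```shell
#!/usr/bin/env bash
# Count Strict-Transport-Security headers per response in a raw header dump.
# Live use (follows the redirect so every hop is checked):
#   curl -sS -I -L https://sub.domain.tld/cloud | hsts_count

# Reads response headers on stdin and prints one line per response:
#   <status line> hsts=<count> [DUPLICATE]
hsts_count() {
  awk '
    function report() {
      printf "%s hsts=%d%s\n", status, n, (n > 1 ? " DUPLICATE" : "")
    }
    { sub(/\r$/, "") }                  # strip CR from CRLF line endings
    /^HTTP\// {                         # a status line starts a new response
      if (status != "") report()
      status = $0; n = 0; next
    }
    # header names are case-insensitive, so compare in lower case
    tolower($0) ~ /^strict-transport-security:/ { n++ }
    END { if (status != "") report() }
  '
}

# Constructed sample: the 301 mirrors the response shown in the thread,
# the 200 is invented to illustrate two HSTS headers on one response.
sample_headers() {
  printf '%s\r\n' \
    'HTTP/1.1 301 Moved Permanently' \
    'Server: Apache' \
    'Strict-Transport-Security: max-age=31536000' \
    'Location: https://sub.domain.tld/cloud/' \
    '' \
    'HTTP/1.1 200 OK' \
    'Server: Apache' \
    'Strict-Transport-Security: max-age=31536000' \
    'strict-transport-security: max-age=15768000' \
    'Content-Type: text/html; charset=UTF-8' \
    ''
}

sample_headers | hsts_count
```

A response flagged DUPLICATE identifies which hop carries the repeated header, which narrows down whether the redirect or the final page is where it is being added twice.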