NC does not load after I set up HTTP Strict Transport Security

Nextcloud version (eg, 12.0.2): 13.0.2
Operating system and version (eg, Ubuntu 17.04): Debian GNU/Linux 9.4 (stretch) (Armbian version)
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.10.3
PHP version (eg, 7.1): 7.0.27

The issue you are facing:

With HSTS enabled (in Nginx) I cannot access my Nextcloud instance through the website any more.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. I tried to get rid of the following warning/error:

    The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

    by following the advice on the security tips link (together with NC examples for setting up Nginx).

  2. I uncommented in my Nginx Nextcloud config file both lines that say:

    add_header Strict-Transport-Security "max-age=15768000;
  3. reload/restart Nginx

  4. Error I get in Chrome (in Firefox, the page just does not even start loading):


The output of your Nextcloud log in Admin > Logging:

Didn’t see anything relevant. If there is something I should watch out for, do let me know and I’m happy to reproduce.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '###REDACTED###',
  'passwordsalt' => '###REDACTED###',
  'secret' => '###REDACTED###,
  'trusted_domains' =>
  array (
    0 => '',
    1 => '',
  'datadirectory' => '/srv/nextcloud_data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'pgsql',
  'version' => '',                                                                                                                      [20/953]
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '5432',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'www-data',
  'dbpassword' => ''###REDACTED###',
  'logtimezone' => 'Europe/Ljubljana',
  'installed' => true,
  'memcache.local' => '\OC\Memcache\APCu',
#  'memcache.local' => '\OC\Memcache\Redis',
#  'redis' => array (
#   'host' => '/var/run/redis/redis.sock',
#   'port' => 0,
#   ),
#  'memcache.locking' => '\OC\Memcache\Redis',
  'maintenance' => false,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\Preview\Image',
    1 => 'OC\Preview\MP3',
    2 => 'OC\Preview\TXT',
    3 => 'OC\Preview\MarkDown',
    4 => 'OC\Preview\Epub',
    5 => 'OC\Preview\PDF',
  'theme' => '',
  'loglevel' => 0,
  'mail_domain' => ''###REDACTED###',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => ''###REDACTED###',
  'mail_smtpauth' => 1,
  'mail_smtphost' => ''###REDACTED###',
  'mail_smtpport' => '465',
  'mail_smtpname' => ''###REDACTED###',
  'mail_smtppassword' => ''###REDACTED###',
  '' => 'stable',

The output of your Apache/nginx/system log in /var/log/____:

Didn’t see anything relevant. If there is something I should watch out for, do let me know and I’m happy to reproduce.

Happy to re-produce and add the above files if needed.

Test in incognito mode. If it works, then it’s your browser cache. Delete cache and it should work.

When I tried it in Chromium, it was the first time ever that I went to that URL in that browser.

I also tried it in Firefox’ incognito mode and it also didn’t load.

It doesn’t seem to be the browser cache.

Can you post your nginx Nextcloud config?
If it’s not browser cache, I bet it’s the config. :slight_smile:

Yeah, i found the culprit – typo in the nginx config file (the add_header line was not closed properly). /me stupid

Currently it works with the following line:

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
        # preload;";

But I wonder if it would make sense to also include the preload part:

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

On one hand it seems to be The Proper Way™, on the other all the warnings that I see about it not being default, I wonder how much I can mess up.

That happens. :slight_smile:

I’m not using preload, because it may take a long time to remove domain from the preload list, if needed. And my server is only for my family, so I think that will not make it much more secure.

Same here :slight_smile: