NC does not load after I set up HTTP Strict Transport Security

hook · June 10, 2018, 2:53pm

Nextcloud version (eg, 12.0.2): 13.0.2
Operating system and version (eg, Ubuntu 17.04): Debian GNU/Linux 9.4 (stretch) (Armbian version)
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.10.3
PHP version (eg, 7.1): 7.0.27

The issue you are facing:

With HSTS enabled (in Nginx) I cannot access my Nextcloud instance through the website any more.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

I tried to get rid of the following warning/error:

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

by following the advice on the security tips link (together with NC examples for setting up Nginx).
I uncommented in my Nginx Nextcloud config file both lines that say:
```
add_header Strict-Transport-Security "max-age=15768000;
```
reload/restart Nginx
Error I get in Chrome (in Firefox, the page just does not even start loading):
```
ERR_SPDY_PROTOCOL_ERROR
```

The output of your Nextcloud log in Admin > Logging:

Didn’t see anything relevant. If there is something I should watch out for, do let me know and I’m happy to reproduce.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '###REDACTED###',
  'passwordsalt' => '###REDACTED###',
  'secret' => '###REDACTED###,
  'trusted_domains' =>
  array (
    0 => 'thatfunkyplace.wheremymonkeyis.at',
    1 => 'explorethe7seas.wheremymonkeyis.at',
  ),
  'datadirectory' => '/srv/nextcloud_data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'pgsql',
  'version' => '13.0.2.1',                                                                                                                      [20/953]
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '5432',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'www-data',
  'dbpassword' => ''###REDACTED###',
  'logtimezone' => 'Europe/Ljubljana',
  'installed' => true,
  'memcache.local' => '\OC\Memcache\APCu',
#  'memcache.local' => '\OC\Memcache\Redis',
#  'redis' => array (
#   'host' => '/var/run/redis/redis.sock',
#   'port' => 0,
#   ),
#  'memcache.locking' => '\OC\Memcache\Redis',
  'maintenance' => false,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\Preview\Image',
    1 => 'OC\Preview\MP3',
    2 => 'OC\Preview\TXT',
    3 => 'OC\Preview\MarkDown',
    4 => 'OC\Preview\Epub',
    5 => 'OC\Preview\PDF',
  ),
  'theme' => '',
  'loglevel' => 0,
  'mail_domain' => ''###REDACTED###',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => ''###REDACTED###',
  'mail_smtpauth' => 1,
  'mail_smtphost' => ''###REDACTED###',
  'mail_smtpport' => '465',
  'mail_smtpname' => ''###REDACTED###',
  'mail_smtppassword' => ''###REDACTED###',
  'updater.release.channel' => 'stable',
);

The output of your Apache/nginx/system log in /var/log/____:

Didn’t see anything relevant. If there is something I should watch out for, do let me know and I’m happy to reproduce.

Happy to re-produce and add the above files if needed.

MeiRos · June 11, 2018, 6:11am

Test in incognito mode. If it works, then it’s your browser cache. Delete cache and it should work.

hook · June 11, 2018, 6:50am

When I tried it in Chromium, it was the first time ever that I went to that URL in that browser.

I also tried it in Firefox’ incognito mode and it also didn’t load.

It doesn’t seem to be the browser cache.

MeiRos · June 11, 2018, 4:09pm

Can you post your nginx Nextcloud config?
If it’s not browser cache, I bet it’s the config.

hook · June 12, 2018, 10:25am

Yeah, i found the culprit – typo in the nginx config file (the add_header line was not closed properly). /me stupid

Currently it works with the following line:

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
        # preload;";

But I wonder if it would make sense to also include the preload part:

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

On one hand it seems to be The Proper Way™, on the other all the warnings that I see about it not being default, I wonder how much I can mess up.

MeiRos · June 12, 2018, 4:12pm

That happens.

I’m not using preload, because it may take a long time to remove domain from the preload list, if needed. And my server is only for my family, so I think that will not make it much more secure.

hook · June 20, 2018, 12:09pm

Same here