Been trying to set a nextcloud instance. Had a problem that might be related to another problem.
First the easy one. Been getting that strict-transport doesn't have a long enough max-age. However, the htaccess has a line for almost twice that. Turns out that nextcloud mangles the headers.
If I curl to a nonexistent page (cloud.server.com/error.php), I get the following, which shows the strict-transport line:
My second issue might just be related to the same problem. Even though nextcloud sets up a htaccess file, it probably is ignoring it. When I try to upload a file to a shared folder (with file drop and hide download), it pops a login window (seems like a htaccess request, and not a password request from nextcloud).
Any idea on how to make nextcloud not alter the headers?
Not sure it is a problem with the vm. If that was the case the nonexistent page would also have trouble. It is when nextcloud serves the page that I have trouble.
The headers from the nonexistent page (one that nextcloud doesn't modify) are what I would expect to see. However, when nextcloud serves the page, it adds headers and changes others (i.e. the strict-transport and probably the Authorization).
The admin:overview reports this:
There are some warnings regarding your setup.
The PHP memory limit is below the recommended value of 512MB.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.
Since myserver.com has the includeSubDomains clause, it probably is more an annoyance than an issue. Guess nextcloud doesn't check if the base domain is correct.
My biggest concern isn't the strict-transport, but the trouble with Authorization. It pops up a login window when I try to upload a file to a public dropbox folder. Guess both are related to what nextcloud is doing to the headers.
If I search the code, I find 18 instances of Content-Security-Policy. So nextcloud is modifying the headers. These header items are not provided by the server, but by nextcloud, and the strict-transport is gone.
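A small check I would add here (my own addition, not from the thread and not Nextcloud's own tooling): it parses a raw HTTP header block for the Strict-Transport-Security max-age and compares it against the 15552000-second minimum from the admin warning, run over two constructed header samples standing in for the nonexistent-page response and the Nextcloud-served response. check_url, which pipes curl -sSI into the same check, is an assumed helper for use against a live instance.

```shell
#!/bin/sh
# Minimum Strict-Transport-Security max-age (seconds) that the Nextcloud
# admin overview warning asks for.
HSTS_MIN=15552000

# Read a raw HTTP response header block from stdin and print the max-age
# value of its Strict-Transport-Security header; prints nothing if absent.
hsts_max_age() {
  tr -d '\r' \
    | awk -F': *' 'tolower($1) == "strict-transport-security" { print $2 }' \
    | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Succeed (exit 0) only when HSTS is present with max-age >= HSTS_MIN.
check_hsts() {
  age=$(hsts_max_age)
  [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN" ]
}

# Fetch only the headers of a live URL and run the same check on them
# (assumed helper: needs curl; the URL is whatever instance you are testing).
check_url() {
  curl -sSI "$1" | check_hsts
}

# Constructed sample: headers as served for a nonexistent page, where the
# .htaccess rule is honoured and the HSTS line appears.
HTACCESS_HEADERS='HTTP/1.1 404 Not Found
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Constructed sample: headers as served by Nextcloud itself, where it has
# added its own security headers and the HSTS line is gone.
NEXTCLOUD_HEADERS="HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html"

# Compare the two, the way you would compare /error.php with the app itself.
for name in HTACCESS_HEADERS NEXTCLOUD_HEADERS; do
  eval "hdrs=\$$name"
  if printf '%s\n' "$hdrs" | check_hsts; then
    echo "$name: HSTS ok (max-age $(printf '%s\n' "$hdrs" | hsts_max_age))"
  else
    echo "$name: HSTS missing or max-age below $HSTS_MIN"
  fi
done
```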
Turns out there is some problem with the htaccess file that nextcloud creates. I added the following lines to the file, and at least now I can upload files without a login window popping up.
Seems that the conditions for the original code weren't being met, and these lines never got executed. Added the AuthBasicAuthoritative just for good measure.
# Let authentication fall through to the application instead of having mod_auth_basic reject the request
AuthBasicAuthoritative Off
# Capture the incoming Authorization header and re-send it to the backend as XAuthorization
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
# Also expose it to PHP as HTTP_AUTHORIZATION
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
Still not getting the strict-transport line to appear, since nextcloud is mangling it somehow when it sets the headers. However, I don't think it is an issue, since the main domain has includeSubDomains.
Don't think there is much difference between these and what I had posted before. Also included the whole transaction, maybe that was what you were looking for, though the part that showed how nextcloud changes the headers was shown before.
Also, aren't cookies lasting till Dec-2100 a bit extravagant?