Nextcloud fedora 38 install many problems remain without answer… HSTS

frpatte · August 28, 2023, 10:07am

After installing nextcloud on fedora 38, I get this message:

The HTTP header “Strict-Transport-Security” is not set to at least “15552000” seconds. For enhanced security, it is recommended to activate HSTS as indicated in the security elements .

So I followed the security recommendation (when the link works…) : I added this in /etc/httpd/conf.d/virtualhost.conf file:

<VirtualHost :443>
ServerName nextcloud************

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

And… nothing has changed!

jtr · August 31, 2023, 4:11pm

Do you have a proxy (Cloudflare counts) at all in front or is this VirtualHost entry the sole termination point for HTTPS connections?

I assume you restarted Apache after making the above change?

frpatte · September 1, 2023, 5:05pm

I don’t understand what you mean with “Do you have a proxy (Cloudflare counts) …”

And, of course, I restart apache when I add a config!

Thak you.

F.P.

sebastiank · September 1, 2023, 5:18pm

Hi @frpatte,

What @jtr is asking is do you have a proxy service setup in front of your Apache server, like Nginx, Caddy, Cloudflare, etc? For instance if you are using the Nextcloud AIO setup, it automatically sets up a proxy in front of apache, you would then need to change the HSTS on the proxy.

Also have you checked your VirtualHost file? To make sure HSTS is set to 15552000?

Also browsers are lazy, they cache a lot of information, instead of re downloading it, so changes you make might not show in the browser for a few hours/days. Try clearing your cache.

Sebastian

frpatte · September 2, 2023, 10:32am

No, I haven’t any proxy… nginx if off (masked) and my VirtualHost.conf is:

<VirtualHost :443>
ServerName nextcloud*******

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

and module mod_header is loaded:
httpd -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)

headers_module (shared)

Of course, I restarted httpd …

F.P.

sebastiank · September 2, 2023, 12:41pm

Morning @frpatte

Is the headers module installed and turned on?

Here is a guide:

Sebastian

frpatte · September 4, 2023, 5:01pm

Of course! I sent the result of httpd -M | grep headers

headers_module (shared)