Hello. Thank you very much for your explanation. Am I understood correct: after creating this config, the old one which is: /etc/apache2/conf-available/nextcloud.conf
?
Could you please check my current config?
100-nextcloud.conf
<VirtualHost 10.17.16.9:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName bla.bla.com.ua
ServerAdmin webmaster@localhost
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#Use HTTPS only, all http requests will be redirected
Redirect permanent / https://bla.bla.com.ua/
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
<IfModule http2_module>
ProtocolsHonorOrder On
Protocols h2 h2c http/1.1
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_NAME} =bla.bla.com.ua
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>
<VirtualHost 10.17.16.9:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName bla.bla.com.ua
ServerAdmin webmaster@localhost
DocumentRoot /var/www/nextcloud
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/nextcloud">
Options +FollowSymLinks
AllowOverride All
SSLRenegBufferSize 10486000
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_Home /var/www/nextcloud
</Directory>
<Directory "/var/www/nextcloud/data/">
# just in case if .htaccess gets disabled
Require all denied
</Directory>
## Please enable this manually, if needed. See also
## https://docs.nextcloud.com/server/11/admin_manual/issues/general_troubleshooting.html#troubleshooting-contacts-calendar
#Redirect 301 /.well-known/carddav /remote.php/dav
#Redirect 301 /.well-known/caldav /remote.php/dav
#Redirect 301 /ocm-provider /ocm-provider/
#Redirect 301 /ocs-provider /ocs-provider/
<IfModule http2_module>
ProtocolsHonorOrder On
Protocols h2 h2c http/1.1
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/bla.bla.com.ua/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bla.bla.com.ua/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set Referrer-Policy no-referrer
</IfModule>
</VirtualHost>
</IfModule>
After creating and enabling it I checked and got A+ at last.
But the one thing: now I have the one security warning in Administration - Overview:
The āReferrer-Policyā HTTP header is not set to āno-referrerā, āno-referrer-when-downgradeā, āstrict-originā, āstrict-origin-when-cross-originā or āsame-originā. This can leak referer information. See the W3C
As you can see in my 100-nextcloud.conf
, it has line:
Header always set Referrer-Policy no-referrer
But anyway the warning still exists.
Also in my .htaccess
file there is a following section existing:
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
SetEnv modHeadersAvailable true
</IfModule>
But for some reason the warning message is present. Any ideas?
Thanks you very much again.