Not recognizing HSTS settings

🚧 Installation
1

I was working on changing my PHP install to php-fpm on a working host. After configuring php-fpm and adding the following line to my enabled apache2 site Nextcloud is no longer recognizing my HSTS setting. Thoughts?

Line I added to my apache2 config:

ProxyPassMatch ^/(..php(/.)?)$ unix:/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/html/

My whole apache2 config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName nextcloud.{removed}.com

    ServerAdmin {removed}
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/html/

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

<Directory /var/www/html/>
Options +FollowSymlinks
AllowOverride All
Require all granted
<IfModule mod_headers.c>
Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”
</IfModule>
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/html
SetEnv HTTP_HOME /var/www/html
</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nextcloud.{removed}.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.{removed}.com/privkey.pem
</VirtualHost>
</IfModule>

Nextcloud now says:

There are some warnings regarding your setup.

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips :arrow_upper_right:.

Recommendations on how I can resolve this?

2

Well, you have placed the headers inside the “Directory” directive.
Try to remove the following:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”
</IfModule>

And add the following right below where you set the private key:
Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

No, ifmodule is not needed really, I assume that you already have “Headers” loaded.