Strict-Transport-Security error.....I'm lost

Mike12421 · June 14, 2020, 2:44pm

Hello all,

I am at my wits end trying to fix this error however after spending the whole weekend on it, I am no further along.

I have NextCloud running in a Docker on my Synology DS916+. Everything is running great, I can access it remotely and have a Letsencrypt certificate installed.

My issue however is on the Overview page, I get the following error;

“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described…”

I have read every page relating to this error I can find along with the official documentation that NextCloud provides, but nothing seems to work. A number of pages make reference to amending the htaccess file in Apache, however I can not locate this, as my system would appear to be using Nginx.

Can anyone please point me in the right direction before I lose it.

devnull · June 14, 2020, 3:00pm

Read

https://www.xolphin.com/support/Apache_FAQ/Apache_-_Configuring_HTTP_Strict_Transport_Security

Mike12421 · June 14, 2020, 3:11pm

Hello,

Thank you for replying so quickly, however I do not have Apache on my system, it would appear only Nginx, there is no Apache folder under /etc.

I have tried running the first command to active the headers however I get;
“-ash: LoadModue: command not found”

Apologies, Linux is very new to me.

devnull · June 14, 2020, 3:14pm

Search similar for nginx.

Mike12421 · June 14, 2020, 3:38pm

Hello,

I have looked on numerous sites, this being one of them;

…however still no luck.

Under /etc/apache I have a “sites-enabled” folder but not a “sites-available” folder.

In the “sites-enabled” folder however, there is a “synowstransfer.conf” however inside that is;

Lastly, I have tried the command; curl -I https://yourdomain.com and I get the following (the last line however does show the Strict-Transport-Security max age as what it should be?

Mike12421 · June 14, 2020, 3:51pm

In the /etc/Nginx folder there is a “Nginx.conf” file,inside that is the following;

However I can not see the server block to add;
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”;

Reiner_Nippes · June 14, 2020, 5:15pm

grep -ir Strict-Transport-Security /etc/nginx/* might be helpful.

Mike12421 · June 14, 2020, 5:25pm

Hello,

Thank you for replying, you all clearly know more than me regarding this stuff.

I tried your suggestion and received the following;

Coincidentally, that’s the same number of services I have running via reverse-proxy;
20200614_182310

Reiner_Nippes · June 14, 2020, 6:18pm

that could be a hint that the “max-age” is defined somewhere else.

nevertheless. use your favorite editor to edit /etc/nginx/app.d/server.ReverseProxy.conf and restart nginx.

Mike12421 · June 15, 2020, 8:47am

Hello,

Apologies for the late reply, I ended up falling asleep trying to fix this.

Thought I would quickly try again before work.

I opened up the conf file you suggested and can confirm that all eight reverse proxy services are listed, including NextCloud. Unfortunately however, they all already have the above Strict Transport Security entries;

Thank you again for taking the time to reply and help.