Do you actually run your own server, or Nextcloud on shared hosting? In the latter case you cannot add the required setting yourself; the hoster would need to.
If HSTS could be enabled on a per-directory basis, it could also be added to .htaccess, never thought about that. Ah, it is always valid for the whole domain. So nothing for shared hosting on a per-user basis, as long as there is a shared domain available as well which shall not get HSTS.
Stop using 1&1, this company is total garbage.
Shared hosting means you don’t have your hands on your server and you share it with other fellows… you can’t activate HSTS correctly most of the time.
You had better find a provider for a VPS or dedicated server, or build your own server.
Shared hosting is really a bad decision for a Nextcloud server because of the lack of power, management, and confidentiality.
Basically, if possible, adding the following to a .htaccess in the webroot of your shared hosting dir would do it:

```apache
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
```

If Nextcloud is placed right into your webroot, you can add it to the end of Nextcloud’s .htaccess as well, but it might lead to integrity check warnings and might be lost on updates and when doing `occ maintenance:update:htaccess`.
However, depending on how the shared hosting is organised, if there is a proxy which forwards users’ subdomains to their webroot, 1&1 might internally remove this header so as not to have HSTS enabled for their domains.
You can test it e.g. via curl: `curl -IL you.domain.org`
This prints all headers received by the client.
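To make that curl check mechanical, here is an added example (not from the original thread) that parses the header blocks `curl -IL` prints for each hop of a redirect chain and evaluates the HSTS header on the final response against the 15552000-second minimum Nextcloud expects; the sample responses are constructed for illustration.

```python
import re

# Nextcloud's security check wants max-age of at least 15552000 seconds (180 days).
NEXTCLOUD_MIN_MAX_AGE = 15552000

def parse_curl_responses(raw: str):
    """Split `curl -IL` output into a list of (status_line, headers) per hop."""
    hops = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # not a response block (e.g. stray text)
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
        hops.append((lines[0].strip(), headers))
    return hops

def check_hsts(raw: str):
    """Evaluate HSTS on the last hop: an HTTP->HTTPS redirect must not be the only place it appears."""
    hops = parse_curl_responses(raw)
    if not hops:
        return {"ok": False, "reason": "no HTTP response found"}
    status, headers = hops[-1]
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return {"ok": False, "reason": "header missing on final response", "hops": len(hops)}
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m:
        return {"ok": False, "reason": "max-age missing", "hops": len(hops)}
    max_age = int(m.group(1))
    result = {"ok": max_age >= NEXTCLOUD_MIN_MAX_AGE, "max_age": max_age,
              "include_subdomains": "includesubdomains" in hsts.lower(),
              "hops": len(hops)}
    if not result["ok"]:
        result["reason"] = f"max-age {max_age} below {NEXTCLOUD_MIN_MAX_AGE}"
    return result

# Constructed sample: HTTP redirect followed by an HTTPS response carrying HSTS.
SAMPLE_OK = """HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.org/
Content-Length: 0

HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15552000; includeSubDomains
"""

# Constructed sample: a hoster proxy stripped the header from the final response.
SAMPLE_STRIPPED = """HTTP/1.1 200 OK
Content-Type: text/html
"""
```

Feed it real output with `check_hsts(subprocess.run(["curl", "-sIL", "https://you.domain.org"], capture_output=True, text=True).stdout)`.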
You know why this question keeps being asked over and over again? Because the answer isn’t clear. Everyone keeps copying and pasting the same answer and not answering the question, or wants to waste time with arrogant remarks like “Why don’t you know this stuff by now?”
If you don’t want to help, then don’t chime in.
The issue is that every answer keeps saying add it to your “virtualhost” file.
Well, I don’t have a file named “virtualhost”. Is it called something else?
Am I supposed to create this file?
If so, in which directory?
I’ve tried creating it. Didn’t work. I’ve tried adding it to other .conf files as directed… not the right answer, still showing the alert.
So it keeps being asked because apparently the answers are not clear or working for everyone.
Hi,
I am getting the exact same issue and I have followed the manual example by adding

```apache
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
```

to my default vhosts ssl conf file in /etc/apaches/vhosts.d
AND
I still get the same issue. I even tried adding the line indicated above to the .htaccess file, no improvement.
```apache
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName REMOVED
ServerAdmin root@localhost
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
SSLUseStapling on
# You can use per vhost certificates if SNI is supported.
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
SSLCertificateFile /etc/letsencrypt/live/REMOVED/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/REMOVED/privkey.pem
```
→ ``` (three backticks, quotes or whatever you call them) will do, before and after, each on a single line.
This formatting is called Markdown. Google knows more details.
If you are running Nextcloud in a Docker container on Unraid and get this error, navigate to appdata/nextcloud/nginx/site-confs. There is a file called default. Open it in a text editor and uncomment line 20: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;`. Save the file and restart Nextcloud. The error should go away.
This “Strict-Transport-Security” problem and the 4 infamous .well-known/carddav, caldav, webfinger, nodeinfo warnings have been bugging me for a year now. I dropped them after a while, thinking it’s not the end of the world. But today I finally found the solution. First some background info: the OS is Debian 10.12, and I have full root access to the OS, which may not apply to everyone.
Short version: change `AllowOverride None` to `AllowOverride All` in the `<Directory /var/www/>` section of apache2.conf or httpd.conf so it becomes something like this:

```apache
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
```

As of Debian 10 the apache2.conf is in the /etc/apache2/ directory. I don’t know about httpd.conf (Ubuntu?).
Sidenote: copying and pasting `AllowOverride All` into nextcloud.conf, 000-default.conf, 000-default-le-ssl.conf, nextcloud-ssl.conf etc… doesn’t work at all.
Long version, or the roundabout way it took me to fix 5 long-standing problems in my Nextcloud with just a simple edit:

> For the first case the .htaccess file shipped with Nextcloud should do this work for you when you’re running Apache. You need to make sure that your Web server is using this file.
> .htaccess needs to be enabled with AllowOverride
> This is the first thing that should be verified. If the AllowOverride directive is set to None then this will disable all .htaccess files. In order to verify this, you must open the Apache configuration file (typically either called httpd.conf or apache.conf) and check that the AllowOverride directive is set to AllowOverride All. If you needed to make changes to your Apache config, remember to save the file and restart Apache: `sudo service apache2 restart`

Well, you can see that the solution for Strict-Transport-Security is dead simple, and yet it is obscured in another instruction for an unrelated problem. Which is why I have to agree with LincH here. Both the instructions and the answers are unclear, which makes people ask the same thing over and over again. And for me it cost one year for a simple edit to fix the problem.
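Since the fix above hinges on which `<Directory>` section actually governs the Nextcloud webroot, here is an added example (not from the original post) that reads an apache2.conf excerpt and reports the effective `AllowOverride` for a path, applying Apache's rule that `<Directory>` sections are merged from shortest path to longest so the most specific block wins; the config excerpt is constructed to mirror the Debian default described in the post.

```python
import re
from pathlib import PurePosixPath

# Constructed apache2.conf excerpt: the Debian default that silently disables .htaccess.
SAMPLE_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

def directory_blocks(conf: str):
    """Return (path, body) for every <Directory ...> block in the config text."""
    pat = re.compile(r"<Directory\s+\"?([^\s\">]+)\"?\s*>(.*?)</Directory>", re.S | re.I)
    return [(m.group(1), m.group(2)) for m in pat.finditer(conf)]

def effective_allow_override(conf: str, path: str) -> str:
    """Apache merges matching <Directory> sections shortest path first, so the
    most specific block that sets AllowOverride wins; unset falls back to None."""
    target = PurePosixPath(path)
    matches = []
    for dirpath, body in directory_blocks(conf):
        d = PurePosixPath(dirpath)
        if target == d or d in target.parents:
            matches.append((len(d.parts), body))
    value = "None"
    for _, body in sorted(matches):  # ascending specificity; later assignments override
        m = re.search(r"^\s*AllowOverride\s+(.+?)\s*$", body, re.M | re.I)
        if m:
            value = m.group(1)
    return value

def htaccess_honoured(conf: str, path: str) -> bool:
    """True when a .htaccess placed in `path` (e.g. the Nextcloud webroot) is read at all."""
    return effective_allow_override(conf, path).lower() != "none"
```

With the default excerpt, `htaccess_honoured(SAMPLE_CONF, "/var/www/nextcloud")` is False, which is exactly why the HSTS line in Nextcloud's shipped .htaccess never takes effect until the /var/www/ block is changed.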
OK, a quick update: for the fix in the previous post I forgot to mention that this line needs to be inserted at the top of the .htaccess: `Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"`. But if you update Nextcloud, it will be reset and the warning comes back.
So I was looking for a more reliable fix and came to a shocking reveal: the setting for Enable HTTP Strict Transport Security is in the incorrect order. I don’t know if it was caused by an Apache update or a Debian update or something else. But here’s the fix:
Tested this on my server and it works as expected.
Now we need more people testing this method and confirming it works. Then finally we can edit the wiki and put an end to this mess.
It’s not. I have set it up like in your first example for years and never had any issues. Not sure what caused your issue, but you definitely don’t have to make every line of your VirtualHost config conditional on the presence of the headers module, except maybe if you want the whole config to stop working in case the headers module gets disabled. https://httpd.apache.org/docs/2.4/en/mod/core.html#ifmodule
Here are my working VirtualHosts based on this tutorial: (German)… I have used this exact config for a few years now and never had any issues: