The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS

ℹ️ Support
36

This also worked for me. Dedicated IP account. Shared Hosting on Bluehost

37

image
image1328×265 13.9 KB

Still the same error on
IONOS Webspace
NO access to the server files !
The Cloud URL is pointing to this NextCloud folder
I only see the folders, I think after var/xxx/xxx/xxx/NectCloud/

image
image120×543 6.71 KB

So I think I have the only chance to put
- BUT WHAT - exactly in my .htaccess or other file in folder where NextCloud is installed (Pls. see Tree above)
Or execute some
OCC command - BUT WHICH ONE - exactly

IF YOU NEED more Info to solve this now Pls. Let me know!

Hope for a final solution now!

At least till the next update :frowning_face:

PS: should I better start a new thread with this concerning only hosted webspace?
What do you think?

1 Like
38

This took me forever to figure this out, but if you are using Cloudflare you will probably need to enable hsts in the Cloudflare dashboard as well.

1 Like
39

After a lot of searching for the right answer I finally discovered that it had nothing to do with the virtual host or where to put in the code. It had to do with switching the headers on (as to put it in my own words). So after putting the next command into the terminal it worked. Hope it will work for you too.

sudo a2enmod headers

1 Like
40

I have no acess to the server on hosted webspace
I only can do occ comands!!

1 Like
41

You point to the document, but the document does not state where the conf file is located. The documents are incomplete and need to be updated. I am trying to figure this out myself and simply pointing to the document is completely worthless unless there are good directions in the document

42

You have to add it to your already existing web server config. If you don’t know where that config file is located, how did you setup Nextcloud in the first place?

43

You do realize that there install scripts that are available for use where you are not going into each and every config file and altering them. To think otherwise is beyond belief.

If everyone in the “HELP FORUMS” knew what the problem was and how to fix the problem, then there would be no need for the forums. The fact that this has to be verbalized is beyond belief.

If someone is asking for help, I am pretty sure that they are not wanting some troll to come along and bash their statement and give them some crappy response of, “well how did you install this in the first place if you don’t know where a config file is.”

44

This is exactly the reason why the documentation is rather generic, because it is impossible to include every possible installation type and distribution.

You didn’t ask for help. You were demanding things, and you were complaining about other users who tried to help here voluntarily. Imagine someone does hijack an old thread, just to complain that the posts in it, which were addressed to completely different people, did not help with their own issue… Would you be motivated to help that person?

Anyways… If you’re still interested in getting help, I suggest you open a new thread and provide as much information as you can. The bare minimum would be a link to that installation script you used… Good Luck.

45

you may try chatgpt. the answer is quite good. imho.

image
image583×852 31.5 KB

46

Hi ALL
This thread is getting totally messy
We are all talking of different configurations

  1. Nextcloud on own server
    v.s
  2. Nextcloud on Hosted Webspace!

I think it would be great to have an own category for Nextcloud on Hosted Webspace to get finally to a solution for the problem for different setups!

What do you think?
To whom to turn to create this new Category?
PS: also the TAG dropdown needs cleanup!

47

<VirtualHost :80>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule ^(.)$ https://%{HTTP_HOST}$1 [R=301,L]
RewriteCond %{SERVER_NAME} =www.nextcloud.com [OR]
RewriteCond %{SERVER_NAME} =nextcloud.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" DocumentRoot "/var/www/nextcloud.com" ServerName nextcloud.com ServerAlias www.nextcloud.com 
<Directory "/var/www/nextcloud.com/">
    Options MultiViews FollowSymlinks
    AllowOverride All
    Order allow,deny
    Allow from all

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/nextcloud.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.com/privkey.pem

# enable HTTP/2, if available
Protocols h2 http/1.1

TransferLog /var/log/apache2/nextcloud.com_access.log
ErrorLog /var/log/apache2/nextcloud.com_error.log
# modern configuration SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 SSLHonorCipherOrder off SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache “shmcb:logs/ssl_stapling(32768)”

48

@ theshadowfang

OK but can you pls. Explain what to do with these lines on hosted installation?

49

Hi

Where did you put the line ?
I dont have a uncomment line?

Version 2023/04/13 - Changelog: History for root/defaults/nginx/site-confs/default.conf.sample - linuxserver/docker-nextcloud · GitHub

Set the immutable cache control options only for assets with a cache busting v argument

map $arg_v $asset_immutable {
“” “”;
default “immutable”;
}

server {
listen 80 default_server;
listen [::]:80 default_server;

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

server_name _;

include /config/nginx/ssl.conf;

root /config/www/nextcloud/;

# display real ip in nginx logs when connected through reverse proxy via docker network
set_real_ip_from 172.0.0.0/8;
real_ip_header X-Forwarded-For;
50

Nginx users can follow these instructions to solve this problem:

In summary, it involves adding a line like this to your /etc/nginx/sites-available/my_nc_site config:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

51

what is the link, to many answer, not sure which one can solve the issue

52

Same here, maybe someone can be so kind and sum up the thread with a final solution
Many THX to all specialists!

53

Like @Witzker , my nextcloud is hosted at Ionos (Germany) which is shared hosting.
nextcloud is installed in a subdirectory …/htdocs/nextcloud. Access is via the subdomain cloud.domainxy.de
For the main domain I can configure HSTS with the .htaccess. That works.
If I remove the .htaccess in subdir. /nextcloud/ HSTS works also for the subdomain cloud.domainxy.de (but in this case not CSP) (tested with observatory.mozilla.org).
With .htaccess in sub directory /nextcloud/, no matter what I add, I cannot get HSTS to work for the subdomain.
Any idea, what breaks the actually working HSTS-Header "Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” in the top-level htaccess?

54

Yes.
This is strange
I asked the forum to get a separate group for Nextcloud on webspace but no answer.

I think for us will be good to have a separate group.
How can this be done in this forum.
Yesterday I started a search for IONS to find others with the same problems, what IONOS is concerned - It’s not the only one.
e.g

If you are interested, let me know to find a way how we could huddle together and solve the IONOS problems.
What do you think?

PS: there is a TAG IONOS, but I don’t know how to get this in the post.
When you start a new thread and go to
image
maybe this is a way to reach the reach people ???

also fin it in the search

image
image971×451 29.3 KB

But I forgot This!!

55

You are a wizard. Had this transport error for well over a year and tried tons of supposed “fixes”, follow the documentation responses, etc. none of them worked. The key truly was to run “sudo a2enmod headers”