The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS

It actually worked

Hi

Did you solve it at IONOS webspace?
IF yes, PLS let me know how-to.
THX

If you are running Nextcloud in a docker container on Unraid and get this error, navigate to appdata/nextcloud/nginx/site-confs. There is a file called default. Open it in a text editor and uncomment line 20: add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; Save the file and restart Nextcloud. The error should go away.

4 Likes

thank you my fellow unraid friend… :slight_smile:

1 Like

This “Strict-Transport-Security” problem and the 4 infamous .well-known/carddav, caldav, webfinger, nodeinfo ones have been bugging me for a year now. I dropped them after a while, thinking it’s not the end of the world. But today I finally found the solution. First, some background info: the OS is Debian 10.12, and I have full root access to the OS, which may not apply to everyone.

  • Short version: change AllowOverride None to AllowOverride All in the <Directory /var/www/> of the apache2.conf or httpd.conf so it will become something like this:
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

As of Debian 10 the apache2.conf is in the /etc/apache2/ directory. I don’t know about httpd.conf (Ubuntu?).
Sidenote: copying and pasting AllowOverride All into all of nextcloud.conf, 000-default.conf, 000-default-le-ssl.conf, nextcloud-ssl.conf etc… doesn’t work at all.

  • Long version, or the roundabout way it took me to fix 5 long-standing problems in my NextCloud with just a simple edit:
  1. First, I was looking for the carddav solution in doc.nextcloud.com and came across this line:

For the first case the .htaccess file shipped with Nextcloud should do this work for you when you’re running Apache. You need to make sure that your Web server is using this file.

  2. After a quick Google search about .htaccess not working, I found this:

.htaccess needs to be enabled with AllowOverride
This is the first thing that should be verified. If the AllowOverride directive is set to None then this will disable all .htaccess files. In order to verify this, you must open the Apache configuration file (typically either called httpd.conf or apache.conf) and check that the AllowOverride directive is set to AllowOverride All. If you needed to make changes to your Apache config, remember to save the file and restart Apache. sudo service apache2 restart

Well, you can see that the solution for Strict-Transport-Security is dead simple, and yet it is obscured in another instruction for an unrelated problem. Which is why I have to agree with LincH here. Both the instructions and the answers are unclear, which makes people ask the same thing over and over again. And for me it cost one year for a simple edit to fix the problem.

OK, a quick update: for the fix in the previous post I forgot to mention that you need to insert this line: Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" at the top of the .htaccess. But if you update Nextcloud, it will be reset and the warning comes back.
So I was looking for a more reliable fix and came to a shocking reveal: the setting for Enable HTTP Strict Transport Security is in the incorrect order. I don’t know if it was caused by an Apache update or a Debian update or something else. But here’s the fix:

  • So instead of this setting:
<VirtualHost *:443>
     ServerName cloud.nextcloud.com
     <IfModule mod_headers.c>
          Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
     </IfModule>
</VirtualHost>

Now we have to do it like this:

<IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
     <VirtualHost *:443>
           ServerName cloud.nextcloud.com
     </VirtualHost>
</IfModule>

Tested this on my server and it works as expected.
Now we need more people to test this method and confirm it works. Then finally we can edit the wiki and put an end to this mess.

1 Like
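The post above asks for more people to confirm that the header is really being sent. The quickest confirmation is to look at the live response rather than the config file, because the warning in the first post is about what the server actually returns: the Strict-Transport-Security header must be present on the HTTPS response and its max-age must be at least 15552000 seconds (both 15552000 and the 63072000 used later in this thread pass). The script below is an added example, not code from this thread, from Nextcloud or from Apache; it parses HTTP response headers from stdin, which in practice come from curl -sI against the HTTPS URL (cloud.example.tld is a placeholder), and the three sample responses it runs on are constructed.

```shell
#!/bin/sh
# Added example: check an HTTP response for a Strict-Transport-Security (HSTS)
# header that satisfies Nextcloud's threshold of 15552000 seconds (180 days).
# Real use, after sourcing this file:
#   curl -sI https://cloud.example.tld/ | hsts_status     # placeholder host
# Check the HTTPS URL itself: browsers ignore HSTS sent over plain HTTP, so a
# redirect response on port 80 carrying the header proves nothing.

MIN_MAX_AGE=15552000

# Print the raw value of the first Strict-Transport-Security header on stdin.
# Header names are case-insensitive, curl -I output ends lines with CRLF, and a
# client honours only the first HSTS header, so strip CRs, compare in lowercase
# and stop after the first hit.
hsts_value() {
    tr -d '\r' \
    | awk -F': *' 'tolower($1) == "strict-transport-security" { print $2; exit }'
}

# Print the number from the max-age directive, or nothing if there is none.
hsts_max_age() {
    hsts_value | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the header carries includeSubDomains (directive names are
# case-insensitive as well).
hsts_include_subdomains() {
    hsts_value | tr 'A-Z' 'a-z' | grep -q 'includesubdomains'
}

# Print "ok", "too-short" or "missing" for the headers on stdin.
# Return 0 only for "ok", so the function can gate a script with set -e.
hsts_status() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo missing; return 1
    elif [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo too-short; return 1
    fi
    echo ok
}

# Constructed sample responses (not captured from any real server).
HEADERS_OK='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html'

HEADERS_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=31536
Content-Type: text/html'

HEADERS_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

# Demonstration on the constructed samples.
printf 'HEADERS_OK:    %s\n' "$(printf '%s\n' "$HEADERS_OK"    | hsts_status)"
printf 'HEADERS_SHORT: %s\n' "$(printf '%s\n' "$HEADERS_SHORT" | hsts_status)"
printf 'HEADERS_NONE:  %s\n' "$(printf '%s\n' "$HEADERS_NONE"  | hsts_status)"
```

A "missing" result on a server whose config contains the Header directive usually means the directive is never evaluated (mod_headers not loaded, or the directive sitting in an .htaccess that AllowOverride None silences), which is the situation several posts in this thread describe; "too-short" means the header is sent but the max-age is below what Nextcloud checks for.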

It’s not. I have set it up like in your first example for years and never had any issues. Not sure what caused your issue, but you definitely don’t have to make every line of your VirtualHost config conditional to the presence of the headers module, except maybe if you want the whole config not to work anymore, in case the headers module got disabled. https://httpd.apache.org/docs/2.4/en/mod/core.html#ifmodule

Here are my working VirtualHosts based on this tutorial: (German)… I have been using this exact same config for a few years now and never had any issues:

001-cloud.mydomain.tld.conf
<VirtualHost *:80>
Servername cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.mydomain.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
001-cloud.mydomain.tld-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

<Directory /var/www/html/nextcloud/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
Satisfy Any
</Directory>

<IfModule mod_dav.c>
Dav off
</IfModule>

<Directory /var/nextcloud-data/>
Require all denied
</Directory>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

<IfModule mod_reqtimeout.c>
RequestReadTimeout body=0
</IfModule>

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCACertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.tld/privkey.pem

SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</VirtualHost>
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

Well, the config works for you and didn’t work for me then. It could be caused by a different OS, different versions, settings etc. Thing is, if the tutorial config were wrong in the first place then everyone would have complained by now, not just a few people including me trying to get an answer. So if you could please humour me by reversing the config and confirming the reversed config still works for you, then we have a fix that works for both of us rather than for one person. Sound good?
One more thing, the link
for admin_manual (Introduction — Nextcloud latest Administration Manual latest documentation) doesn’t work anymore. Strange.

Well, and that’s exactly the point. There is no one-size-fits-all solution. It depends on which OS you are using and how you have set things up. The config snippets in the Nextcloud documentation are meant as examples and have to be adapted to your specific needs / setup.

Sorry, I don’t feel like messing with my working setup. I have multiple sites running on my server, all with their own VirtualHost config files, and I don’t see a reason to put the HSTS directive outside the VirtualHost section. I’m also not sure how that would behave. It would probably apply to all subsequent VirtualHosts as well, which I don’t need to happen because I prefer each VirtualHost to have its own separate config.

Well, and that’s exactly the point. There is no one-size-fits-all solution. It depends on which OS you are using and how you have set things up. The config snippets in the Nextcloud documentation are meant as examples and have to be adapted to your specific needs / setup.

That’s why my work here is almost done: give an alternative way for the snippet code example, because that’ll help the newbies tremendously and not make them have to ask around like in this thread.

Sorry I don’t feel like messing with my working setup
It’s fine. I thought you had a single NAS server so you could quickly test something. But if it involves multiple servers then just ignore my request, no problem.

I’m not a professional or expert when it comes to web servers but from my basic understanding, on a default Apache installation on Debian, with only one site it shouldn’t really matter where you put this directive as long as it is processed after the redirection from HTTP to HTTPS. Unfortunately I don’t know why it doesn’t work in your specific case when the directive is placed inside the VirtualHost section.

I could test it on my test server and I’m almost sure it would work. Maybe I’m gonna try it later… :wink: But I don’t think it’s suitable as a general recommendation because I think your variant is rather the exception than the norm, and I would probably try to find the root cause of why you had to do it like that in the first place.

I tested it on my test instance and at least for Nextcloud, it makes no difference whether I place it inside or outside the VirtualHost section.

1 Like

Thank you for your time, I appreciate it. If I have time I’ll try to get to the root of this weird behaviour, rather than using a non-standard config like this.

1 Like

This also worked for me. Dedicated IP account. Shared Hosting on Bluehost

Still the same error on
IONOS Webspace
NO access to the server files!
The Cloud URL is pointing to this NextCloud folder
I only see the folders, I think after var/xxx/xxx/xxx/NextCloud/

So I think my only chance is to put
- BUT WHAT - exactly in my .htaccess or another file in the folder where NextCloud is installed (Pls. see tree above)
Or execute some
OCC command - BUT WHICH ONE - exactly

IF YOU NEED more Info to solve this now Pls. Let me know!

Hope for a final solution now!

At least till the next update :frowning_face:

PS: should I better start a new thread with this concerning only hosted webspace?
What do you think?

1 Like

This took me forever to figure this out, but if you are using Cloudflare you will probably need to enable hsts in the Cloudflare dashboard as well.

1 Like

After a lot of searching for the right answer I finally discovered that it had nothing to do with the virtual host or where to put the code. It had to do with switching the headers on (to put it in my own words). So after entering the following command into the terminal it worked. Hope it will work for you too.

sudo a2enmod headers

1 Like

I have no access to the server on hosted webspace.
I only can do occ commands!!

1 Like

You point to the document, but the document does not state where the conf file is located. The documents are incomplete and need to be updated. I am trying to figure this out myself, and simply pointing to the document is completely worthless unless there are good directions in the document.

You have to add it to your already existing web server config. If you don’t know where that config file is located, how did you setup Nextcloud in the first place?