Where is my Apache configuration

Hello,
I would like to fix the warning message “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. I read the documentation and all the Nextcloud threads about this message. Everywhere, I read that I should modify my Apache configuration. I tried to modify the files I thought were the Apache configuration, but apparently it was not the right file because it changed nothing.
I use Nextcloud on a Raspberry Pi with apache2 installed with the command sudo apt-get install apache2.
I enabled the headers module with a2enmod headers.
I unzipped Nextcloud in /var/www/html/nextcloud.
I followed exactly these instructions: https://pimylifeup.com/raspberry-pi-nextcloud-server/

Solution:

I use Let’s encrypt.
I had added a bad command; just add the following code at the end of the file /etc/apache2/sites-available/default-ssl.conf.

<IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

Thanks a lot.

1 Like

Hi there,

First, I would recommend that you read about what HSTS means.

In short: if your user connected to your HTTPS site at least once in the last 6 months (15552000 sec = 6 months), it will redirect your HTTP connection to an HTTPS connection. It may be overridden by clearing the browser cache, but nonetheless hinders testing to some extent.

I give you this link for further reading, but be aware of the implications:

https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

If you have a strict *:80 to *:443 redirection in place, you may also completely ignore that message. But that is just my opinion; others will say otherwise…

1 Like

Did you set up Apache with LetsEncrypt? I recently had the same issue, and managed to solve it by modifying the LetsEncrypt SSL configuration file.

No doubt you have seen this snippet by now:

<IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

Add that to the 000-default-le-ssl.conf (mine was located here: /etc/apache2/sites-available/), under this line:

“Include /etc/letsencrypt/options-ssl-apache.conf”

Caution – I’m a bit of a newbie, too. If an expert could weigh in, that’d be great.

1 Like

The most important one is already mentioned:

  • Add the mentioned lines to e.g. /etc/apache2/sites-available/default-ssl.conf or the config you used to set up the ssl certificates etc. following your guide.

Btw:

  • The guide gives steps to enable self-signed certificates. I strongly recommend switching to Let’s Encrypt/certbot. The benefit is that it automatically enables a stronger SSL configuration and users won’t face the “untrusted” warnings in their browsers when visiting your cloud.
  • Just apt install python-certbot-apache and certbot --apache --rsa-key-size 4096 and type in your domain info… done. It asks also if it should enable HSTS for you.
  • The guide offers to move the data directory post-installation. Note that this can cause problems that way, and it is strongly recommended to do it already inside the web installation wizard, so the database is not set up wrong first. I explain all about that here: Howto: Change / Move data directory after installation
  • Also, the way the guide does it, Nextcloud is installed with an SQLite database. It is strongly recommended to use MySQL or, better, MariaDB for it on production systems. You need to set up the database first or use an automated occ installation command. But more on this if you need it.
  • To be honest, there are better guides out there and here in the forum or on docs.nextcloud.com :wink:. If you have a login there for comments, you could mention the hints there :slight_smile:.
2 Likes
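An added way to verify that the header from the snippets in this thread is actually being sent with a large enough max-age (example code written for this thread, not from Nextcloud or any of the posters; the sample header blocks are constructed, and a real check would feed it the output of `curl -sI https://your-cloud/`):

```python
# Nextcloud's admin security check requires at least this max-age (~6 months).
NEXTCLOUD_MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse one Strict-Transport-Security value into a directive dict.

    Directive names are case-insensitive (RFC 6797), so they are lowercased;
    max-age is converted to int, or None when it is not a plain number.
    """
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            raw = raw.strip().strip('"')
            directives[name] = int(raw) if raw.isdigit() else None
        else:
            directives[name] = True
    return directives


def check_hsts(raw_headers, minimum=NEXTCLOUD_MIN_MAX_AGE):
    """Check the header block printed by `curl -sI https://cloud.example/`.

    Returns (ok, reason). More than one STS header is reported as a failure:
    browsers only honour the first, so a duplicate (for example two
    'Header add' lines in different vhost files) hides which value applies.
    """
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    if not values:
        return False, "no Strict-Transport-Security header sent"
    if len(values) > 1:
        return False, f"{len(values)} Strict-Transport-Security headers sent"
    age = parse_hsts(values[0]).get("max-age")
    if age is None:
        return False, "max-age directive missing or not a number"
    if age < minimum:
        return False, f"max-age {age} is below the required {minimum}"
    return True, f"max-age {age} satisfies the {minimum} second minimum"


# Constructed sample responses (not captured from a real server).
GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains; preload\r\n"
SHORT = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=86400\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
```

Pipe the real `curl -sI` output into `check_hsts` after editing the vhost file and reloading Apache; a "headers sent" count above one means the `Header add` line was picked up by more than one configuration file.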