Hi, despite setting the UCS variables for HSTS, following the recommendations and posts on this forum, it keeps saying that it's not enabled.
```
root@k4ucs:~# ucr search hsts
apache2/hsts/includeSubDomains: yes
Applies HSTS policy also to subdomains if set to 'yes'.
apache2/hsts/max-age: 15552000
Time in seconds of how long web browsers will cache and enforce the HSTS policy on the host. Defaults to '10886400' - which are 18 weeks.
apache2/hsts: yes
Enable HTTP Strict Transport Security (HSTS) by setting this variable to 'yes'. 'apache2/force_https' should be enabled additionally to take full advantage of HSTS.
```
On the Nextcloud Settings page:
* The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the [security tips ↗](https://docs.nextcloud.com/server/15/go.php?to=admin-security).
* Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the [documentation](https://docs.nextcloud.com/server/15/go.php?to=admin-setup-well-known-URL).
* Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the [documentation](https://docs.nextcloud.com/server/15/go.php?to=admin-setup-well-known-URL).
On the reference file:
```
root@k4ucs:~# cat /etc/apache2/sites-enabled/default-ssl.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry ueberschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
#
<IfModule mod_ssl.c>
<VirtualHost *:443>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
### To enable special log format for HTTPS-access
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
# CustomLog /var/log/apache2/access.log combinedssl ## with port number
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
ProxyPass /wordpress https://127.0.0.1:40002/wordpress retry=0
ProxyPassReverse /wordpress https://127.0.0.1:40002/wordpress
</VirtualHost>
</IfModule>
```
Does anyone have an idea how to solve this permanently?
Regards
JG
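
One way to check what a client actually receives on the proxied `/nextcloud` path, added here as an example and not part of the original post: the script evaluates a raw response header block against the 15552000-second threshold from the Nextcloud warning, following RFC 6797 (only the first HSTS field counts, directives must not repeat). The function names and the sample responses are constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning above

# Constructed sample responses (not captured from the poster's server).
WITH_HSTS = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
             "Content-Type: text/html\r\n\r\n")
WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SHORT_AGE = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=10886400\r\n\r\n"

def parse_hsts(value):
    """Parse one header value into {directive: value}; None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # RFC 6797: a directive must not repeat
            return None
        directives[name] = val.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                          # max-age is required and numeric
    return directives

def check_response(raw_headers, min_age=MIN_MAX_AGE):
    """Return (ok, reason) for a raw HTTP response header block."""
    values = []
    for line in raw_headers.splitlines()[1:]:    # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(val.strip())
    if not values:
        return False, "header missing"
    policy = parse_hsts(values[0])   # RFC 6797: only the first field is processed
    if policy is None:
        return False, "header malformed"
    if int(policy["max-age"]) < min_age:
        return False, "max-age below %d" % min_age
    return True, "ok"

if __name__ == "__main__":
    for label, raw in (("with", WITH_HSTS), ("without", WITHOUT_HSTS), ("short", SHORT_AGE)):
        print(label, check_response(raw))
```

To test a live host, pass the output of `curl -sI` against its HTTPS `/nextcloud/` URL to `check_response` in place of the constructed samples.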