Nextcloud and the HSTS issue

Hi, despite setting the UCS variables for HSTS by following the recommendations and posts on this forum, it still says that it is not enabled.

root@k4ucs:~# ucr search hsts
apache2/hsts/includeSubDomains: yes
 Applies HSTS policy also to subdomains if set to 'yes'.

apache2/hsts/max-age: 15552000
 Time in seconds of how long web browsers will cache and enforce the HSTS policy on the host. Defaults to '10886400' - which are 18 weeks.

apache2/hsts: yes
 Enable HTTP Strict Transport Security (HSTS) by setting this variable to 'yes'. 'apache2/force_https' should be enabled additionally to take full advantage of HSTS.

On the Nextcloud Settings page:

* The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the [security tips ↗](https://docs.nextcloud.com/server/15/go.php?to=admin-security).

* Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the [documentation](https://docs.nextcloud.com/server/15/go.php?to=admin-setup-well-known-URL).
* Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the [documentation](https://docs.nextcloud.com/server/15/go.php?to=admin-setup-well-known-URL).

On the reference file:
root@k4ucs:~# cat /etc/apache2/sites-enabled/default-ssl.conf

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning (German original): This file was generated automatically and may be
#          overwritten by univention-config-registry.
#          Please edit the following file(s) instead:
# 
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
# 

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

        #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        ### To enable special log format for HTTPS-access
        # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
        # CustomLog /var/log/apache2/access.log combinedssl     ## with port number

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>


        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud


        ProxyPass /wordpress https://127.0.0.1:40002/wordpress retry=0
        ProxyPassReverse /wordpress https://127.0.0.1:40002/wordpress



</VirtualHost>
</IfModule>

Does anyone have an idea how to solve this permanently?
Regards
JG

I have noticed the same problem.

My guess is that this is simply a false positive on Nextcloud’s end; it probably cannot detect that the proxy server (Apache on the Docker host) is adding those headers.
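Whether the proxy really sends the header can be settled from the client side, which is all a browser or a setup check can see. The script below is an added example, not code from this thread, from Univention or from Nextcloud: it fetches the response headers with curl, checks that the Strict-Transport-Security max-age is at least the 15552000 seconds named in the Nextcloud warning, and checks that /.well-known/caldav and /.well-known/carddav (the other two warnings) redirect to remote.php/dav, the target Nextcloud's documentation expects. The host name k4ucs.example.org is a placeholder, and the /nextcloud prefix is taken from the posted default-ssl.conf; both are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not code from the forum post, Univention or Nextcloud:
# check from the client side what the Apache reverse proxy really sends.
# Assumptions (placeholders, adjust to your host): the site is reached as
# https://k4ucs.example.org and Nextcloud lives under /nextcloud as in the
# posted default-ssl.conf.

BASE_URL="${BASE_URL:-https://k4ucs.example.org}"
NEXTCLOUD_PATH="${NEXTCLOUD_PATH:-/nextcloud}"
REQUIRED_MAX_AGE=15552000   # the minimum Nextcloud's setup check asks for

# Print the value of header $1 (case-insensitive) from the raw HTTP response
# header block passed as $2; prints nothing if the header is absent.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1:" '
        tolower($1) == tolower(name) {
            sub(/^[^:]*:[ \t]*/, "")   # drop "Name:" and leading blanks
            print
            exit
        }'
}

# Print the max-age directive of the Strict-Transport-Security header in $1,
# or nothing if the header or the directive is missing.
hsts_max_age() {
    header_value Strict-Transport-Security "$1" | awk '
        {
            n = split($0, d, /[ \t]*;[ \t]*/)
            for (i = 1; i <= n; i++)
                if (tolower(substr(d[i], 1, 8)) == "max-age=") {
                    print substr(d[i], 9)
                    exit
                }
        }'
}

# Succeed only if $1 carries an HSTS policy of at least REQUIRED_MAX_AGE.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$REQUIRED_MAX_AGE" ] 2>/dev/null
}

# Succeed only if $1 is a 3xx response whose Location ends in remote.php/dav,
# where Nextcloud expects /.well-known/caldav and /.well-known/carddav to go.
wellknown_ok() {
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
    case "$status" in 30[0-9]) ;; *) return 1 ;; esac
    case "$(header_value Location "$1")" in
        */remote.php/dav) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch only the response headers of one URL, without following redirects.
fetch_headers() {
    curl -sS -o /dev/null -D - "$1"
}

# Live check against the deployment; runs only with RUN_LIVE=1 so the
# parsing functions above can also be exercised offline.
run_live_checks() {
    hdrs=$(fetch_headers "$BASE_URL$NEXTCLOUD_PATH/") || return 2
    if hsts_ok "$hdrs"; then
        echo "HSTS ok: max-age=$(hsts_max_age "$hdrs")"
    else
        echo "HSTS missing or below $REQUIRED_MAX_AGE: '$(header_value Strict-Transport-Security "$hdrs")'"
    fi
    for svc in caldav carddav; do
        hdrs=$(fetch_headers "$BASE_URL/.well-known/$svc") || return 2
        if wellknown_ok "$hdrs"; then
            echo "/.well-known/$svc ok: $(header_value Location "$hdrs")"
        else
            echo "/.well-known/$svc is not redirected to remote.php/dav"
        fi
    done
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `RUN_LIVE=1 sh check-hsts.sh` from a client that reaches the site the same way a browser does. If the header is missing although the `Header always set` line is present in the vhost, check that mod_headers is actually loaded (`a2query -m headers`): the directive sits inside `<IfModule mod_headers.c>` and is silently skipped otherwise. The two /.well-known warnings are a separate matter: the posted vhost only proxies /nextcloud and /wordpress and has no rule for /.well-known/caldav or /.well-known/carddav, so the proxy needs the redirect described in the Nextcloud documentation linked in the warning before those checks can pass.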
