NextCloud - HTTP Strict Transport Security (HSTS)

Guides and tutorials for various stuff. Posted by DietPi users.

NextCloud - HTTP Strict Transport Security (HSTS)

Postby nicosea » Mon Apr 10, 2017 1:38 pm

I have installed Nextcloud on a Banana Pi and on a Raspberry Pi3 successfully with Dietpi. Nevertheless I got a secuirty warning on Admin - Settings page:
HTTP "Strict-Transport-Security" has not been configure with a value at least equal to "15552000" seconds.

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com.

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security (HSTS) feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

To enable HTST, edit the Lighttpd configuration file:
Code: Select all
nano /etc/lighttpd/lighttpd.conf

Add the following code:
Code: Select all
server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; ") }

Save it with [CTRL + X ] and than [Y]

And restart Lighttpd:
Code: Select all
/etc/init.d/lighttpd restart


I found how to do that at the following webpage:
https://raymii.org/s/tutorials/HTTP_Str ... httpd.html
At the above link there are also instructions for Apache and Nginx, in case you use them instead of lighttpd (I have not tested them).

I hope it will help :-)
nicosea
 
Posts: 4
Joined: Wed Mar 29, 2017 7:08 am

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Postby k-plan » Mon Apr 10, 2017 2:50 pm

Hi,

excellent write-up nicosea, move it to Community Tutorials. It will be the better place.

Thanks for sharing

cu
k-plan
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal and Bitcoin.
User avatar
k-plan
 
Posts: 263
Joined: Sun Feb 28, 2016 4:28 pm

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Postby WarHawk » Fri Sep 08, 2017 8:33 am

Same for Apache2?

Mainly because I got my Orange Pi PC setup as a home NextCloud server in it's own 3d printed case and a 1TB harddrive that I made
I want to open it up to the web so my family can sync their photos to the drive while out and about rather than just in the local network, and I want it to be secure.

https://www.thingiverse.com/thing:2468854
Image
User avatar
WarHawk
 
Posts: 84
Joined: Thu Jul 20, 2017 6:55 am


Return to Community Tutorials

Who is online

Users browsing this forum: No registered users and 2 guests