NextCloud - HTTP Strict Transport Security (HSTS)

nicosea · April 10, 2017, 1:38pm

I have installed Nextcloud on a Banana Pi and on a Raspberry Pi3 successfully with Dietpi. Nevertheless I got a secuirty warning on Admin - Settings page:
HTTP “Strict-Transport-Security” has not been configure with a value at least equal to “15552000” seconds.

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com.

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security (HSTS) feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

To enable HTST, edit the Lighttpd configuration file:

nano /etc/lighttpd/lighttpd.conf

Add the following code:

server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; ") }

Save it with [CTRL + X ] and than [Y]

And restart Lighttpd:

/etc/init.d/lighttpd restart

I found how to do that at the following webpage:
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
At the above link there are also instructions for Apache and Nginx, in case you use them instead of lighttpd (I have not tested them).

I hope it will help

k-plan · April 10, 2017, 2:50pm

Hi,

excellent write-up nicosea, move it to Community Tutorials. It will be the better place.

Thanks for sharing

cu
k-plan

WarHawk · September 8, 2017, 8:33am

Same for Apache2?

Mainly because I got my Orange Pi PC setup as a home NextCloud server in it’s own 3d printed case and a 1TB harddrive that I made
I want to open it up to the web so my family can sync their photos to the drive while out and about rather than just in the local network, and I want it to be secure.

https://www.thingiverse.com/thing:2468854

NutsAboutPI · April 9, 2018, 6:55pm

Hi Guys,

So im using the Lighttpd route. Do you need to create a key before doing this tutorial as its not working for me. i still cant https://192.168.0.2 into my nextcloud.

MichaIng · April 11, 2018, 8:42pm

Hey guys,

of course for HSTS you need HTTPS working, thus a self-signed certificate at least, or to avoid browser warnings or even declines, a SSL certificate from trusted CA.

To realize all this and automate HSTS configuration as well, I recommend LetsEncrypt/CertBot as free of charge solution, implemented via DietPi to fully support all webservers we offer.
Just start “dietpi-software”, choose your preferred webserver (by default Lighttpd), install Nextcloud and CertBot (LetsEncrypt). Then start “dietpi-letsencrypt”, choose HTTPS redirection and HSTS besides domain info etc. and start LetsEncrypt certificate creation and automated key + cert installation + configuration of your webserver .

This HSTS implement for Lighttpd is btw the same as provided by @nicosea , so jep, this will work, if you already have working SSL/HTTPS for your webserver: https://github.com/Fourdee/DietPi/blob/testing/dietpi/dietpi-letsencrypt#L181-L192