NextCloud - HTTP Strict Transport Security (HSTS)

Guides and tutorials for various stuff. Posted by DietPi users.
nicosea
Posts: 5
Joined: Wed Mar 29, 2017 8:08 am

NextCloud - HTTP Strict Transport Security (HSTS)

Post by nicosea » Mon Apr 10, 2017 2:38 pm

I have installed Nextcloud on a Banana Pi and on a Raspberry Pi 3 successfully with DietPi. Nevertheless I got a security warning on the Admin - Settings page:
HTTP "Strict-Transport-Security" has not been configured with a value at least equal to "15552000" seconds.

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com.

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security (HSTS) feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

To enable HSTS, edit the Lighttpd configuration file:

    nano /etc/lighttpd/lighttpd.conf

Add the following code:

    # load the module that lets us add response headers
    server.modules += ( "mod_setenv" )

    # only send HSTS on HTTPS responses; on plain HTTP the header is ignored by browsers
    $HTTP["scheme"] == "https" {
        setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains" )
    }

Save it with [CTRL + X] and then [Y].

And restart Lighttpd:

    /etc/init.d/lighttpd restart

I found how to do that at the following webpage:
https://raymii.org/s/tutorials/HTTP_Str ... httpd.html
At the above link there are also instructions for Apache and Nginx, in case you use them instead of lighttpd (I have not tested them).

I hope it will help :-)

k-plan
Posts: 403
Joined: Sun Feb 28, 2016 4:28 pm

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Post by k-plan » Mon Apr 10, 2017 3:50 pm

Hi,

excellent write-up nicosea, move it to Community Tutorials. It will be the better place.

Thanks for sharing

cu
k-plan
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal and Bitcoin.

WarHawk
Posts: 254
Joined: Thu Jul 20, 2017 7:55 am

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Post by WarHawk » Fri Sep 08, 2017 9:33 am

Same for Apache2?

Mainly because I got my Orange Pi PC set up as a home NextCloud server in its own 3D printed case, with a 1TB hard drive, that I made.
I want to open it up to the web so my family can sync their photos to the drive while out and about rather than just in the local network, and I want it to be secure.

https://www.thingiverse.com/thing:2468854

NutsAboutPI
Posts: 3
Joined: Mon Apr 09, 2018 7:00 pm

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Post by NutsAboutPI » Mon Apr 09, 2018 7:55 pm

Hi Guys,

So I'm using the Lighttpd route. Do you need to create a key before doing this tutorial, as it's not working for me? I still can't https://192.168.0.2 into my Nextcloud.

MichaIng
Legend
Posts: 211
Joined: Sat Nov 18, 2017 5:21 pm

Re: NextCloud - HTTP Strict Transport Security (HSTS)

Post by MichaIng » Wed Apr 11, 2018 9:42 pm

Hey guys,

Of course for HSTS you need HTTPS working, thus a self-signed certificate at least, or, to avoid browser warnings or even declines, an SSL certificate from a trusted CA.

To realize all this and automate HSTS configuration as well, I recommend LetsEncrypt/CertBot as a free-of-charge solution, implemented via DietPi to fully support all webservers we offer.
Just start "dietpi-software", choose your preferred webserver (by default Lighttpd), install Nextcloud and CertBot (LetsEncrypt). Then start "dietpi-letsencrypt", choose HTTPS redirection and HSTS besides domain info etc., and start LetsEncrypt certificate creation and automated key + cert installation + configuration of your webserver 8-).

This HSTS implementation for Lighttpd is btw the same as provided by @nicosea :D, so jep, this will work if you already have working SSL/HTTPS for your webserver: https://github.com/Fourdee/DietPi/blob/ ... #L181-L192
