Configure Strict Transport Security

ludji
Posts: 15
Joined: Wed Feb 07, 2018 1:22 pm
Location: France

Configure Strict Transport Security

Post by ludji »

I'm a novice :?

ownCloud: Configure Strict Transport Security
What are the instructions to configure this on DietPi with a simplified solution?
My goal is to get HTTP to https://192.168.1.200/owncloud/ for any iPad or iPhone device.
WarHawk
Posts: 610
Joined: Thu Jul 20, 2017 8:55 am

Re: Configure Strict Transport Security

Post by WarHawk »

That is a LAN IP address.

In your home network it should connect just fine.

I use OpenVPN to connect to my home network when I am out and about... and through the VPN I can still use my LAN IP to do backups.

If you want to open it through your firewall you will have to open a port on your firewall/router and have it port forward from WAN -> LAN.
Not entirely safe to open the door to the web.
ludji
Posts: 15
Joined: Wed Feb 07, 2018 1:22 pm
Location: France

Re: Configure Strict Transport Security

Post by ludji »

Okay, but it doesn't tell me how I'm supposed to do it :idea:
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: Configure Strict Transport Security

Post by MichaIng »

Shall the server be available just via the local network, or are you planning to use letsencrypt/certbot to prepare for access via the internet?
In the latter case I would recommend to use the current letsencrypt script from our testing branch. It contains a fix/workaround for a quite fresh security related issue on the letsencrypt side, so the current (v6.1) version will not work with most webservers; their authentication requests simply get blocked by the letsencrypt servers. Thus do:
dietpi-software install 92 to install CertBot,
then
wget https://github.com/Fourdee/DietPi/raw/t ... etsencrypt -O /DietPi/dietpi/dietpi-letsencrypt
then
dietpi-letsencrypt
and there you can enable HSTS (HTTP Strict Transport Security), which will be automatically configured by certbot in Apache and Nginx. On Lighttpd I am actually not sure right now. Will check and in case add tomorrow :D.

If you just want access in local network via IP or for some reason don't want/need to use certbot for SSL certificate, then please provide the webserver you use and I will give you a quick solution with self-signed certificates or in case you have some from other CA.
There is no automatic way yet included in DietPi to switch to https outside of letsencrypt/certbot.
ludji
Posts: 15
Joined: Wed Feb 07, 2018 1:22 pm
Location: France

Re: Configure Strict Transport Security

Post by ludji »

wget https://github.com/Fourdee/DietPi/raw/t ... etsencrypt -O /DietPi/dietpi/dietpi-letsencrypt
I have been on this link and what should I do and how to put your script and what is the order? :idea:
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: Configure Strict Transport Security

Post by MichaIng »

Just copy the orange wget line I posted into your terminal. It will download (wget) the raw dietpi-letsencrypt file from testing branch and move/overwrite (-O) the one on your system.
ludji
Posts: 15
Joined: Wed Feb 07, 2018 1:22 pm
Location: France

Re: Configure Strict Transport Security

Post by ludji »

MichaIng wrote:Just copy the orange wget line I posted into your terminal. It will download (wget) the raw dietpi-letsencrypt file from testing branch and move/overwrite (-O) the one on your system.
Thank you for your help, I went to "https".
I have another question: how to correct this red warning?
WarHawk
Posts: 610
Joined: Thu Jul 20, 2017 8:55 am

Re: Configure Strict Transport Security

Post by WarHawk »

Awesome!
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: Configure Strict Transport Security

Post by MichaIng »

@ludji:
Looks like you didn't enable HSTS within dietpi-letsencrypt? Can you check your /etc/apache2/sites-available/000-default-le-ssl.conf about it, just to be sure.

But otherwise no problem, just copy&paste those lines into your terminal:

Code:

a2enmod headers   # enable mod_headers so the "Header" directive is accepted
sed -i '\|DocumentRoot|aHeader always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"' /etc/apache2/sites-available/000-default-le-ssl.conf   # insert the HSTS header right after the DocumentRoot line of the SSL vhost
systemctl restart apache2   # restart Apache to apply the change
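Added example, not code from the thread or from DietPi: a small Python checker for the Strict-Transport-Security value that the sed line above inserts. It also flags two things worth knowing before copying that value: browsers ignore HSTS for IP-address hosts such as the https://192.168.1.200/ URL in the original question (RFC 6797), and the preload directive is only accepted by the hstspreload.org list together with includeSubDomains and a max-age of at least one year; the ONE_YEAR constant and the finding strings are my own.

```python
"""Parse and sanity-check an HSTS header value (constructed example)."""
import re

# The exact value used by the sed command in the thread.
HEADER_FROM_THREAD = "max-age=15552000; includeSubDomains; preload"

# hstspreload.org currently requires at least one year for preload submissions.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Split an HSTS value into {directive: argument} per RFC 6797 syntax.

    Directive names are case-insensitive, may not repeat, and max-age must be
    present as a non-negative integer (optionally quoted)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not an integer")
    return directives


def check_hsts(value, host):
    """Return a list of findings for `value` as served by `host` (empty = OK)."""
    findings = []
    # HSTS hosts are identified by domain name only; IP literals are excluded.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("HSTS is ignored for IP-address hosts (RFC 6797); use a hostname")
    d = parse_hsts(value)
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains")
        if max_age < ONE_YEAR:
            findings.append(f"preload requires max-age >= {ONE_YEAR}, got {max_age}")
    return findings
```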
ludji
Posts: 15
Joined: Wed Feb 07, 2018 1:22 pm
Location: France

Re: Configure Strict Transport Security

Post by ludji »

I have this mistake today, how do I fix it? :?: