-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce HTTPS via .htaccess edit #132
Comments
@LukasReschke You can already force HTTPs in the config/config.php file.
|
The forcessl-lines in config.php do not have an effect in my installation. |
They aren't present anymore since some versions - it was removed in 8.1 owncloud/core#14651 |
@MorrisJobke Oh, well it's still in the documentation. |
I can't find it on that page anymore 🙈 Could you check again? I searched for forcessl. |
Awesome, its been removed |
enabling https redirecting directly in .htaccess via checkbox in Adminarea would be really nice :) https://forum.owncloud.org/viewtopic.php?f=21&t=34397&p=110792#p110792
maybe setting up via checkbox in the Adminarea if this works :
and resetting up the HASH'es and correcting them .. best regards |
i have simply done this in my webserver configuration (nginx). If we introduce a GUI checkbox in admin panel, we should make sure, that the user is able to access the installation via https (iframe with a token?!). Otherwise you may get locked out of your installation, once you enable that checkbox. |
This integrity check error also happens when you need to enable/modify the HTTP Strict Transport Security header in htaccess, see https://docs.nextcloud.com/server/9/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security. How about adding this option to the GUI in the same run? |
Why was the checkbox removed with 8.1 😕 ..I think it caused bugs? @LukasReschke |
+1 😕 .. a more easy possible would it be, change the .htaccess'es and make 2 of them, by check a checkbox change they are and change the hashes also.. as a suggestion for have the possible also use every a ssl protocol by any addresses and move it to https in any case, by checking the Checkbox '[X] Every using a Https Protocol '. best regards |
Hi there, So, does Nextcloud 10 now check also the .htaccess files and how can I successfully implement my code?
Someone got an idea? Thanks in advance! |
I do have the same problem with the .htaccess file. I would really like to have this checkbox in the admin area 👍 |
In NextCloud 9.53 i have made the same adjustments in the .htaccess and the integrity check was OK. |
humm.. :
|
Oh what a pit, I am hosting on HostEurope and also use a rewrite rule in .htaccess for HTTPS support. The integrity hint gives me the actual hash of my changed .htaccess file. Any way to correct the expected hash value manually? Best Regards, Martin |
nope, i have the same problem and looking over away for have a https automatical .. |
A quick summary as of today and under a freshly installed Nextcloud 10.0:
As the default installation is currently unsecure by default, I'd suggest reconsidering the priority assigned to this issue. |
Manual workaround is that after adding the two extra lines for enforcing https (see @blackcrack comment above) just do this: |
Well, that will not realy work... `Technical informationThe following list covers which files have failed the integrity check. Please read Results
So, this is not a fine solution for out Problem... |
I did this on Nextcloud stable version 10.0.1 and actually did the editing locally. So I have downloaded .htaccess and core/signature.json and then uploaded them back after editing. Your output does not specify the file that failed the hash check, but instead says that the signature is invalid. So very likely your hash is not a valid sha512 hash (typo during editing?). Maybe check if your editor changes end of line or if that you copied only the hash output from sha512sum? Example: Then you only need the I have no errors either on the UI or when running signature check manually on the terminal (./occ integrity:check-core). |
Yes, thats what i did. Error-Message:
|
this .htaccess file should be twice exist one with https and one without redirect. please, can this do anybody who can php/Java, best regards |
You can add |
Yeah, that works!
Now, with the original .htaccess and the 'overwriteprotocol' => 'https', line in the config.php, Do anyone know a solution? And thanks a lot to boTux for the overwriteprotocol Solution! |
Any progress here? As |
Hi, 'forcessl' => true, like further on top described ^^ in config.php it is a good choice it is enabled again in vers 13. of Nextcloud best regards |
Hi, I switched from owncloud 8.x to a fresh install of nextcloud 12.0.3 on my webspace (Hetzner Level 4). While "installation" (unzipping) and https is working fine I can't get rid of the HSTS warning on the nextcloud admin page. Over the last four hours I have tried EVERY single tipp but with no success. I would like to see a default setup with correct HTTPS and HSTS settings when the install routine was started from a https-link. Maybe these setting can be in the config.php because the .htaccess entries show no effect in my case (again: Hetzner Level 4). best regards |
If the .htaccess does have any effect, quickly contact your hosting provider to enable |
I really hope this setting comes back again, in best case with a setting for plain redirect and HSTS each. while HSTS isnt a bad thing in general it's kinda annoying when you screw up soemthing with your certs, and the browsers dont give you a "thanks I know, I trust this cert anyway" option. while HSTS is truly a godsend for things that are open to the public, a closed party like my cloud where only I have access anyway I prefer to say how I like my stuff, in this case with a plain redirect (like back in OC6) and no HSTS. but for now the overwriteprotocol setting is pretty awesome. thanks. |
Add this Redirect with your url on nextclouds virtualhost: |
not everyone has the ability to change their vhost config. |
Then alternative in .htaccess: RewriteCond %{HTTPS} off |
@kakhavk Further reading: https://httpd.apache.org/docs/2.4/rewrite/avoid.html
|
It worked great for me. Thanks ! |
One could add some flags, e.g.: https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule
AFAIK |
Having just
is a silent misconfiguration. Since "RewriteEngine" is by default set to off, it is a must to add "RewriteEngine on" in configuration file, if we want to enable the functionality of "RewriteCond" and "RewriteRule". Here is the related Apache source code snippet:
|
Thanks ! |
Good hint, however, it is enabled anyway by the current |
As suggested several times
should work but on my web host I had to add
between the two lines, for some reason (otherwise I get an error "bad redirection" in my browser). I just put it here in case it could help someone. |
I guess in cases where the client connection was HTTPS already but a proxy terminates that connection and uses plain HTTP to connect to the final webserver. |
As this sounds like a nice feature, the requests for this are quite low. Currently there are no plans to implement such a feature. Thus I will close this ticket for now. This does not mean we don't want this feature, but it is simply not on our roadmap for the near future. If somebody wants to implement this feature nevertheless we are happy to assist and help out. |
Also offer GUI checkbox, check https://help.nextcloud.com/t/enforce-https-via-htaccess-file-integrity-check-error/663/4
The text was updated successfully, but these errors were encountered: