Add security section to admin settings to enable the HTTPS enforcement #1150
Currently it only allows the admin to enable or disable the HTTPS enforcement, but in the future it could be expanded to further options. The HTTPS enforcement only allows the admin to enforce it if he is connected via HTTPS. (To prevent admins from enabling it without a proper SSL setup)

Will this HTTPS enforcement also work for forcing https over a proxy server, as implemented here by herbrechtsmeier: #1099 (add multiple domains reverse SSL proxy support)? Thx

On Feb 4, 2013 4:29 PM, "farson2003" notifications@github.com wrote:
No.

Why not!?
Don't you think?! Please consider.

Pull request owncloud/core/#1872 enables forcessl support for an SSL proxy.

makes sense

I think it would be great if the admin had the possibility to enforce https only for logged-in users, not for public shares. I am satisfied with the self-signed certificate for my server. If I enable "Force https" that's good for me, but not for other people who want to download shared files from my server: they see something like "This site is dangerous! Get out from there!" with a red background and because of that, they are scared to download. But I don't really need https for shared files. On the other hand, I really want to enforce https for all owncloud users for safety.

@rominf "But I don't need https for shared files really." Well, many people and admins do need https throughout, though. I believe if you enforce HTTPS you should remain stringent on it, for the sake of not making the Devs' life too complicated: Enforce it for the whole OC instance, or leave it as a whole. Or do the Devs see an easy way of selectively disabling https?!? It simply does not seem realistic to me.

Buy a certificate, nowadays they are even available for free...
Not possible because of HSTS.

Currently it only allows the admin to enable or disable the HTTPS
enforcement, but in the future it could be expanded to further options.
The HTTPS enforcement only allows the admin to enforce it if he is
connected via HTTPS. (To prevent admins from enabling it without a proper
SSL setup, which would lead to a bad user experience, as he wouldn't be
able to connect to oC anymore without changing the config.php)
Users usually don't read our provided example config.php, so we should
include some options in the admin settings.
\cc @danimo
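
The guard described in the commit message, together with the proxy and HSTS points raised in the comments, sketched as an added example (not code from this pull request or from ownCloud). The function names, the `$trustedProxies` list and `$canonicalHost` are hypothetical, and it assumes a TLS-terminating proxy that sets `X-Forwarded-Proto` and that enforcement sends an HSTS header.

```php
<?php
// Added illustration, not ownCloud code. Function names, $trustedProxies and
// $canonicalHost are hypothetical; the sample requests are constructed.

/** True when the client reached us over TLS, directly or via a trusted proxy. */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    // Direct TLS: the SAPI sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy: honour X-Forwarded-Proto only when the
    // peer is a proxy we operate, because any client can send this header.
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return in_array($peer, $trustedProxies, true) && $proto === 'https';
}

/** New value of the setting; enabling is refused unless the admin is on HTTPS. */
function updateEnforceHttps(bool $requested, bool $current, array $server, array $trustedProxies): bool
{
    if ($requested && !requestIsHttps($server, $trustedProxies)) {
        return $current; // no proven TLS path to this instance: keep the old value
    }
    return $requested;
}

/** Response headers for one request while enforcement is on. */
function enforcementHeaders(array $server, array $trustedProxies, string $canonicalHost): array
{
    if (!requestIsHttps($server, $trustedProxies)) {
        // Redirect to the configured host name, never to the client-supplied Host header.
        return ['Location: https://' . $canonicalHost . ($server['REQUEST_URI'] ?? '/')];
    }
    // HSTS is scoped to the host, not to a path, so it also covers public share links.
    return ['Strict-Transport-Security: max-age=31536000'];
}

$proxies = ['10.0.0.5'];
$plain   = ['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_URI' => '/settings/admin'];
$spoofed = ['HTTP_X_FORWARDED_PROTO' => 'https'] + $plain;
$proxied = ['REMOTE_ADDR' => '10.0.0.5'] + $spoofed;

var_dump(updateEnforceHttps(true, false, $plain, $proxies));
var_dump(updateEnforceHttps(true, false, $spoofed, $proxies));
var_dump(updateEnforceHttps(true, false, $proxied, $proxies));
print_r(enforcementHeaders($plain, $proxies, 'cloud.example.org'));
print_r(enforcementHeaders($proxied, $proxies, 'cloud.example.org'));
```

The plain and spoofed-header requests leave the setting off; only the request arriving through the listed proxy can switch it on.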