HSTS header app not working #7

Closed
SarahDela opened this issue Jul 23, 2020 · 12 comments

@SarahDela

SarahDela commented Jul 23, 2020

My nextcloud web site is https://d-cloud.ch

I’m trying to get your HSTS header app to work with Nextcloud, but keep on getting this error:
ERROR 1

Also added these lines to config.php
config

I still get no-HSTS header
here: https://securityheaders.com/
And here https://hstspreload.org/

Any help would be welcome
Kind regards

@sualko
Owner

sualko commented Jul 29, 2020

Which server do you use? In case you are using apache, is the headers module available?

@SarahDela
Author

Plesk shared server with Nginx MariaDB

@ehcloninger

I have the same problem on my nextcloud (https://cloninger.cloud). App is installed and enabled in NC, but does not show in headers. Running Apache 2.4.43.

Do not have mod_headers as /etc/ is not writable by me. (virtual Linux host). Can't sudo, cannot restart Apache.

Thanks

@sualko
Owner

sualko commented Aug 25, 2020

Weird. It would be nice if you could add some debug code to the app, so that we can get the reason for this malfunction.

Just add the following to the end of appinfo/app.php and look for the messages in your log (enable debug log):

\OC::$server->getLogger()->debug(isModHeadersAvailable() ? 'Mod Headers is available' : 'Mod Headers is NOT available');
\OC::$server->getLogger()->debug(isHTTPS() ? 'Served via httpS' : 'Served via http');

@SarahDela
Author

If it is a server side config then session var session.use_strict_mode is set to 0 on my servers

@ehcloninger

@sualko I made the change as shown in appinfo/app.php at the bottom. Logging was already on.

There is no log message appearing. What would trigger the message?

I loaded in a private instance and nothing showed in the logs.
Logged out as admin and back in again. Nothing.
Disabled, then enabled HSTS Header (0.5.0)
Used securityheaders.com to load the site and still getting HSTS notice. Nothing in the logs.
Moved the message to the top of app.php, thinking maybe a return or exception happened. No message in logs.

Is it possible the app isn't loading at all? I'm assuming this goes into the log at nextclouddata/nextcloud.log?

I'm running 19.0.1 (Stable channel). PHP 7.4.8. I don't really have a lot of apps installed. At the moment, it's just a Proof of Concept for myself.

@SarahDela
Author

SarahDela commented Aug 25, 2020

Just added these lines to .htaccess

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

Case closed for me, no need for module.
@sualko thank you

@ehcloninger

@SarahDela I can confirm that also works for me. Thank you!

@sualko It appears that my .htaccess also has this bit, so that may be why it wasn't working.

<IfModule mod_env.c>
    SetEnv modHeadersAvailable true
</IfModule>

@sualko
Owner

sualko commented Aug 25, 2020

ModHeaders is always the preferred method, therefore this app will not add any header if the module is available. If you can add it via htaccess, everything is fine.

sualko closed this as completed Aug 25, 2020

@PrzemekSkw

Hello @sualko, I have added this to my /var/www/nextcloud/.htaccess:

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

I disabled:
#SetEnv modHeadersAvailable true
I installed the HSTS app from the Nextcloud Appstore but still have that warning. What can I do to make it work?
Regards.

@sualko
Owner

sualko commented Nov 10, 2021

@PrzemekSkw

ModHeaders is always the preferred method, therefore this app will not add any header if the module is available. If you can add it via htaccess, everything is fine.

@PrzemekSkw

Hi @sualko, I have an option in Dietpi OS to enable HSTS without any other operations. I forgot about it. Sorry.
Thanks.
