I am new to Truenas Scale. This is my first time setting up a server. I am using Nextcloud and have managed to access it remotely and securely using Traefik and Cloudflared. However, when I login to Nextcloud and check the Overview tab, I get the The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds statement. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗
On the Nextcloud documentation page it says -
To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts configuration:
<VirtualHost *:80>
ServerName cloud.nextcloud.com
Redirect permanent / https://cloud.nextcloud.com/
</VirtualHost>
While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers to not allow any connection to the Nextcloud instance using HTTP, and it attempts to prevent site visitors from bypassing invalid certificate warnings.
This can be achieved by setting the following settings within the Apache VirtualHost file:
<VirtualHost *:443>
ServerName cloud.nextcloud.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
Warning
We recommend the additional setting ; preload to be added to that header. Then the domain will be added to a hardcoded list that is shipped with all major browsers and enforce HTTPS upon those domains. See the HSTS preload website for more information. Due to the policy of this list you need to add it to the above example for yourself once you are sure that this is what you want. Removing the domain from this list could take some months until it reaches all installed browsers.
This example configuration will make all subdomains only accessible via HTTPS. If you have subdomains not accessible via HTTPS, remove includeSubDomains.
Unfortunately, I do not know how to change the commands in the Apache Virtual Host. I don't know how to even get to the Apache VirtualHost file to change them with Truenas Scale. HOW DO I DO THIS? I learned how to edit ngix file with Truenas Core when I had core with the Shell and iocage console nextcloud, but I don't know how to do this with Scale. Any assistance that anyone can give a newbie would be greatly appreciated. Thank you so much!
On the Nextcloud documentation page it says -
Redirect all unencrypted traffic to HTTPS
To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts configuration:
<VirtualHost *:80>
ServerName cloud.nextcloud.com
Redirect permanent / https://cloud.nextcloud.com/
</VirtualHost>
Enable HTTP Strict Transport Security
While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers to not allow any connection to the Nextcloud instance using HTTP, and it attempts to prevent site visitors from bypassing invalid certificate warnings.
This can be achieved by setting the following settings within the Apache VirtualHost file:
<VirtualHost *:443>
ServerName cloud.nextcloud.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
Warning
We recommend the additional setting ; preload to be added to that header. Then the domain will be added to a hardcoded list that is shipped with all major browsers and enforce HTTPS upon those domains. See the HSTS preload website for more information. Due to the policy of this list you need to add it to the above example for yourself once you are sure that this is what you want. Removing the domain from this list could take some months until it reaches all installed browsers.
This example configuration will make all subdomains only accessible via HTTPS. If you have subdomains not accessible via HTTPS, remove includeSubDomains.
Unfortunately, I do not know how to change the commands in the Apache Virtual Host. I don't know how to even get to the Apache VirtualHost file to change them with Truenas Scale. HOW DO I DO THIS? I learned how to edit ngix file with Truenas Core when I had core with the Shell and iocage console nextcloud, but I don't know how to do this with Scale. Any assistance that anyone can give a newbie would be greatly appreciated. Thank you so much!
