How to deal with the "Strict-Transport-Security" problem of Nextcloud?

LV52

Dabbler
Joined
Oct 14, 2022
Messages
10
I have installed Nextcloud 25 in TrueNAS SCALE and use Traefik to ingress HTTPS services; it all works well.
Today I tried to use Nginx Proxy Manager to ingress the HTTPS services of Nextcloud, and turned on the "HSTS" option by accident.
Then I found that Nginx Proxy Manager didn't work well: I could not use my domain name to access Nextcloud, so I uninstalled Nginx Proxy Manager in TrueNAS SCALE.
After that, I installed nginxwebui to ingress the HTTPS services of Nextcloud. My domain name can access Nextcloud over HTTPS, but something is weird.

In the Nextcloud services, the system shows a warning: The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
Furthermore, I can't upload any files to Nextcloud; Nextcloud displays an error: An unknown error has occurred

I am very confused: the HSTS option is no longer turned on anywhere, but the Nextcloud services are still affected. And when I used the same domain name to ingress other services, neither the browser nor the service prompted any information about HSTS.

What's even weirder is that when I switched back to using Traefik to ingress Nextcloud, everything was fine. Nextcloud didn't show the HSTS warning and I could upload files as usual.

I also installed another new Nextcloud service and used nginxwebui to ingress HTTPS; it still shows the HSTS warning. What happened? The two Nextcloud services are not associated in any way, but both still show the HSTS warning.

Does anyone know how to solve this problem? Thanks!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
That's the entire point of HSTS. You are not supposed to set up HSTS until you have a stable and reliable system, because once you set up HSTS, it does literally the thing HSTS is supposed to do: prevent connections that do not appear to match.

If you have accidentally (or perhaps "accidentally") turned on HSTS, you have limited options. Once a client has connected to your server, HSTS requires it to behave in a certain way, and there is very little you can do on the server side to un-screw it up. You can change the domain name in use, which gives you a new shot at HSTS, or you can clear the HSTS data out of your client (web browsers typically have a fairly easy way to do this). You cannot just "turn off" HSTS.
 

LV52

Dabbler
Joined
Oct 14, 2022
Messages
10
> That's the entire point of HSTS. You are not supposed to set up HSTS until you have a stable and reliable system, because once you set up HSTS, it does literally the thing HSTS is supposed to do: prevent connections that do not appear to match.
>
> If you have accidentally (or perhaps "accidentally") turned on HSTS, you have limited options. Once a client has connected to your server, HSTS requires it to behave in a certain way, and there is very little you can do on the server side to un-screw it up. You can change the domain name in use, which gives you a new shot at HSTS, or you can clear the HSTS data out of your client (web browsers typically have a fairly easy way to do this). You cannot just "turn off" HSTS.

Yes, that's what I thought at first: that if I cleared the browser's HSTS cache, it would work. But that's not the case.

I went to the Chrome HSTS settings (chrome://net-internals/#hsts), and there was actually an HSTS record for my hostname, so I deleted it. But the HSTS problems remain.

The domain name with the problem is www.aa.com. After clearing the browser HSTS record without effect, I changed to a subdomain, abc.aa.com, to ingress the Nextcloud service, but there is still an HSTS problem.

Finally, I tried to proxy the www.aa.com and abc.aa.com domains to ingress other services, such as qBittorrent and ONLYOFFICE, and everything worked fine.

This always leads me to think it's a configuration issue with Nextcloud, but reinstalling Nextcloud still doesn't solve the problem. It's weird.

By the way, I do not use the domain name by itself to proxy the Nextcloud service; I use domain name plus port (such as www.aa.com:23000), including for qBittorrent and ONLYOFFICE. Will the domain name plus port affect the identification of HSTS?
 
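The following is an added example for this thread; it is not code from any post, from Nextcloud, or from the proxies mentioned. It models two things the discussion turns on: how Nextcloud's setup check judges a Strict-Transport-Security header (the header must be present on the response and carry a max-age of at least the 15552000 seconds quoted in the warning), and how a browser's HSTS store behaves per RFC 6797, which keys the policy by host name alone (the port is not part of the key, so a policy learned on www.aa.com:23000 also applies to www.aa.com on any other port), only accepts the header on HTTPS responses, and treats max-age=0 as an instruction to forget the host. The host names www.aa.com, abc.aa.com and the port 23000 come from the thread; the header values, the HstsCache class and the function names are constructed for illustration.

```python
"""Model of HSTS header parsing (RFC 6797) and a browser-style HSTS store.

Added illustration for the forum thread above; not Nextcloud's or any proxy's code.
Host names and header values are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Minimum max-age that Nextcloud's setup check wants to see (value quoted in its warning).
NEXTCLOUD_MIN_MAX_AGE = 15552000  # 180 days, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent, has no max-age, or has a malformed
    max-age (RFC 6797 says a UA ignores such a header). Directive names are
    case-insensitive and separated by ';'.
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def nextcloud_hsts_ok(header_value: Optional[str]) -> bool:
    """True when the header would satisfy the threshold in Nextcloud's warning."""
    policy = parse_hsts(header_value)
    return policy is not None and policy.max_age >= NEXTCLOUD_MIN_MAX_AGE


class HstsCache:
    """Minimal browser-style HSTS store.

    Entries are keyed by host name only: RFC 6797 does not include the port in
    the HSTS host identity, so www.aa.com:23000 and www.aa.com:443 share one entry.
    """

    def __init__(self) -> None:
        self._store: Dict[str, HstsPolicy] = {}

    def observe(self, url: str, header_value: Optional[str]) -> None:
        """Record the policy carried by a response to `url` (HTTPS responses only)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return  # HSTS headers on plain-HTTP responses are ignored
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy.max_age == 0:
            self._store.pop(parts.hostname, None)  # max-age=0: forget this host
        else:
            self._store[parts.hostname] = policy

    def must_use_https(self, url: str) -> bool:
        """Would the browser upgrade a request for `url` to HTTPS?"""
        host = urlsplit(url).hostname or ""
        if host in self._store:
            return True
        labels = host.split(".")
        # A parent domain's entry applies only if it carries includeSubDomains.
        for i in range(1, len(labels)):
            parent = self._store.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False

    def forget(self, host: str) -> None:
        """Equivalent of deleting one host in chrome://net-internals/#hsts."""
        self._store.pop(host, None)
```

Two points the model makes visible: a policy learned from www.aa.com:23000 also governs www.aa.com without a port, while www.aa.com's entry never covers abc.aa.com (it is not a subdomain of www.aa.com); and deleting one host's record in the browser does nothing if a parent domain such as aa.com holds an entry with includeSubDomains, which is worth checking before concluding the server is at fault.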