[SOLVED] Nextcloud TrueCharts in SCALE: how to enable HSTS header to at least "155520000"

sos_nz

Explorer
Joined
Mar 17, 2023
Messages
58
So, I've got Nextcloud Truecharts 25.0.2_19.0.51 up and running in SCALE 22.12.2. All working 100%, behind HAProxy.

But, on the Administration page security setting check, it shows:
  • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
Question: how do I adjust those settings? I've tried editing the .htaccess file in the Nextcloud and nginx pod using the shell access provided, inserting the following:

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</ifModule>

But on restarting the Nextcloud app, the security note remains.

I'm aware there's a similar thread, with the same question here:

But an answer wasn't forthcoming. If TrueCharts is setting that header in their app, it's not effectively being picked up by Nexcloud.
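A small header checker, added here as an example and not part of the original post or of the TrueCharts/Nextcloud code, that performs the same test Nextcloud's administration page is reporting on: it parses a Strict-Transport-Security value per RFC 6797 and requires max-age of at least 15552000 seconds (the figure quoted in the warning above). Running it against the public URL shows whether the header the browser actually sees comes through the proxy, which is the only header that matters; an .htaccess edit inside the pod is invisible if nginx, not Apache, serves the app. The sample header lists are constructed; fetch_headers is a plain urllib helper for a live check.

```python
import re
import urllib.request

# Threshold from Nextcloud's security check (about 180 days).
NEXTCLOUD_MIN_MAX_AGE = 15552000
# Browser preload list submission additionally requires one full year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse one Strict-Transport-Security header value.

    Returns a dict with max_age (int), include_subdomains and preload (bool),
    or None when there is no valid max-age directive (RFC 6797 requires one).
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        return None
    return parsed


def check_hsts(headers, minimum=NEXTCLOUD_MIN_MAX_AGE):
    """Evaluate a list of (name, value) response headers.

    Returns (ok, reason). Duplicate headers are flagged because a browser
    honours only the first one (RFC 6797 section 8.1), so a proxy and a
    backend that both set HSTS can silently disagree.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "header missing"
    if len(values) > 1:
        return False, "header sent %d times; only the first is honoured" % len(values)
    parsed = parse_hsts(values[0])
    if parsed is None:
        return False, "no valid max-age directive"
    if parsed["max_age"] < minimum:
        return False, "max-age %d is below %d" % (parsed["max_age"], minimum)
    if parsed["preload"] and parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
        return False, "preload requested but max-age is below one year"
    return True, "ok (max-age=%d)" % parsed["max_age"]


def fetch_headers(url):
    """Live check: return the response headers the client actually receives."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:  # noqa: S310 (URL is operator supplied)
        return resp.getheaders()


if __name__ == "__main__":
    # Constructed samples: a backend-only header that never reaches the client,
    # and the value a proxy would add once HSTS is enabled in front of it.
    missing = [("Content-Type", "text/html")]
    good = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]
    for name, sample in (("no proxy header", missing), ("proxy sets HSTS", good)):
        print(name, "->", check_hsts(sample))
    # For a real instance: print(check_hsts(fetch_headers("https://cloud.example.org/")))
```

If the live check reports the header missing while the pod's .htaccess contains it, the header is being set by a server that is not in the request path, and the fix belongs on whatever terminates TLS in front of Nextcloud.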
 

Sepol

Dabbler
Joined
Apr 15, 2022
Messages
12
TrueCharts has not updated Nextcloud for 2 months. Since the change on build channels, the creation of Nextcloud charts just stopped. I still run it, but am thinking of dropping it.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
TrueCharts has not updated Nextcloud for 2 months.
TrueCharts hasn't updated anything for two months due to the change in their common chart (which required almost all users to reinstall almost all apps, resulting in much weeping and gnashing of teeth). Now that that's settled, they're resuming software updates. See:
 

Sepol

Dabbler
Joined
Apr 15, 2022
Messages
12
@danb35, I see, thank you for the heads-up. I will wait for the updates !
 

LarsR

Guru
Joined
Oct 23, 2020
Messages
719
If I remember correctly they also plan a bigger overhaul of Nextcloud and then move it from the stable to the Enterprise train. I would wait with reinstalling/updating until that is done, since you'd have to reinstall it again when the train is moved.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I hope they implement a better host path data storage plan. Currently only the user data can be mounted outside, which isn't the best when redeploying the app.

The official one allows you to delete the app, redeploy and point it back at your data without having to do anything else.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I hope they implement a better host path data storage plan.
I know they have reasons for preferring PVCs over host paths for most purposes. I don't think I understand the underlying technology well enough to understand those reasons, though.
 

sos_nz

Explorer
Joined
Mar 17, 2023
Messages
58
SOLVED: You can workaround this using OPNsense's HAProxy settings.

In HAProxy, open/edit your Public service. Under "SSL Offloading" enable Advanced Settings.

From the further options which appear, check "Enable HSTS", "HSTS IncludeSubDomains" and "HSTS preload". Finally, set "HSTS max age" to something larger than "155520000". Save & Apply.

Reload your Nextcloud page, check administration, and enjoy the green tick of happiness!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
...and if you were behind HAProxy all along, that shows that the configuration of the TrueCharts apps was and is irrelevant. But keep in mind that HSTS can lock you out of your Nextcloud (or other app) installation if there's a problem with your SSL cert. There's good reason to not enable it, at least early on.
 

sos_nz

Explorer
Joined
Mar 17, 2023
Messages
58
No - I wasn't behind HAProxy - until yesterday I'd only read about it, but yesterday learnt all about its awesomeness for self-hosted services :)

It's very nice that it's so well included / implemented on OPNsense.

And yes, I've been running HSTS on my webserver for a few years, along with LE certs. It's all gravy!

Anyway, v. pleased to have solved this one.
 