Enable HTTP Strict Transport Security

Discussion in 'Installation/Configuration' started by zkvvoob, Aug 7, 2015.

  1. zkvvoob

    zkvvoob Member

    Hello,
    I just updated my OwnCloud installation to the newest version 8.1 and the admin panel warns me that
    Code:
    The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
    According to their security tips, I am supposed to add the following directive within the Apache VirtualHost file:
    Code:
    <VirtualHost *:443>
       ServerName cloud.owncloud.com
       Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </VirtualHost>
    Should I go and alter the corresponding vhost file manually in terminal or is there a more elegant way to add this directive through the ISPConfig interface?
    Thank you!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Never edit a vhost file manually, all manual changes will get removed automatically. if you want to add a config snippet into the vhost, then do this trough the apache directives of the website or by modifying the global vhost master template.
     
  3. zkvvoob

    zkvvoob Member

    Hi Till,
    I figured as much about manually editing the vhost files. However, when I entered the whole <Virtual Host> directive (with the corresponding changes for my domain) and proceeded to restart Apache, the process failed and said that said directive cannot be added within a virtual host.
    Then I only added the line "Header always add..." outside any tags, but that didn't seem to affect ownCloud, as the red warning that HSPS was not enabled.
    Could you give me a hint how to properly add this?
    Thanks!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The line that needs to be added is:

    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
     
  5. LyrX

    LyrX New Member

    Same problem here.
    Adding Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    in Apache Directives ist not working. Ispconfig creates a host.vhost.err file and falls back to the old vhost-file.

    Content of my Apache Directives:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) h ttps://%{SERVER_NAME}/$1 [R,L]

    As sure without the gap betwenn h and t. But howtoforge dont allow me to post "links".

    PHP-Modul is Fast-CGI.
    Didnt found a solution till now.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you enable the apache header module and reloaded apache afterward?
     
  7. LyrX

    LyrX New Member

    I forgot this. Working now. Thank you.
     
  8. renky

    renky New Member

    Hi
    Ok, this works for me, too over http-- but is there a possibility to get it working with the .htaccess-file?
    There are many examples on the internet but nothing of them works in my installation.
    Is this possible to set Strict-transport-security in htaccess at all?
    best regards
    dm
     
  9. inside83

    inside83 Member HowtoForge Supporter

    Could you please tell us how to enable the apache header module?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    a2enmod header
    service apache2 restart
     
  11. inside83

    inside83 Member HowtoForge Supporter

    @till
    Thank you but:

    Code:
    [email protected]:~# a2enmod header
    ERROR: Module header does not exist!
     
  12. Jesse Norell

    Jesse Norell Active Member

    a2enmod headers
     
    till and inside83 like this.
  13. inside83

    inside83 Member HowtoForge Supporter

    @Jesse Norell
    Thank you!
    But my ownCloud still says:
    I've put:
    Code:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    in my Apache Directives.
    What am I missing?
     
  14. inside83

    inside83 Member HowtoForge Supporter

    I'm getting:
    Code:
    Cannot modify header information - headers already sent by (output started at /var/www/clients/client1/web3/web/3rdparty/sabre/http/lib/Sapi.php:70) at /var/www/clients/client1/web3/web/3rdparty/sabre/http/lib/Sapi.php#58
    after putting:
    Code:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    in Apache Directives
     
  15. inside83

    inside83 Member HowtoForge Supporter

    Actually, one shout put:
    Code:
    <IfModule mod_headers.c>
          Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
    in Apache Directives
     
    Jesse Norell likes this.
  16. mattltm

    mattltm Member

    I just wanted to add that the code above also allows sending the HSTS header over HTTP which is not recommended. It should only be sent over HTTPS. You can do this by adding
    Code:
    env=HTTPS
    to the end of the directive. The complete directive should look like this...
    Code:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" env=HTTPS
    This will remove the warning about sending the HSTS header over HTTP if you are trying to add a site to Chromes preload list.
     
    Jesse Norell likes this.

Share This Page