ClearOS Feature Request


0 votes
Would it be possible to add Strict-Transport-Security to 443 definitions? (or at least the option to turn it on and define the period? It's noticeable that NextCloud installations (not sure about the app version) always complain that it's inactive whenever flex-443.conf is touched and it's a real bind having to keep adding it by hand!
Sunday, September 06 2020, 11:05 AM
Share this post:
Responses (3)
  • Accepted Answer

    Sunday, September 06 2020, 01:07 PM - #Permalink
    0 votes
    What I'd like to see, if it works, is that every virtualhost and directory section to have an include e.g:
    <VirtualHost *:80>
    DocumentRoot /var/www/virtual/
    ErrorLog /var/www/virtual/
    CustomLog /var/www/virtual/ combined
    include /etc/httpd/conf.d/user_vhost/

    <Directory /var/www/virtual/>
    Options +Indexes +FollowSymLinks -IncludesNOExec
    AllowOverride All
    <FilesMatch \.php$>
    SetHandler "proxy:fcgi://"
    Require local
    Require ip
    include /etc/httpd/conf.d/user_dir/
    The users should then be able to use their custom directives in the /etc/httpd/conf.d/user_vhost/ and include /etc/httpd/conf.d/user_dir/ files. I don't know if this would work and don't know the effect of missing or empty included files. It was just a suggestion of mine. Unfortunately there is little chance if this being looked at in the near future.
    The reply is currently minimized Show
  • Accepted Answer

    Sunday, September 06 2020, 12:45 PM - #Permalink
    0 votes
    Basically - Yup (Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains").

    At the moment, I have to manually add it to the website site definition in flex-443 (I don't use the app; I get the original direct from NextCloud servers). NB: the redirect isn't necessary if ProxyPass is used as it already has the option to redirect http accesses to https.

    I get that I could manually add a virtual host conf file (and create the various directories separately, but it would be much cleaner to leave the site definition/configuration at webconfig level and just have the option of enabling Transport Security at the same time - and as I say, if the period is definable, it makes the mechanism portable to any other site definition that may need it at a different rate. It could fall into the same category as the ability to define the version of php in use on the site.

    It strikes me that it should now really be a default for https definitions as the whole point of providing the ability to create https sites is security, and this is all about combatting man-in-the-middle attacks.
    The reply is currently minimized Show
  • Accepted Answer

    Sunday, September 06 2020, 11:52 AM - #Permalink
    0 votes
    The NC app has:
      <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000"
    in its httpd configlet so it is probably fine. Is this how you are turning it on?

    I can add it to the feature requests. There is already a feature request to add an http to https redirect.
    The reply is currently minimized Show
Your Reply