Koozali.org: home of the SME Server

owncloud 8.1,1, Strict-Transport-Security and SME 9

guest22

Re: owncloud 8.1,1, Strict-Transport-Security and SME 9
« Reply #15 on: September 08, 2015, 01:07:23 AM »
If you would require any other directives, I suggest you ask Daniel to include it. Ask nicely ;-)

Offline mophilly

Re: owncloud 8.1,1, Strict-Transport-Security and SME 9
« Reply #16 on: September 09, 2015, 10:53:27 PM »
Thank you, RequestedDeletion, for the link to the webapps common info.

It turns out the HTTP basic auth error is a bug in the owncloud distro and its sabreDAV config. I am going to wait and see what happens.

So, with that and the Strict-Transport-Security issue taken care of, it appears this issue is resolved. For the record, I used mmccarn's suggestion of a template that adds the directive to every ibay. It works fine today and I will keep an eye on it if we expand the use of this particular server.

Thanks to all. I appreciate the suggestions and information very much. 
- Mark

Offline mophilly

Re: owncloud 8.1,1, Strict-Transport-Security and SME 9
« Reply #17 on: September 14, 2015, 02:27:52 PM »
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean about php version (from scl I hope), apache tricks and all needed.

I amended the wiki page. I haven't written a custom template to apply the apache directive to a specific ibay, so that is something that could be added later.
- Mark

Offline mmccarn

Re: owncloud 8.1,1, Strict-Transport-Security and SME 9
« Reply #18 on: September 15, 2015, 12:59:37 PM »
I did some more digging and discovered this page describing how to set Strict-Transport-Security in .htaccess:
https://serverpilot.io/community/articles/how-to-enable-http-strict-transport-security-hsts.html

I tested this in two ways, both of which successfully eliminate the Owncloud error about Strict-Transport-Security.

First, I added the recommended directive to .htaccess in the root of the Owncloud installation, near the top of the file, in an existing section that sets some other Headers.  The resulting section looks like the code block below.  I don't know if there are security implications to doing it this way (that is, I don't know why the Owncloud devs aren't doing it this way), and you're likely to need to re-add it after each Owncloud update.
Code:
  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
    SetEnv modHeadersAvailable true
  </IfModule>

My test install of Owncloud is in a sub-folder of my Primary i-bay; I also verified that adding the code below in the root of the ibay (/home/e-smith/files/ibays/Primary/html/.htaccess) eliminates the warning from my Owncloud admin screen.
Code:
  <IfModule mod_headers.c>
    # "Header" directives need mod_headers; mod_env provides SetEnv
    <IfModule mod_env.c>
      # Send HSTS only on HTTPS responses (the HTTPS env var is set by mod_ssl);
      # browsers ignore the header on plain HTTP anyway
      Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
      SetEnv modHeadersAvailable true
    </IfModule>
  </IfModule>
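A defender-side check on the result of the .htaccess changes in this post, added here as an example and not code from the thread or from ownCloud: it parses the Strict-Transport-Security value, applies the conditions the ownCloud admin warning is about (header present over HTTPS with max-age at least 15768000), and flags the header being sent on plain HTTP, which would mean the env=HTTPS condition is not taking effect. The 15768000 threshold is taken from the snippets above and assumed to be ownCloud's minimum; the sample responses are constructed.

```python
import re

# ownCloud's admin check complains when max-age is below this many seconds
# (the value the .htaccess snippets above use); assumed threshold for this example.
MIN_MAX_AGE = 15768000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict of
    directives keyed by lower-cased name. Returns None when malformed
    (missing or non-numeric max-age, duplicated directive)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(scheme, headers, min_max_age=MIN_MAX_AGE):
    """Return (ok, reason) for one response. `headers` is a list of
    (name, value) pairs as they appear in the response; names are
    matched case-insensitively."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        # Browsers ignore HSTS on plain HTTP; seeing it there means the
        # env=HTTPS condition on the Header line is not taking effect.
        return (False, "HSTS sent over plain HTTP") if sts else (True, "ok")
    if not sts:
        return (False, "missing Strict-Transport-Security header")
    if len(sts) > 1:
        return (False, "more than one STS header; browsers use only the first")
    parsed = parse_hsts(sts[0])
    if parsed is None:
        return (False, "malformed STS header: %r" % sts[0])
    if parsed["max-age"] < min_max_age:
        return (False, "max-age %d is below %d" % (parsed["max-age"], min_max_age))
    return (True, "ok")


# Constructed sample responses, as `curl -sI` against the ibay might return them
SAMPLE_HTTPS = [("Content-Type", "text/html"), ("Strict-Transport-Security", "max-age=15768000")]
SAMPLE_HTTP = [("Content-Type", "text/html")]
```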