Koozali.org: home of the SME Server

owncloud 8.1.1, Strict-Transport-Security and SME 9

Offline Mophilly

owncloud 8.1.1, Strict-Transport-Security and SME 9
« on: September 05, 2015, 09:58:46 PM »
Working with a freshly configured SME 9, all updates applied.
Updated owncloud 8.0.4 to 8.1.1. The owncloud config check says "The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds.".

I cannot find anything on Strict-Transport-Security in the wiki or the forums.
Can this be solved with a template fragment to amend the http for the specific ibay?
Is it more involved than that?
- Mark

Offline mmccarn

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #1 on: September 06, 2015, 05:47:31 AM »
On my SME9 server the headers module is already being loaded into apache (httpd-e-smith).

After that you need to end up with this directive in the <VirtualHost... declaration responsible for your owncloud instance, immediately after the ServerAlias declarations:
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
For testing you can add this manually to the desired section of /etc/httpd/conf/httpd.conf then restart the web server with sv t httpd-e-smith, but the changes will go away the next time you reconfigure or execute any of several signal-events (domain-modify, remoteaccess-update, etc).

You might be able to add this directive to all of your Virtualhosts by creating this file with the content shown above:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/04StrictTransportSecurity

How to add it to only owncloud would depend on how your owncloud is currently configured (is it an ibay or a domain or a subdirectory of the Primary ibay?).
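As an added illustration (not code from this thread, from ownCloud or from SME Server), a small Python checker for the value that directive makes Apache send: it takes the first Strict-Transport-Security line from a constructed response, parses it the way RFC 6797 describes, and confirms it meets the 15768000-second minimum the ownCloud config check complains about. The response lines are constructed for the example, not captured from a server.

```python
# ownCloud's config check quoted in the opening post wants at least this many seconds.
OWNCLOUD_MIN_MAX_AGE = 15768000

# Constructed sample response headers (not captured from a real server): what
# Apache sends after mmccarn's "Header always add ..." directive is in place.
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload",
    "Content-Type: text/html",
]

def first_hsts_value(header_lines):
    """First Strict-Transport-Security value, or None. RFC 6797 has browsers honour
    only the first copy, so a duplicate (easy to get with 'Header add') is ignored."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None

def parse_hsts(value):
    """Split an HSTS value into its directives; names are case-insensitive."""
    hsts = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            hsts["max_age"] = int(arg)
        elif name == "includesubdomains":
            hsts["include_subdomains"] = True
        elif name == "preload":
            hsts["preload"] = True
    return hsts

def meets_owncloud_minimum(value, minimum=OWNCLOUD_MIN_MAX_AGE):
    """True when max-age is present and at least the minimum ownCloud asks for."""
    max_age = parse_hsts(value)["max_age"]
    return max_age is not None and max_age >= minimum

def long_lived_commitments(value):
    """Directives that are hard to undo once browsers have cached the policy."""
    hsts = parse_hsts(value)
    notes = []
    if hsts["include_subdomains"]:
        notes.append("includeSubDomains: every subdomain must serve valid HTTPS")
    if hsts["preload"]:
        notes.append("preload: policy may get hard-coded into browsers")
    return notes
```

Against a live server the same functions can be fed the lines printed by `curl -sI https://host/owncloud/`; a missing or malformed max-age means browsers discard the whole header, which is why the ownCloud check still fails in that case.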

Offline Xavier.A

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #2 on: September 06, 2015, 02:08:14 PM »
@ALL :
/!\ before activating this feature, read and try to understand the RFC (especially with a self-signed cert.):

to test if a module is loaded:
Code:
apachectl -t -D DUMP_MODULES 2>&1 | grep header

some examples from the french wikipedia

to test your Apache config before restarting Apache with sv:
Code:
apachectl configtest

A+
“When the wise man points to the moon, the fool looks at the finger.”

guest22

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #3 on: September 06, 2015, 10:45:32 PM »
@ALL :
/!\ before activating this feature, read and try to understand the RFC (especially with a self-signed cert.):
to test if a module is loaded:
Code:
apachectl -t -D DUMP_MODULES 2>&1 | grep header

some examples from the french wikipedia

to test your Apache config before restarting Apache with sv:
Code:
apachectl configtest

A+


This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.

Offline Xavier.A

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #4 on: September 06, 2015, 11:09:19 PM »

This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.

because you are a great expert, you will answer the question then... what was the question?
my advice is just: be careful if you activate this feature for your apache server, but one more time RequestedDeletion I will leave you the last word!

bye.

PS: have you read the RFC, RequestedDeletion? maybe not!

Offline Mophilly

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #5 on: September 07, 2015, 01:11:47 AM »
Thank you for the replies. Very helpful. I found the links posted by Xavier.A very interesting (after translation. :-) )

On my SME9 server the headers module is already being loaded into apache (httpd-e-smith).
[SNIP]
How to add it to only owncloud would depend on how your owncloud is currently configured (is it an ibay or a domain or a subdirectory of the Primary ibay?).

If the headers module is not loaded by default in SME 9 then it isn't loaded in this case. That said, I see "LoadModule headers_module modules/mod_headers.so" in httpd.conf. The apache query suggested by Xavier.A returns " headers_module (shared)". Do either or both of these indicate the necessary module is loaded?

Presently, owncloud is in an ibay and referenced by the URL "mydomain.com/owncloud/". I added the directive to the httpd.conf and restarted httpd. The Strict-Transport-Security warning no longer appears in the owncloud config check.

The only remaining error in the owncloud check is mention of missing basic authentication headers. Can both the Strict-Transport-Security and basic auth headers be added with a single template fragment?
- Mark

Offline stephdl

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #6 on: September 07, 2015, 09:27:26 AM »
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean the php version (from scl I hope), apache tricks and all that is needed.

Thanks in advance.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline Xavier.A

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #7 on: September 07, 2015, 10:28:43 AM »
Mophilly :
Thank you for the replies. Very helpful. I found the links posted by Xavier.A very interesting (after translation. :-) )
thanks to you

This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.
but all this bad behaviour is boring, I'm fed up!

bye

Offline Mophilly

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #8 on: September 07, 2015, 07:49:30 PM »
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean the php version (from scl I hope), apache tricks and all that is needed.

Thanks in advance.

Yes, I will do what I can.

You wrote "from scl I hope". Please define "scl", I am not familiar with (or not recognizing) the acronym.
« Last Edit: September 07, 2015, 08:05:09 PM by Mophilly »
- Mark

Offline Mophilly

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #9 on: September 07, 2015, 08:04:53 PM »
So the test of adding the directive to the httpd.conf succeeded in eliminating the error message. What remains is to write a template fragment. It has been a couple of years since I have touched the templates.

mmccarn suggested adding the Strict-Transport-Security directive to all of the Virtualhosts by creating this file with the content shown above:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/04StrictTransportSecurity

I recall seeing a bit of perl to filter on specific ibay names. If I can find the example, that might be a safe approach. I am not sure what impact Strict-Transport-Security would have on other web apps.

Also, I need to modify the headers to have the webDAV stuff (basic auth) added. Is it possible and/or wise to pile all that into a single template document? Are the serverAlias sections built separately from the directory headers? For this I am considering following either the ModDav contrib or the PHP selection contrib as a model.
UPDATE: after posting I found the custom template "99allow_url_fopen" that is installed by the sme owncloud contrib package. That seems like the best place to put the basic auth directives. I will look to that and if it works submit a proposed addition to the contrib.
« Last Edit: September 07, 2015, 08:09:07 PM by Mophilly »
- Mark

Offline stephdl

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #10 on: September 07, 2015, 08:14:18 PM »
Yes, I will do what I can.
merci :p
You wrote "from scl I hope". Please define "scl", I am not familiar with (or not recognizing) the acronym.
You cannot safely upgrade php on sme9; the only way to go is to use the software collections of Redhat. In fact you install other php versions in /opt, without removing php53. I did a contrib for that -> http://wiki.contribs.org/PHP_Software_Collections

Offline Mophilly

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #11 on: September 07, 2015, 08:56:21 PM »
I did a contrib for that -> http://wiki.contribs.org/PHP_Software_Collections

That is what I used to install alternate versions of PHP. It is very helpful and convenient. Thanks for building it.
- Mark

Offline mmccarn

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #12 on: September 07, 2015, 10:04:36 PM »
If I'm reading this file correctly:
Quote from: /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts
...
        my $templatePath = $domain->prop('TemplatePath') || 'VirtualHosts';
...

You should be able to change only your owncloud domain like this:
1) copy everything from the default virtualhost template folder to a new folder
2) Add the new template fragment in the Owncloud folder
3) set the db variable TemplatePath for your owncloud domain
4) signal-event remoteaccess-update

Code:
cd /etc/e-smith/templates/etc/httpd/conf/httpd.conf/
'cp' -r VirtualHosts/ Owncloud/
cd Owncloud
echo ' Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"' > 04StrictTransportSecurity
db domains setprop owncloud.blah.tld TemplatePath Owncloud
signal-event remoteaccess-update

* The 'echo...' line goes off the screen to the right (on my system)

* Replace owncloud.blah.tld with the domain name you use for owncloud

* Un-do using
Code:
db domains delprop owncloud.blah.tld TemplatePath
signal-event remoteaccess-update

Offline Mophilly

Re: owncloud 8.1.1, Strict-Transport-Security and SME 9
« Reply #13 on: September 08, 2015, 12:59:28 AM »
Thank you for taking the time to write up a step by step guide. I appreciate your generosity very much. :)

If I'm reading this file correctly:
You should be able to change only your owncloud domain like this:
1) copy everything from the default virtualhost template folder to a new folder
2) Add the new template fragment in the Owncloud folder
3) set the db variable TemplatePath for your owncloud domain
4) signal-event remoteaccess-update

Regarding item 3: I understand that will work well for a domain, but this install of owncloud is in an iBay. We access it with a URL like "subdomain.mydomain.tld/owncloud", where subdomain points to a particular server and owncloud is in an ibay on that server. I realize this may be outside the scope of the forum and so I am more than happy to take this off list if appropriate.

Anyway, I would like to add the apache directive on a "per ibay" basis.

UPDATE: just after posting (why does it always work like that?) I came across the webshare contrib which includes an example of the "per ibay" switch. Perhaps that is a good model.
« Last Edit: September 08, 2015, 01:02:45 AM by Mophilly »
- Mark
