Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: mophilly on September 05, 2015, 09:58:46 PM
-
Working with a freshly configured SME 9, all updates applied.
Updated owncloud 8.0.4 to 8.1.1. The owncloud config check says "The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds.".
I cannot find anything on Strict-Transport-Security in the wiki or the forums.
Can this be solved with a template fragment to amend the http for the specific ibay?
Is it more involved than that?
-
On my SME9 server the headers module is already being loaded into apache (httpd-e-smith).
After that you need to end up with this directive in the <VirtualHost... declaration responsible for your owncloud instance, immediately after the ServerAlias declarations:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
For testing you can add this manually to the desired section of /etc/httpd/conf/httpd.conf then restart the web server with sv t httpd-e-smith, but the changes will go away the next time you reconfigure or execute any of several signal-events (domain-modify, remoteaccess-update, etc).
You might be able to add this directive to all of your Virtualhosts by creating this file with the content shown above:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/04StrictTransportSecurity
How to add it to only owncloud would depend on how your owncloud is currently configured (is it an ibay or a domain or a subdirectory of the Primary ibay?).
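As an added example (not part of mmccarn's post or of SME Server itself), here is a small POSIX sh checker that does what the ownCloud config check does: it takes a captured response header block, such as the output of curl -sI https://yourhost/, and verifies per RFC 6797 that exactly one Strict-Transport-Security header is present and that its max-age is at least the 15768000 seconds ownCloud asks for. The header blocks at the bottom are constructed samples, not real captures. A second copy of the header (one from httpd.conf plus one from .htaccess, say) is flagged, because a browser only honours the first one it receives.

```shell
#!/bin/sh
# Added example, not from the thread: check a captured HTTPS response header
# block for the Strict-Transport-Security header the way ownCloud's config
# check does, following RFC 6797 (one header, max-age present and long enough).

# Minimum max-age in seconds that ownCloud 8.1 asks for (the warning quoted above).
HSTS_MIN_AGE=15768000

# hsts_max_age VALUE
# Prints the max-age delta-seconds found in an STS header value, or nothing.
# RFC 6797 allows a directive value as a token or a quoted-string, so an
# optional double quote before the number is accepted; names are case-insensitive.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p'
}

# check_hsts HEADERS
# HEADERS is a raw response header block as produced by `curl -sI https://host/`.
# Returns 0 if exactly one Strict-Transport-Security header is present and its
# max-age is at least HSTS_MIN_AGE; otherwise prints the reason and returns 1.
check_hsts() {
    # strip CR so CRLF line endings from a real capture do not break matching
    sts=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' || true)
    count=$(printf '%s\n' "$sts" | grep -c .)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no Strict-Transport-Security header in response"
        return 1
    fi
    # RFC 6797 section 8.1: a UA processes only the first STS header it receives,
    # so a second copy (e.g. one from httpd.conf and one from .htaccess) is a
    # configuration error worth fixing rather than a harmless repeat.
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count Strict-Transport-Security headers; only the first is honoured"
        return 1
    fi
    value=$(printf '%s\n' "$sts" | head -n 1 | cut -d: -f2-)
    age=$(hsts_max_age "$value")
    if [ -z "$age" ]; then
        echo "FAIL: STS header has no max-age directive, so it will be ignored"
        return 1
    fi
    if [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo "FAIL: max-age=$age is below $HSTS_MIN_AGE"
        return 1
    fi
    echo "OK: max-age=$age"
    return 0
}

# Constructed sample header blocks (not real captures).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Type: text/html'

SHORT_HEADERS='HTTP/1.1 200 OK
strict-transport-security: max-age=3600
Content-Type: text/html'

DUPLICATE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Strict-Transport-Security: max-age=15768000
Content-Type: text/html'

# Demonstration on the samples; on a live host use: check_hsts "$(curl -sI https://host/)"
check_hsts "$GOOD_HEADERS"      && echo "good sample accepted"
check_hsts "$SHORT_HEADERS"     || echo "short max-age rejected, as intended"
check_hsts "$DUPLICATE_HEADERS" || echo "duplicate header rejected, as intended"
```

Run it against the HTTPS URL only: the same check on the http:// side tells you nothing, since a browser discards the header when it arrives over plain HTTP.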
-
@ALL :
/!\ before activating this feature, read and try to understand the RFC (especially with a self-signed cert.):
- RFC 6797 (https://www.rfc-editor.org/rfc/rfc6797.txt)
- For French readers, an excellent post from this AFNIC expert (http://www.bortzmeyer.org/6797.html)
- Enforce Web Policy with HTTP Strict Transport Security (HSTS) (https://blog.cloudflare.com/enforce-web-policy-with-hypertext-strict-transport-security-hsts/)
to test if a module is loaded:
apachectl -t -D DUMP_MODULES 2>&1 | grep header
some examples from the French Wikipedia (https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
to test your Apache config before restarting Apache with sv:
apachectl configtest
A+
-
@ALL :
/!\ before activating this feature, read and try to understand the RFC (especially with a self-signed cert.):
- RFC 6797 (https://www.rfc-editor.org/rfc/rfc6797.txt)
- For French readers, an excellent post from this AFNIC expert (http://www.bortzmeyer.org/6797.html)
- Enforce Web Policy with HTTP Strict Transport Security (HSTS) (https://blog.cloudflare.com/enforce-web-policy-with-hypertext-strict-transport-security-hsts/)
to test if a module is loaded:
apachectl -t -D DUMP_MODULES 2>&1 | grep header
some examples from the French Wikipedia (https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
to test your Apache config before restarting Apache with sv:
apachectl configtest
A+
This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.
-
This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.
because you are a great expert, you will answer the question then...what was the question?
my advice is just: be careful if you activate this feature for your Apache server, but one more time, RequestedDeletion, I will leave you the last word!
bye.
PS: have you read the RFC, RequestedDeletion? Maybe not!
-
Thank you for the replies. Very helpful. I found the links posted by Xavier.A very interesting (after translation. :-) )
On my SME9 server the headers module is already being loaded into apache (httpd-e-smith).
[SNIP]
How to add it to only owncloud would depend on how your owncloud is currently configured (is it an ibay or a domain or a subdirectory of the Primary ibay?).
If the headers module is not loaded by default in SME 9 then it isn't loaded in this case. That said, I see "LoadModule headers_module modules/mod_headers.so" in httpd.conf. The apache query suggested by Xavier.A returns " headers_module (shared)". Do either or both of these indicate the necessary module is loaded?
Presently, owncloud is in an ibay and referenced by the URL "mydomain.com/owncloud/". I added the directive to the httpd.conf and restarted httpd. The Strict-Transport-Security warning no longer appears in the owncloud config check.
The only remaining error in the owncloud check is mention of missing basic authentication headers. Can both the Strict-Transport-Security and basic auth headers be added with a single template fragment?
-
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean the PHP version (from scl I hope), Apache tricks and all that is needed.
Thanks in advance.
-
Mophilly :
Thank you for the replies. Very helpful. I found the links posted by Xavier.A very interesting (after translation. :-) )
thanks to you
This does not answer the question. Please be careful when crossing the street kinda thing. Please add specifically to the question.
but all this bad behaviour is boring, I'm fed up!
bye
-
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean the PHP version (from scl I hope), Apache tricks and all that is needed.
Thanks in advance.
Yes, I will do what I can.
You wrote "from scl I hope". Please define "scl", I am not familiar with (or not recognizing) the acronym.
-
So the test of adding the directive to the httpd.conf succeeded in eliminating the error message. What remains is to write a template fragment. It has been a couple of years since I have touched the templates.
mmccarn suggested adding the Strict-Transport-Security directive to all of the Virtualhosts by creating this file with the content shown above:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/04StrictTransportSecurity
I recall seeing a bit of perl to filter on specific ibay names. If I can find the example, that might be a safe approach. I am not sure what impact Strict-Transport-Security would have on other web apps.
Also, I need to modify the headers to have the webDAV stuff (basic auth) added. Is it possible and/or wise to pile all that into a single template document? Are the ServerAlias sections built separately from the directory headers? For this I am considering following either the ModDav contrib or the PHP selection contrib as a model.
UPDATE after posting I found the custom template "99allow_url_fopen" that is installed by the sme owncloud contrib package. That seems like the best place to put the basic auth directives. I will look to that and if it works submit a proposed addition to the contrib.
-
Yes, I will do what I can.
thanks :p
You wrote "from scl I hope". Please define "scl", I am not familiar with (or not recognizing) the acronym.
You cannot safely upgrade PHP on SME9; the only way to go is to use the Software Collections of Red Hat (https://www.softwarecollections.org/en/). In fact you install other PHP versions in /opt, without removing php53. I did a contrib for that -> http://wiki.contribs.org/PHP_Software_Collections
-
I did a contrib for that -> http://wiki.contribs.org/PHP_Software_Collections
That is what I used to install alternate versions of PHP. It is very helpful and convenient. Thanks for building it.
-
If I'm reading this file correctly:
...
my $templatePath = $domain->prop('TemplatePath') || 'VirtualHosts';
...
You should be able to change only your owncloud domain like this:
1) copy everything from the default virtualhost template folder to a new folder
2) Add the new template fragment in the Owncloud folder
3) set db variable for TemplatePath for your owncloud domain
4) signal-event remoteaccess-update
cd /etc/e-smith/templates/etc/httpd/conf/httpd.conf/
'cp' -r VirtualHosts/ Owncloud/
cd Owncloud
echo ' Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"' > 04StrictTransportSecurity
db domains setprop owncloud.blah.tld TemplatePath Owncloud
signal-event remoteaccess-update
* The 'echo...' line goes off the screen to the right (on my system)
* Replace owncloud.blah.tld with the domain name you use for owncloud
* Un-do using db domains delprop owncloud.blah.tld TemplatePath
signal-event remoteaccess-update
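Added example, not from mmccarn's post or from SME Server: once the templates have been expanded, this sh/awk audit lists every <VirtualHost> block in the generated httpd.conf with its address:port, its ServerName, and whether a Header line for Strict-Transport-Security appears inside it, then reports any port-443 block that lacks one. The 04StrictTransportSecurity fragment lands in the port-80 vhosts as well; that is harmless, since RFC 6797 has browsers ignore the header on a plain-HTTP response, but it is the 443 blocks that must carry it. The SAMPLE_CONF excerpt and the example.tld hostnames are constructed; on a live SME 9 box run audit_hsts_vhosts "$(cat /etc/httpd/conf/httpd.conf)".

```shell
#!/bin/sh
# Added example, not from the thread: after template expansion, audit which
# <VirtualHost> blocks in httpd.conf carry the Strict-Transport-Security
# directive. Only the port-443 blocks matter, because a browser ignores the
# header on a plain-HTTP response (RFC 6797).

# audit_hsts_vhosts CONF_TEXT
# Prints one line per VirtualHost block: "<addr:port> <ServerName> hsts=yes|no".
audit_hsts_vhosts() {
    printf '%s\n' "$1" | awk '
        # opening tag: keep the "addr:port" part and reset the per-block state
        /^[ \t]*<VirtualHost/ {
            spec = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", spec)
            sub(/[ \t]*>.*$/, "", spec)
            name = "-"; hsts = "no"; inblock = 1; next
        }
        inblock && /^[ \t]*ServerName[ \t]/ { name = $2 }
        inblock && /^[ \t]*Header[ \t].*Strict-Transport-Security/ { hsts = "yes" }
        /^[ \t]*<\/VirtualHost>/ {
            print spec, name, "hsts=" hsts
            inblock = 0
        }
    '
}

# missing_hsts_443 CONF_TEXT
# Prints the ServerName of every port-443 VirtualHost without the directive;
# returns 1 if any such block exists, 0 if every HTTPS vhost carries it.
missing_hsts_443() {
    missing=$(audit_hsts_vhosts "$1" | awk '$1 ~ /:443$/ && $3 == "hsts=no" { print $2 }')
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed excerpt of an expanded httpd.conf (not a real SME Server file).
# The third vhost is deliberately missing the directive on port 443.
SAMPLE_CONF='<VirtualHost 0.0.0.0:80>
    ServerName cloud.example.tld
    ServerAlias owncloud.example.tld
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName cloud.example.tld
    ServerAlias owncloud.example.tld
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName intranet.example.tld
</VirtualHost>'

# Demonstration on the constructed sample.
audit_hsts_vhosts "$SAMPLE_CONF"
missing_hsts_443 "$SAMPLE_CONF" && echo "all HTTPS vhosts send HSTS" \
    || echo "the vhosts listed above lack HSTS on port 443"
```

Run the audit after every signal-event that regenerates httpd.conf (remoteaccess-update, domain-modify, and so on), since that is exactly when a hand edit disappears and a template fragment is supposed to take over.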
-
Thank you for taking the time to write up a step by step guide. I appreciate your generosity very much. :)
If I'm reading this file correctly:
You should be able to change only your owncloud domain like this:
1) copy everything from the default virtualhost template folder to a new folder
2) Add the new template fragment in the Owncloud folder
3) set db variable for TemplatePath for your owncloud domain
4) signal-event remoteaccess-update
Regarding item 3: I understand that will work well for a domain, but this install of owncloud is in an iBay. We access it with a URL like "subdomain.mydomain.tld/owncloud", where subdomain points to a particular server and owncloud is in an ibay on that server. I realize this may be outside the scope of the forum and so I am more than happy to take this off list if appropriate.
Anyway, I would like to add the apache directive on a "per ibay" basis.
UPDATE: just after posting (why does it always work like that?) I came across the webshare contrib which includes an example of the "per ibay" switch. Perhaps that is a good model.
-
FYI http://wiki.contribs.org/Webapps-common
-
If you would require any other directives, I suggest you ask Daniel to include it. Ask nicely ;-)
-
Thank you, RequestedDeletion, for the link to the webapps common info.
It turns out the HTTP basic auth error is a bug in the owncloud distro and its sabreDAV config. I am going to wait and see what happens.
So, with that and the Strict-Transport-Security issue taken care of, it appears this issue is resolved. For the record, I used mmccarn's suggestion of a template that adds the directive to every ibay. It works fine today and I will keep an eye on it if we expand the use of this particular server.
Thanks to all. I appreciate the suggestions and information very much.
-
Mophilly, could you add a new section to the wiki page of owncloud, or review the existing one, with all the specific settings needed by owncloud8? I mean the PHP version (from scl I hope), Apache tricks and all that is needed.
I amended the wiki page. I haven't written a custom template to apply the Apache directive to a specific ibay, so that is something that could be added later.
-
I did some more digging and discovered this page describing how to set Strict-Transport-Security in .htaccess:
https://serverpilot.io/community/articles/how-to-enable-http-strict-transport-security-hsts.html
I tested this in two ways, both of which successfully eliminate the Owncloud error about Strict-Transport-Security.
First, I added the recommended directive to .htaccess in the root of the Owncloud installation, near the top of the file, in an existing section that sets some other Headers. The resulting section looks like the code block below. I don't know if there are security implications to doing it this way (that is, I don't know why the Owncloud devs aren't doing it this way), and you're likely to need to re-add it after each Owncloud update.
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
SetEnv modHeadersAvailable true
</IfModule>
My test install of Owncloud is in a sub-folder of my Primary i-bay; I also verified that adding the code below in the root of the ibay (/home/e-smith/files/ibays/Primary/html/.htaccess) also eliminates the warning from my Owncloud admin screen.
<IfModule mod_env.c>
# Add security and privacy related headers
Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
SetEnv modHeadersAvailable true
</IfModule>