HSTS for Apache / Nextcloud under Virtualmin 7.20.2

SYSTEM INFORMATION
OS type and version: Rocky Linux 9.4
Virtualmin version: 7.20.2 Pro

A while back, I had an instance of Nextcloud running in a TrueNAS Jail, with Virtualmin acting as a Proxy to that app. Everything was set up and working perfectly.

I recently migrated my TrueNAS to a newer / different edition (from CORE to SCALE), meaning I had to rebuild my Nextcloud instance. I went through that, and while most of it is working well, there’s one outstanding issue. When I look in the Admin panel in Nextcloud, I see the following warning:

There are some warnings regarding your setup.

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.

Now, I know I ran into this before, so I did some checking before posting. I found this link:

I checked my Apache configs, and I do see that setting in the config files - it’s already there from last time.

What I do NOT see is the Apache Modules option in the Webmin panel. How can I tell (under the current version of Virtualmin) if the module is present and active?

Hello,

This option is only available for Debian and its derivatives; it’s not available on EL systems.

To make sure it works, check if the “headers” module is loaded by running:

httpd -M | grep headers
root@www:~# httpd -M | grep headers
headers_module (shared)
root@www:~#

OK, so it looks like it’s loaded.

I did some double-checking… the line:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

was under the http config, but not https. Once I added it there, the error vanished.

Thank you for the help and guidance!
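
An added example illustrating the fix described in this thread (not code from any poster or from Virtualmin): a Python check that reads Apache config text and reports, per VirtualHost, whether HSTS is effective. Browsers ignore the header when it arrives over plain HTTP, so a port-80-only setting leaves the warning in place. The sample config, addresses and hostname are constructed; the 15552000 threshold comes from the Nextcloud warning.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)
HSTS_RE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?(?:set|append|merge|add)\s+'
    r'Strict-Transport-Security\s+"([^"]*)"', re.I | re.M)
MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.I)

def is_tls_vhost(addrs, body):
    """Treat a vhost as HTTPS if it binds :443 or enables SSLEngine."""
    on_443 = any(a.endswith(":443") for a in addrs.split())
    return on_443 or bool(re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M))

def audit_hsts(conf_text):
    """Map each <VirtualHost> address to an HSTS status string."""
    report = {}
    for addrs, body in VHOST_RE.findall(conf_text):
        body = re.sub(r"^[ \t]*#.*$", "", body, flags=re.M)  # drop comment lines
        header = HSTS_RE.search(body)
        if not is_tls_vhost(addrs, body):
            # Browsers ignore HSTS received over plain HTTP (RFC 6797).
            status = "ignored-over-http" if header else "not-tls"
        elif not header:
            status = "missing"
        else:
            age = MAX_AGE_RE.search(header.group(1))
            ok = age is not None and int(age.group(1)) >= MIN_MAX_AGE
            status = "ok" if ok else "too-short"
        report[addrs.strip()] = status
    return report

HSTS_LINE = 'Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"'

# Constructed sample mirroring the thread: header only in the port-80 vhost.
SAMPLE_BEFORE = f"""
<VirtualHost 192.0.2.10:80>
    ServerName cloud.example.com
    {HSTS_LINE}
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName cloud.example.com
    SSLEngine on
    ProxyPass / http://192.0.2.20/
</VirtualHost>
"""
# Same config after the fix: the header is added to the HTTPS vhost as well.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("SSLEngine on", "SSLEngine on\n    " + HSTS_LINE)

if __name__ == "__main__":
    print("before:", audit_hsts(SAMPLE_BEFORE))
    print("after: ", audit_hsts(SAMPLE_AFTER))
```

To audit a real server, pass the contents of the vhost config file to `audit_hsts`; the parser only looks inside `<VirtualHost>` blocks and does not follow `Include` directives.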
