Wonderfall, under Apache 2.4 with Quickbox, would this be correct for the Strict Transport Security (HSTS) module, compatible with Nextcloud v11?:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
# Header syntax is: Header set <name> "<value>" (no colon after the name,
# value quoted when it contains spaces or semicolons)
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
I also added this for the HTTP to HTTPS redirect:
In this file
nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
<VirtualHost *:80>
ServerName votredomaine.fr
Redirect permanent / https://votredomaine.fr/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
# Header syntax is: Header set <name> "<value>" (no colon after the name,
# value quoted when it contains spaces or semicolons)
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /srv/rutorrent/home/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/votredomaine.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/votredomaine.fr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName votredomaine.fr
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
Here is the included file:
nano /etc/letsencrypt/options-ssl-apache.conf
# Baseline setting to Include for SSL sites
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
Yet I still get the error on Nextcloud v11: "The "Strict-Transport-Security" HTTP header is not configured to "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our hardening and security guide." Apache 2.4 seems to restart fine, and I only get an "A" in the evaluation.
Under nginx with bonobox it worked, with "A+" and HSTS, using this configuration.
Does anyone know where the problem comes from?
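The check Nextcloud performs is simply whether the response to its own URL carries a Strict-Transport-Security header with a max-age of at least 15552000 seconds. The following script is an added example, not part of the original post or of Nextcloud or Quickbox: it parses a block of HTTP response headers and applies that test, so the server can be verified from the outside rather than by reading the vhost files. The three header blocks it feeds itself are constructed samples; in practice the input would be the output of `curl -sI https://votredomaine.fr/` (votredomaine.fr being the placeholder used in the post).

```shell
#!/bin/sh
# Added example, not from the original post: validate a server's
# Strict-Transport-Security header the way Nextcloud's security check does,
# i.e. the header must be present and max-age must be >= 15552000 seconds.
# Feed it raw response headers, e.g. hsts_report "$(curl -sI https://votredomaine.fr/)".

NEXTCLOUD_MIN_AGE=15552000

# hsts_max_age HEADERS: print the max-age of the first STS header, or nothing.
# Header names are case-insensitive, so everything is lowercased first;
# CR characters from the HTTP line endings are stripped.
hsts_max_age() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | tr '[:upper:]' '[:lower:]' \
        | grep '^strict-transport-security:' \
        | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_ok HEADERS: exit status 0 when the header is present and long enough.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$NEXTCLOUD_MIN_AGE" ]
}

# hsts_report HEADERS: one-line verdict, distinguishing "absent" from "too short".
hsts_report() {
    age=$(hsts_max_age "$1")
    if hsts_ok "$1"; then
        echo "OK: HSTS max-age=$age"
    elif [ -n "$age" ]; then
        echo "TOO SHORT: HSTS max-age=$age < $NEXTCLOUD_MIN_AGE"
    else
        echo "MISSING: no Strict-Transport-Security header in response"
    fi
}

# Constructed sample responses (not real captures).
GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff'

SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

MISSING='HTTP/1.1 200 OK
X-Content-Type-Options: nosniff'

hsts_report "$GOOD"
hsts_report "$SHORT"
hsts_report "$MISSING"
```

If the report says MISSING even though the Header directives are in the vhost, the usual cause is that mod_headers is not loaded: the `<IfModule mod_headers.c>` wrapper then silently skips every Header line instead of failing at startup. `apache2ctl -M | grep headers` shows whether the module is active, and `a2enmod headers` followed by a restart enables it on Debian-style layouts. Also run the check against the exact URL Nextcloud is served from, since a header set in one vhost does not apply to requests answered by another.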