HTTP Strict Transport Security

luke737 · January 2, 2020, 2:07pm

Hello,

I've got traefik and nextcloud up and running. Now I would like to set the HTTP Strict Transport Security to 15552000 as recommended by nextcloud. Unfortunately this does not work. Nextcloud still shows me in the settings "The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds".
What could be the reason for this?

My docker-compose file looks like this:

version: "3.6"

services:
  traefik:
    container_name: traefik
    image: "traefik:latest"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api
      - "--log.level=DEBUG"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myhttpchallenge.acme.email=mail@mail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    labels:
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=myhttpchallenge"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password

      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      #hsts
      - "traefik.http.middlewares.nextcloudHeader.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloudHeader.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloudHeader.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloudHeader.headers.forceSTSHeader=true"
    restart: always

  nextcloud:
    container_name: nextcloud
    image: "nextcloud:latest"
    environment:
      - "MYSQL_DATABASE=nextcloud"
      - "MYSQL_USER=nextcloud"
      - "MYSQL_PASSWORD=password"
      - "MYSQL_HOST=database"
      - "NEXTCLOUD_ADMIN_USER=user"
      - "NEXTCLOUD_ADMIN_PASSWORD=password"
      - "NEXTCLOUD_TRUSTED_DOMAINS=subdomain.domain.com"
    labels:
      - "traefik.http.routers.nextcloud.rule=Host(`subdomain.domain.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=myhttpchallenge"
    restart: always

Thanks

SantoDE · January 3, 2020, 5:00pm

I would guess, because your middleware is not attached to the nextcloud router? I guess you need to add a label like that to your nextcloud service

traefik.http.routers.nextcloud.middlewares=nextcloudHeader

pascalandy · January 11, 2020, 5:33pm

It looks like @DirkieP was able to resolve this issue. Check this conversation.

SantoDE · January 13, 2020, 9:51am

Ah. Thanks!

Topic		Replies	Views
Nextcloud with Cal/Cardav routing Traefik v2 docker	9	8676	January 20, 2023
My traefik2.0 configuration slows down nextcloud download speed Traefik v2 docker	0	1094	March 19, 2021
Problem with cyphers and HSTS Traefik v2 docker	0	1656	November 25, 2019
Https requests not working for docker/nextcloud (plain http request sent to https port) Traefik v2 docker	3	5861	November 8, 2019
[Solved] Help with header security Traefik v2 docker	0	213	April 20, 2024

HTTP Strict Transport Security

Related topics