Line 93: |
Line 93: |
| The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. | | The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. |
| | | |
− | A resolution for this was presented in forum thread [http://forums.contribs.org/index.php/topic,51916.0.html owncloud 8.1,1, Strict-Transport-Security and SME 9], in which mmccarn suggested to minor changes. | + | A resolution for this was presented in forum thread [http://forums.contribs.org/index.php/topic,51916.0.html owncloud 8.1,1, Strict-Transport-Security and SME 9], in which mmccarn suggested a couple of minor changes that handle the task nicely. |
| | | |
| First, verify that the Apache headers module is loaded. You can look in the file httpd.conf for "LoadModule headers_module modules/mod_headers.so". Also, Xavier.A offered the command, | | First, verify that the Apache headers module is loaded. You can look in the file httpd.conf for "LoadModule headers_module modules/mod_headers.so". Also, Xavier.A offered the command, |
Line 99: |
Line 99: |
| apachectl -t -D DUMP_MODULES 2>&1 | grep header | | apachectl -t -D DUMP_MODULES 2>&1 | grep header |
| | | |
− | as a way to check for the module. | + | as a way to check for the module. The command returns "headers_module (shared)" if the header module is loaded. |
| | | |
− | The French Wikipedia page, [https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security HTTP Strict Transport Security] provides a good description. The English page is not as detailed, unfortunately, but there are handy page translation tools avaialble on the web. | + | Next, create custom template to add the header directive. The custom template is placed in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/. Name the template file "04StrictTransportSecurity". This important as the file name also dictates the order of loading. Put the following directive in the file: |
| + | |
| + | ### added to support ownCloud 8 ### |
| + | Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" |
| + | |
| + | You may test this approach by modifying the httpd.conf file directly, and adding the directive in the ServerAlias section. However, this will be overwritten when the server is updated or reconfigured. |
| + | |
| + | With the template in place, upgrade and reboot the system. |
| + | |
| + | signal-event post-upgrade; signal-event reboot; |
| + | |
| + | When the system is up and running again, check the ownCloud admin panel to verify the warning no longer appears. |
| + | |
| + | =====Further Reading===== |
| + | The French Wikipedia page, [https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security HTTP Strict Transport Security] provides a good description. The English page is not as detailed, unfortunately, but there are handy page translation tools availalble on the web. |
| | | |
| ===User login and permissions=== | | ===User login and permissions=== |