Topic: Setting default-ssl config for hsts |
athena
Joined: 22 Jul 2015 Posts: 5 Location: USA, Princeton
|
Posted: Wed 22 Jul '15 16:32 Post subject: Setting default-ssl config for hsts |
|
|
Hello,
I am getting a syntax error from the hsts setting in the default-ssl config file in the /etc/apache2/sites-available folder. This is a setting for Owncloud. I am a novice in this field. OC manual suggests
Code: |
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName MyServer.com:443
Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
...
|
When Apache is started, it throws this error:
Quote: |
root@Raspberrypi-3:/etc/apache2/sites-available# service apache2 restart
[Tue Jul 21 17:07:03 2015]
...
Syntax error on line 6 of /etc/apache2/sites-enabled/default-ssl:
Invalid command 'Strict-Transport-Security', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
failed!
|
The OC manual suggests the following:
Code: |
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
|
But this isn't working either.
What is the correct syntax? Thank you. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Wed 22 Jul '15 17:18 Post subject: |
|
|
Yepp that command does exist, while header does
Code: |
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName MyServer.com:443
Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains; preload"
...
|
However, you may add that header in the global context (httpd.conf or apache2.conf) instead of the default ssl vhost
Code: |
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains; preload"
</IfModule>
|
|
|
athena
Joined: 22 Jul 2015 Posts: 5 Location: USA, Princeton
|
Posted: Wed 22 Jul '15 17:46 Post subject: |
|
|
Hello James,
Great. It worked. Thank you. |
|
athena
Joined: 22 Jul 2015 Posts: 5 Location: USA, Princeton
|
Posted: Wed 22 Jul '15 18:43 Post subject: |
|
|
Hello James,
I believe your suggestion corrected the error message, but the website is still reporting that the STS is not set:
Quote: |
Security & setup warnings
The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
|
Is it possible that in my system (Raspbian) the "mod_headers extension" is not installed (<IfModule mod_headers.c> may not be true, in which case the STS command will not be accessed)? If so, how can I install it? Step-by-step instructions will be desirable. |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Thu 23 Jul '15 0:09 Post subject: |
|
|
Use max-age=15768000 (or 31536000) and test again. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Thu 23 Jul '15 11:45 Post subject: |
|
|
You can enable mod_headers with
Code: |
sudo a2enmod headers
|
and restart apache |
|
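A check for the points raised in the replies above, as an added example that is not part of any poster's message: it pulls the Strict-Transport-Security value out of a set of response headers and compares max-age with the 15768000-second minimum named in the ownCloud warning. The function names, the sample response and the host placeholder in the comment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify the HSTS header a server sends.
MIN_MAX_AGE=15768000   # minimum named in the ownCloud warning quoted above

# Constructed sample response headers, using the max-age from the vhost reply.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
strict-transport-security: max-age=15553000; includeSubDomains; preload
Content-Type: text/html'

# Extract the header value from raw response headers (name is case-insensitive).
hsts_from_response() {
    printf '%s\n' "$1" | tr -d '\r' |
        grep -i '^strict-transport-security:' | head -n 1 |
        cut -d: -f2- | sed 's/^ *//'
}

# Print the max-age digits from an HSTS value; prints nothing if absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t"\r' | tr 'A-Z' 'a-z' |
        sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Classify an HSTS value as "missing", "too-short" or "ok".
hsts_verdict() {
    local age
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        echo "missing"      # header absent, e.g. mod_headers not enabled
    elif [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo "too-short"    # header sent, but below the required minimum
    else
        echo "ok"
    fi
}

# Against a live server (placeholder host), feed in the real headers:
#   hsts_verdict "$(hsts_from_response "$(curl -sI https://your-server.example/)")"
echo "sample response: $(hsts_verdict "$(hsts_from_response "$SAMPLE_RESPONSE")")"
```

A "missing" result points at the header not being emitted at all, while "too-short" means the header is served but with a max-age under the minimum.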