HTTPS Issues - Help Wanted

help

#1

Here are a couple of errors I am getting:

The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.

I am using:
Version ownCloud 8.2.9 (stable)

I am also getting an error trying to delete a user. "Unable to delete user."

Is there anyone that can get these issues resolved? I am willing to pay to get this running properly.


#2

Hi,
Sorry for my English.

If you need help I can send you an instruction. With a script that fixes the problems. Send me your mail adress.

Cheers
Gallifrey


#3

Still no messages from anyone that can help? Offering a paid gig here! Send me a quote.


#4

These are warnings or recommendations no real errors. Next to this messages there is normally a link to the documentation how you can set this up on your webserver. Did you try this? Which webserver are you using? What did you change?

You are not the first one with such a question, you could use the forum search to get these topics (perhaps they help and are suited for your situation):



#5

Thanks for your reply tflidd....I have no doubt that with enough research I would be able to resolve the issue. I just figured there were some OwnCloud experts here that wanted to make a little money getting these issues resolved for me. I just did not want to spend the time doing this.

But thanks again for your advice!


#6

Is this your own server? If yes and it is available from the internet, you should probably acquire some more knowledge. And if you don't have the time and motivation, it's perhaps better to use owncloud-providers that do this job for you: https://owncloud.org/providers/

On webhosting environments, it is possible that you can't modify these parameters, that they do not offer your memcache, special SSL settings, ... and if they do, you perhaps need to use a special interface of your provider.


#7

@tflidd is right, if you're going to run a server you need to take responsibility for it. It's up to you to put a little effort into knowing what you're doing before you get pwnd and start spamming us!

To point you in the right direction, HSTS is something your web server needs to be configured for, not ownCloud. The following link provides examples for most web servers:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Getting HSTS working is a simple addition to a conf file. You're not making it easy for us to help you, though. You've provided no indication of what web server you're using or even what OS. Then you didn't answer @tflidd when he asked! I'm not surprised you had very little response to your question.


#8

@DarkSteve is right that it would be useful that you enter some basic details about your configuration.

If we assume you are using apache2 (that's the one I use on my raspberry π's raspbian distribution), then you should edit your config file, usually with:

sudo vim /etc/apache2/sites-available/default-ssl.conf

and enter

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

as stated in the documentation. Additionally, you need to enable the header module:

sudo a2enmod headers

such that you should get

Enabling module headers.
To activate the new configuration, you need to run:
service apache2 restart

Then restart your web server:

sudo service apache2 restart

The warning (not an error) should disappear.


#9

And just to pile on, if we assume you're using Apache 2.4 on FreeBSD (that's the one I use), then you should edit your config file, usually with:

edit /usr/local/etc/apache24/extra/httpd-ssl.conf

And somewhere within the:

<VirtualHost _default_:443>

</VirtualHost>

section, you need to add the line:

Header always set Strict-Transport-Security "max-age=15768000"

And then restart or reload the server with:

/usr/local/etc/rc.d/apache24 restart

or

/usr/local/etc/rc.d/apache24 reload

You see, @SurfYourName, it makes a massive difference what platform you're using! @meduz and I are using the same server software doing the same thing, but there's a massive difference in how we manage it!