How to Strict-Transport-Security for Proxy Implementations

Caddy server is acting as a central proxy for multiple backends, for example:

https://docs.domain.com {
    tls admin@domain.com
    proxy / https://192.168.1.200 {
        transparent
        insecure_skip_verify
    }
}

The above directive points to an Apache backend serving the Nextcloud platform, which is properly configured so that all security checks pass, including the HSTS header Strict-Transport-Security “max-age=31536000;”, when accessed directly (i.e. via Apache).

When accessing through Caddy, the security checks show the HSTS warning.
Please give a hint on including header values within the proxy directive, as the document below is still confusing about what to do.
https://caddyserver.com/docs/header

Caddy doesn’t by default remove any server headers and therefore, if the headers are set with apache they should be there with caddy.

Does only the check fail or are the server headers actually not there?

Does Nextcloud know it is being accessed via a proxy?
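The first question above (is the header really missing, or does only Nextcloud's check fail?) is quickest to answer by reading the raw Strict-Transport-Security header on the direct path and on the proxied path. The script below is an added example, not part of this thread; the two URLs are placeholders, and `verify_tls=False` is only meant for the backend reached by IP with a non-matching certificate, mirroring `insecure_skip_verify`.

```python
"""Compare the HSTS header seen directly vs. through the proxy (added example)."""
import ssl
import urllib.request
from urllib.error import HTTPError
from typing import Dict, Optional


def parse_hsts(value: Optional[str]) -> Dict[str, object]:
    """Parse an HSTS header value (RFC 6797 syntax) into its directives.

    Returns {} when the header is absent; directive names are case-insensitive.
    """
    if value is None:
        return {}
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed max-age: treat as unset
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_acceptable(value: Optional[str], min_age: int = 15552000) -> bool:
    """True if a max-age is present and at least min_age seconds.

    15552000 s (180 days) is the minimum Nextcloud's setup check accepts.
    """
    parsed = parse_hsts(value)
    return bool(parsed) and parsed["max_age"] is not None and parsed["max_age"] >= min_age


def fetch_hsts(url: str, verify_tls: bool = True) -> Optional[str]:
    """HEAD the URL and return the raw Strict-Transport-Security value, or None."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # backend by IP with a self-signed cert, like insecure_skip_verify
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), context=ctx) as r:
            return r.headers.get("Strict-Transport-Security")
    except HTTPError as e:  # a 4xx/5xx still carries response headers
        return e.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    for label, url, verify in (("direct (apache)", "https://192.168.1.200/", False),
                               ("via caddy", "https://docs.domain.com/", True)):
        raw = fetch_hsts(url, verify)
        print(f"{label}: {raw!r} -> {'OK' if hsts_acceptable(raw) else 'MISSING/WEAK'}")
```

If both paths return the same acceptable header, the header is fine and the failing check comes from Nextcloud not recognising the proxied request (the second question above); if the proxied path returns None, the header is being lost between Caddy and the client.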

@stp
Thanks for help
Some proxy configurations have been adjusted for Nextcloud as per https://docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html#proxy-configurations
and now all security checks pass when accessing through Caddy.

You need line breaks between { transparent insecure_skip_verify }… I’m kinda surprised it even started without errors. :confused: Have you seen examples/nextcloud at master · caddyserver/examples · GitHub - it might be of help!

@matt
It just works! :slight_smile: without line breaks

Yes, I checked out the Caddy configurations for Nextcloud and others, but I stick with Apache for the following reasons:

  1. Caddy systemd for ubuntu 16.04 is driving me crazy.
  2. Caddy is on a separate central machine playing maestro :slight_smile: