How to Strict-Transport-Security for Proxy Implementations

Caddy server is acting as a central proxy for multiple backends, for example; {
proxy / { transparent insecure_skip_verify }

The above directive points to an Apache backend serving the Nextcloud platform, which is properly configured so that all security checks pass, including the HSTS Strict-Transport-Security “max-age=31536000;”, when accessed directly (i.e. Apache).

When accessing through Caddy, the security check shows the HSTS warning.
Please give a hint on including header values within the proxy directive, as the documents below are still confusing about what to do.

Caddy doesn’t remove any server headers by default, and therefore, if the headers are set with Apache, they should be there with Caddy.

Does only the check fail or are the server headers actually not there?

Does Nextcloud know it is being accessed via a proxy?

Thanks for the help.
Some proxy configurations have been adjusted for Nextcloud as per
and now all security checks pass when accessing through Caddy.

You need line breaks between { transparent insecure_skip_verify }… I’m kinda surprised it even started without errors. :confused: Have you seen examples/nextcloud at master · caddyserver/examples · GitHub - it might be of help!

It just works! :slight_smile: without line breaks

Yes, I checked out Caddy configurations for Nextcloud and others, but I stick to Apache due to the following:

  1. Caddy systemd for Ubuntu 16.04 is driving me crazy.
  2. Caddy is on a separate central machine playing maestro :slight_smile:
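
Added example, not part of the original thread: one way to answer the question raised above (is the header actually missing behind the proxy, or does only the check fail?) is to parse the response head seen directly and through the proxy and evaluate the Strict-Transport-Security field under RFC 6797 rules. The function names and sample responses are constructed for illustration, and the 15552000-second minimum is an assumption about the threshold the Nextcloud check applies.

```python
import re

NEXTCLOUD_MIN_MAX_AGE = 15552000  # assumption: minimum the Nextcloud check expects

def parse_headers(raw):
    """Split a raw response head into (name, value) pairs, names lower-cased."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_hsts(value):
    """Parse an STS field value per RFC 6797 section 6.1; None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a repeated directive invalidates the header
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be digits
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def hsts_status(raw, minimum=NEXTCLOUD_MIN_MAX_AGE):
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    if not values:
        return "missing"
    policy = parse_hsts(values[0])  # user agents process only the first STS field
    if policy is None:
        return "invalid"
    return "ok" if policy["max_age"] >= minimum else "too-short"

# Constructed sample responses (not captured from the thread's servers).
DIRECT = "HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=31536000;\r\n\r\n"
PROXIED_STRIPPED = "HTTP/1.1 200 OK\r\nServer: Caddy\r\nContent-Type: text/html\r\n\r\n"
PROXIED_OK = "HTTP/1.1 200 OK\r\nServer: Caddy\r\nstrict-transport-security: max-age=\"31536000\"; includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("direct", DIRECT), ("proxied, header absent", PROXIED_STRIPPED),
                       ("proxied, header present", PROXIED_OK)]:
        print(f"{label}: {hsts_status(raw)}")
```

A "missing" result for the proxied response means the header really is being lost on the way, while "ok" on both paths points at the check itself, for example the application not knowing it sits behind a proxy.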