Nextcloud Server Snap needs to have best practice security updates

Installing the stable nextcloud snap, which is pinned atm to 13.0.7, does not include all the security recommendations given by nextcloud.

Because it is part of the snap’s loopback filesystem there is no real way to change it after the fact.

Best practice security changes need to either be included in the snap or be an editable variable using existing nextcloud snap configuration programs.

Hi! In the documentation of the snap you can read the instructions to enable HTTPS: https://github.com/nextcloud/nextcloud-snap/wiki/Enabling-HTTPS-(SSL,-TLS)


Sadly that still does not edit the necessary config files to enable best practices.

I believe what it is asking for is described here. This can only be done in the requisite apache config or nginx config, neither of which seems accessible from the snap commands (the nextcloud.* scripts).

Which option did you use? $ sudo nextcloud.enable-https self-signed?
Then I would say it’s normal to see that message.

I’ve been using the snap for almost a year with a domain I bought and using the $ sudo nextcloud.enable-https lets-encrypt, and I see no warnings at all.

Yes… A self-signed cert is made fine, but, as I said, the requisite rule in the config is not.

# Enable HSTS only if requested
<IfDefine EnableHSTS>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
</IfDefine>

I assume this is just because the developer chose that as the default. But it is not best practice, hence the title of the post. They should be following the recommendations of the Nextcloud security advisories.
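As an added check (not part of the snap or of this thread), a small Python script that parses the Strict-Transport-Security header an instance actually returns and compares it with the policy in the rule quoted above; the HTTP response block used as input is constructed.

```python
"""Verify a Strict-Transport-Security header against the policy in the
snap's Apache rule: max-age=63072000; includeSubdomains.
Added example; header values below are constructed, not captured."""
from typing import Dict, Optional, Tuple

# Two years in seconds, the value the quoted Apache rule sets.
RECOMMENDED_MAX_AGE = 63072000


def parse_hsts(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Split an HSTS value into directives keyed by lower-cased name.
    Valueless directives (includeSubDomains) map to None; absent header -> {}."""
    if not header:
        return {}
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for the header a server sent."""
    d = parse_hsts(header)
    if not d:
        return False, "no Strict-Transport-Security header (what the snap sends without EnableHSTS)"
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "max-age missing or not an integer"
    if int(max_age) == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if int(max_age) < RECOMMENDED_MAX_AGE:
        return False, f"max-age {max_age} is below the recommended {RECOMMENDED_MAX_AGE}"
    if "includesubdomains" not in d:
        return False, "includeSubDomains missing"
    return True, "matches the recommended policy"


def hsts_from_response_headers(raw: str) -> Optional[str]:
    """Pull the HSTS value out of a raw response header block (e.g. curl -I output)."""
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample of what the snap sends once EnableHSTS is defined.
    sample = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubdomains\r\n"
    print(check_hsts(hsts_from_response_headers(sample)))
```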

This is explicitly because you are using a self-signed certificate. Use letsencrypt and HSTS will be applied correctly.

HSTS and self-signed certs are not compatible; the snap won’t put you in that terrible situation. In the future, you’ll probably have more luck asking Nextcloud-snap-specific questions in the Nextcloud snap repo: