Hi,

Glad to help.

Cheers.

On Sunday, February 8, 2015, deltaxfx <[email protected]> wrote:

> dewanggaba, your hint was correct. Even though I am using the NGINX config
> supplied by ownCloud, there was still a setting in the admin panel to force
> HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS
> (in PHP) is set to off (and just forced through the server config), ownCloud
> sends an HSTS header for max-age=0!
> This is ownCloud 7.0.4 (stable).
> Here is the relevant code in case it helps anyone who might be searching for
> the same thing in the future:
>
> public static function checkSSL() {
>     // redirect to https site if configured
>     if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
>         // Default HSTS policy
>         $header = 'Strict-Transport-Security: max-age=31536000';
>         // If SSL for subdomains is enabled add "; includeSubDomains" to the header
>         if(\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {
>             $header .= '; includeSubDomains';
>         }
>         header($header);
>         ini_set('session.cookie_secure', 'on');
>         if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
>             $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
>             header("Location: $url");
>             exit();
>         }
>     } else {
>         // Invalidate HSTS headers
>         if (OC_Request::serverProtocol() === 'https') {
>             header('Strict-Transport-Security: max-age=0');
>         }
>     }
> }
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256508,256513#msg-256513
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx

--
Sent from iDewangga Device
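Added example (not part of the original thread and not ownCloud or nginx code): a small Python check for the conflict described above, where the application emits `Strict-Transport-Security: max-age=0` alongside a server-configured policy. The function names and the sample response, including the order of its headers, are constructed for illustration; the "first header wins" rule is from RFC 6797 section 8.1.

```python
def parse_sts(value):
    """Parse one Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no valid max-age directive is present.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_hsts(header_lines):
    """Return (effective_policy, findings) for the raw header lines of one HTTPS response."""
    values = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    if not values:
        return None, ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("%d STS headers sent; a browser processes only the first" % len(values))
    effective = parse_sts(values[0])
    if effective is None:
        findings.append("first STS header has no valid max-age and is ignored")
    elif effective[0] == 0:
        findings.append("max-age=0 tells the browser to drop its HSTS entry for this host")
    return effective, findings


# Constructed sample: the application's else-branch header plus a server-added policy.
SAMPLE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Strict-Transport-Security: max-age=0",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
]

if __name__ == "__main__":
    policy, notes = audit_hsts(SAMPLE)
    print(policy, notes)
```

If the application's header is the unwanted one, nginx's `fastcgi_hide_header` (or `proxy_hide_header` for proxied backends) can drop it so that only the policy set in the server config is sent.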
