Re: Receiving 2 strict-transport-security headers with different times

NitrouZ
February 07, 2015 11:44PM
Hi,

Glad to help.

Cheers.

On Sunday, February 8, 2015, deltaxfx <nginx-forum@nginx.us> wrote:

> dewanggaba, your hint was correct. Even though I am using the NGINX config
> supplied by ownCloud, there was still a setting in the admin panel to force
> HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS
> (in PHP) is set to off (and just forced through the server config), ownCloud
> sends an HSTS header for max-age=0!
> This is ownCloud 7.0.4 (stable).
> Here is the relevant code in case it helps anyone who might be searching for
> the same thing in the future:
>
>
> public static function checkSSL() {
>     // redirect to https site if configured
>     if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
>         // Default HSTS policy
>         $header = 'Strict-Transport-Security: max-age=31536000';
>         // If SSL for subdomains is enabled add "; includeSubDomains" to the header
>         if (\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {
>             $header .= '; includeSubDomains';
>         }
>         header($header);
>         ini_set('session.cookie_secure', 'on');
>         if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
>             $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
>             header("Location: $url");
>             exit();
>         }
>     } else {
>         // Invalidate HSTS headers
>         if (OC_Request::serverProtocol() === 'https') {
>             header('Strict-Transport-Security: max-age=0');
>         }
>     }
> }
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256508,256513#msg-256513
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>


--
Sent from iDewangga Device
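
An added example, not part of the thread and not ownCloud or nginx code: a check for the situation deltaxfx describes, where one response carries two Strict-Transport-Security headers with different max-age values. RFC 6797 section 8.1 has the browser process only the first such header, so the result depends on header order; the function names and the sample header lists are constructed for illustration.

```python
def parse_hsts(value):
    """Parse one Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_hsts(headers):
    """headers: list of (name, value) pairs in the order the server sent them.

    Returns (effective_policy, findings); effective_policy is None without HSTS.
    """
    policies = [parse_hsts(v) for n, v in headers
                if n.strip().lower() == "strict-transport-security"]
    if not policies:
        return None, ["no HSTS header"]
    findings = []
    effective = policies[0]  # RFC 6797 8.1: only the first header is processed
    if len(policies) > 1:
        findings.append("duplicate HSTS headers: %d" % len(policies))
        if len(set(policies)) > 1:
            findings.append("conflicting policies")
    if effective[0] is None:
        findings.append("effective header has no valid max-age")
    elif effective[0] == 0:
        findings.append("effective max-age=0 removes the HSTS policy")
    if any(p[0] == 0 for p in policies[1:]):
        findings.append("a later header carries max-age=0")
    return effective, findings


# Constructed responses: one HSTS value set by the application, one by the web server.
APP_FIRST = [("Content-Type", "text/html"),
             ("Strict-Transport-Security", "max-age=0"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
SERVER_FIRST = [APP_FIRST[0], APP_FIRST[2], APP_FIRST[1]]

if __name__ == "__main__":
    for label, hdrs in (("app first", APP_FIRST), ("server first", SERVER_FIRST)):
        print(label, audit_hsts(hdrs))
```
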