NextCloud bulletproof
To increase the security of the NextCloud instance, we work on some points of the test website internet.nl and thus ensure a smooth and secured operation of our cloud.
What do we want to achieve?
A cloud that is as secure as possible on the Internet to keep our data safe and private.
This requires several steps.
This section takes care of the part HTST and Key Exchange parameters and thus an essential part of the security.
After optimizing all parts we have a cloud with 100% rating of the test platform internet.nl.
HTST and Key Exchange Parameter
The open source project NextCloud is a very popular and widespread productivity platform.
Very versatile and widely extensible and with a large community.
We also use NextCloud for our communication and collaboration.
To further increase the security of the self-hosted installation, the following additions can be made to the Apache2 configuration:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off
For this purpose, the following setting should be changed: change max-age to the value 31536000.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
With these two changes, the HTST and Key Exchange parameters are done. We continue with the DNSSEC and Dane options.