OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs

Started by Wuensch-AG-Adm, August 14, 2024, 08:01:08 PM

Dear community,

I've set up a web application firewall with OPNWAF (Business) and ACME Letsencrypt. It works well, but I cannot obtain the A+ on SSL Labs because there's an invalid HSTS policy.
I don't want to deploy the certificates on every Nextcloud, and we are using the ACME Client service on the OPNsense firewall with a wildcard. Is there a possibility to set up Nextcloud and OPNWAF acting as reverse proxy to solve this problem? I would like SSL Labs to check the HSTS from the OPNWAF and not from the Nextcloud, to keep the easy aspect of the self-signed on every system.
Is there any other possibility with OPNsense?
I've no clue anymore.

Thanks in advance for your help.

Regards,

Joel T.

The HSTS and other security headers are a contract between the web application itself and the browser accessing it.

Manipulating these headers with a reverse proxy should be avoided whenever possible.

The webserver that serves the Nextcloud has to add these headers. These headers should pass the reverse proxy unaltered.
Hardware:
DEC740
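The check a defender would run against the point made in this reply, as an added example that is not from the thread or from OPNsense/Nextcloud: parse the Strict-Transport-Security value the Nextcloud web server emits (RFC 6797 directive syntax) and confirm the value seen through the reverse proxy is unaltered. The header values are constructed, and the 15552000-second minimum is the threshold Nextcloud's own admin check warns about; the threshold SSL Labs applies for A+ may differ, so check its current rating guide.

```python
import re
from dataclasses import dataclass, field

# Nextcloud's admin check warns when max-age is below this (seconds); SSL Labs threshold may differ.
NEXTCLOUD_MIN_MAX_AGE = 15552000

@dataclass
class HstsReport:
    directives: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems

def parse_hsts(value: str) -> HstsReport:
    """Parse a Strict-Transport-Security value (RFC 6797 s.6.1) and flag policy defects."""
    report = HstsReport()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in report.directives:  # RFC 6797: each directive may appear at most once
            report.problems.append(f"duplicate directive: {name}")
        report.directives[name] = val
    max_age = report.directives.get("max-age")
    if max_age is None:
        report.problems.append("max-age directive missing")
    elif not re.fullmatch(r"[0-9]+", max_age):
        report.problems.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) < NEXTCLOUD_MIN_MAX_AGE:
        report.problems.append(f"max-age {max_age} below Nextcloud minimum {NEXTCLOUD_MIN_MAX_AGE}")
    return report

def _sts(headers: dict):
    return {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")

def proxy_preserves_hsts(backend_headers: dict, proxy_headers: dict) -> bool:
    """True when the client sees exactly the STS header the Nextcloud web server sent."""
    return _sts(backend_headers) is not None and _sts(backend_headers) == _sts(proxy_headers)

# Constructed sample headers (hypothetical, not captured from the poster's systems).
BACKEND_HEADERS = {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}
PROXY_HEADERS_OK = {"strict-transport-security": "max-age=15552000; includeSubDomains"}
PROXY_HEADERS_REWRITTEN = {"Strict-Transport-Security": "max-age=0"}  # proxy overwrote it

if __name__ == "__main__":
    print(parse_hsts("max-age=300").problems, proxy_preserves_hsts(BACKEND_HEADERS, PROXY_HEADERS_REWRITTEN))
```

Feed `parse_hsts` the header value from the backend and `proxy_preserves_hsts` the header sets captured directly from Nextcloud and through OPNWAF; a difference means the proxy, not the application, is now setting the policy.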

I understand this point. Is there a possibility to distribute / deploy the wildcard Letsencrypt certificate from the OPNsense to the various systems in the DMZ, to simplify the process and not have every system requesting a renewal every time?

Thank you ahead.

Regards,

Joel T.