
EdgarWallace

  1. That is done. /mnt/user/system/docker/appdata/onlyoffice/DocumentServer/data exists (however, it is empty), but I created the /mnt/user/system/docker/appdata/onlyoffice/DocumentServer/data/certs folder, which contains:

       -rwxr-xr-x 1 110 114  424 Dec 9 12:04 dhparam.pem*
       -rwxr-xr-x 1 110 114 1298 Dec 9 12:03 onlyoffice.crt*
       -rwxr-xr-x 1 110 114 1078 Dec 9 12:02 onlyoffice.csr*
       -rwxr-xr-x 1 110 114 1679 Dec 9 12:01 onlyoffice.key*

     I changed the template to https://[IP]:[PORT:4432], which is now successfully showing the Welcome Screen. Other than that, no success. I will wait patiently 🙂 Thank you very much!!
  2. That doesn't work and I can't see any log messages. I have attached the settings of my container.
       • http://192.168.178.28:8082/ is providing the welcome screen and the message that onlyoffice is running
       • https://192.168.178.28:4432/ is providing an error message - website not accessible
       • http://server.com:8082/ is providing an error message - website not accessible
       • https://server.com:4432/ is providing an error message - website not accessible
  3. Sorry, in Nextcloud setting under onlyoffice you can try the demo server. I have installed Nextcloud and Let's Encrypt docker containers. Is there anything required regarding these settings?
  4. Thanks a lot @Jidovu Marius Adrian for this docker. I was looking for a way to edit documents on my iPad without using MS Office/Word etc. Your guide is excellent and I was successful installing the docker. Opening documents by using the demo server is working well. My only remaining issue is accessing my own server rather than the demo server.
       • Creating the onlyoffice network was successful.
       • http://192.168.178.28:8082/welcome/ is showing: Document Server is running

           -rw-rw-rw- 1 root root  424 Dec 9 12:04 dhparam.pem
           -rw-rw-rw- 1 root root 1298 Dec 9 12:03 onlyoffice.crt
           -rw-rw-rw- 1 root root 1078 Dec 9 12:02 onlyoffice.csr
           -r-------- 1 root root 1679 Dec 9 12:01 onlyoffice.key

       • https://192.168.178.28:4432/ isn't showing anything - just an error message
     There is only one error in the log: ==> /var/log/onlyoffice/documentserver/nginx.error.log <== but when I enter the container, the file is empty. Where should I look next? Thanks a lot.
  5. Thanks @saarg. Modifying default under /mnt/user/system/docker/appdata/letsencrypt/nginx/site-confs is having an effect:
       • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
     However, I guess you are correct that the issues are generated by Nextcloud (this time in English):
       • The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
       • The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
       • The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
       • The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
       • The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
       • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
       • The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.
     Strangely enough, my default is an exact copy of the Nginx configuration manual from Nextcloud... that was the reason that I was asked to raise the question here.
  6. I used the guide here to update my Nextcloud Docker: PSA: Nextcloud & CVE-2019-11043. Since then I am getting only an A security grade and some warnings:
       • Der „X-Content-Type-Options“-HTTP-Header ist nicht so konfiguriert, dass er „nosniff“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Robots-Tag“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Download-Options“-HTTP-Header ist nicht so konfiguriert, dass er „noopen“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Permitted-Cross-Domain-Policies“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der "Referrer-Policy" HTTP-Header ist nicht gesetzt auf "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" oder "same-origin". Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung
     It seems that the "default" file for Nextcloud is OK, as no one in the Nextcloud forum identified any issues with my file. @saarg gave me the advice to check here whether the "default" file of the Letsencrypt container could generate these warnings. All three "default" files are attached below.
       • default.original is the file that I was using initially and that caused no warnings
       • default.regenerated is the file that was generated after having done the updates mentioned above
       • default.letsencrypt is self-explanatory...
     Thanks a lot for your help.
     default.letsencrypt default.original default.regenerated
  7. Well, @bastl, there is a section in /mnt/user/system/docker/appdata/letsencrypt/nginx/site-confs/default:

       ###Extra Settings###
       ssl_prefer_server_ciphers on;
       ssl_session_cache shared:SSL:10m;

       ### Add HTTP Strict Transport Security ###
       add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
       add_header Front-End-Https on;
       add_header X-Content-Type-Options nosniff;
       add_header X-XSS-Protection "1; mode=block";
       add_header X-Robots-Tag none;
       add_header X-Download-Options noopen;
       add_header X-Permitted-Cross-Domain-Policies none;
       add_header Referrer-Policy no-referrer always;

     However, all the settings are according to the requirements.
  8. Yes - restarted after every change. Meanwhile I used the original configuration from the Nextcloud admin guide and adjusted server_name, root, ssl_certificate and ssl_certificate_key.....without any luck. Server is still giving warnings. Anyhow, I am going to use my "old" default file. Thanks a lot @bastl default
  9. Sure @bastl, it is basically what I posted above but please see below... The initial file is the "default" from a few posts above. default.regenerated
  10. Thanks @bastl, however that was not the necessary fix. I checked the admin manual 1000000 times (https://docs.nextcloud.com/server/16/admin_manual/installation/nginx.html) and still have no clue where the issue is sitting. @andreidelait, sure, I am running 16.0.5, which is being provided by using the update channel "stable".
  11. @saarg, I followed the guide that you posted, so thanks a lot. After "default" was regenerated I discovered some security warnings (sorry for the German log but I do think that you know these messages :-)):
       • Der „X-Content-Type-Options“-HTTP-Header ist nicht so konfiguriert, dass er „nosniff“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Robots-Tag“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Download-Options“-HTTP-Header ist nicht so konfiguriert, dass er „noopen“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der „X-Permitted-Cross-Domain-Policies“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
       • Der "Referrer-Policy" HTTP-Header ist nicht gesetzt auf "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" oder "same-origin". Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung.
     I don't get an A+ grade and no security warnings by using my "default" file. Have I done anything wrong and what's your advice moving forward? Thanks a lot.
     default default.regenerated
  12. Thanks @knex666. I was hoping that there was anything I overlooked so far. I am going to assign a second mariaDB docker to openHAB and will use br0 with a separate IP address.
  13. I received the "Urgent security issue in NGINX/php-fpm" recently. My setup has been running rock solid for years now (I used this guide: https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/).
       1.) It seems that the php package needs to be updated and I am confident that this will happen via Docker update.
       2.) Secondly, two changes are needed in the nginx config:
           a.) the removal of $request_uri
           b.) the addition of the $try_files $fastcgi_script_name =404;
     2b.) is done but I wasn't able to find 2a.), so it seems that I am safe. Any further suggestions? Thanks a lot.
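
The expected values named in the warnings quoted in posts 5, 6 and 11 can be checked offline against a captured set of response headers. The following is an added example, not part of the original posts and not Nextcloud's own check; the function names and the sample headers are constructed, and counting a header that is sent twice as a failure is an assumption of this example.

```python
import re

EXACT = {  # expected values, taken from the warnings quoted in the posts above
    "x-content-type-options": "nosniff",
    "x-robots-tag": "none",
    "x-frame-options": "sameorigin",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}
REFERRER_OK = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
               "strict-origin-when-cross-origin", "same-origin"}
HSTS_MIN = 15552000  # seconds, from the Strict-Transport-Security warning

def parse_headers(raw):
    """Return {lowercased name: [values]}, keeping every repeated header line."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line and blank lines carry no "name: value" pair
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return the sorted header names that do not match the quoted expectations."""
    h = parse_headers(raw)
    failed = []
    for name, want in EXACT.items():
        # Assumption of this example: a header sent twice counts as a failure.
        if [v.lower() for v in h.get(name, [])] != [want]:
            failed.append(name)
    if not any(v.lower() in REFERRER_OK for v in h.get("referrer-policy", [])):
        failed.append("referrer-policy")
    ages = [int(m.group(1)) for v in h.get("strict-transport-security", [])
            if (m := re.search(r"max-age=(\d+)", v, re.I))]
    if not ages or max(ages) < HSTS_MIN:
        failed.append("strict-transport-security")
    return sorted(failed)

# Constructed sample: response header lines as printed by `curl -sI https://<host>/`.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
Referrer-Policy: no-referrer
"""
print("would still warn:", audit(SAMPLE))
```

Running the same check on the headers returned by the proxy and on those returned by the Nextcloud container directly shows which layer is missing or repeating a header.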