[Support] Linuxserver.io - Nextcloud



10 hours ago, Tolete said:

post your "# HTTP response headers borrowed from Nextcloud `.htaccess`" section from your default.conf file.

This: 

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"       always;
    add_header X-Content-Type-Options               "nosniff"           always;
    add_header X-Download-Options                   "noopen"            always;
    add_header X-Frame-Options                      "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies    "none"              always;
    add_header X-Robots-Tag                         "none"              always;
    add_header X-XSS-Protection                     "1; mode=block"     always;

It looks like an update was pushed out by Linuxserver mere hours ago that updates this file again; I wonder what the changes were this time.

EDIT: changes pushed out hours ago turned the Robots tag stuff back to be correct for NC 26, it appears: https://github.com/linuxserver/docker-nextcloud/commit/c1568bac547f6f660849487ed7e443520417a1b7

Edited by blaine07
Link to comment
9 hours ago, Masterwishx said:

@Tolete @blaine07 are you using a copy of default.conf.sample in your default.conf?

Because I have some old version not equal to default.conf.sample, I can just copy it to default.conf?

[attached image]

 

 

FYI, this is not related to any NC version updates; this is just for 'server hardening'. These are extra security 'headers' you can add. The scan points out where you can improve. So just add these two missing security headers for the A+.

 

double check/add to your default.conf file

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"               always;
    add_header X-Content-Type-Options               "nosniff"                   always;
    add_header X-Download-Options                   "noopen"                    always;
    add_header X-Frame-Options                      "SAMEORIGIN"                always;
    add_header X-Permitted-Cross-Domain-Policies    "none"                      always;
    add_header X-Robots-Tag                         "noindex, nofollow"         always;
    add_header X-XSS-Protection                     "1; mode=block"             always;

Save.

 

double check/add to your .htaccess file

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "noindex, nofollow"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

Save.

 

I use Cloudflare, so you will need to add it on there also.
So: Cloudflare > YOURDOMAIN > Rules > Transform Rules > Modify Response Header

[screenshot: Cloudflare transform rule]

Save.

restart container, then rescan.

Edited by Tolete
  • Like 1
Link to comment
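A local check for the "restart container, then rescan" step in the post above, added here as an example and not part of any post in this thread: it parses a raw response-header dump (such as the output of `curl -sI`), compares it with the header values from the default.conf snippet, and flags headers that are missing, carry a different value, or arrive more than once because they are set in more than one place. The sample responses and the function names are constructed for illustration.

```python
# Expected values, copied from the default.conf snippet in the post above.
EXPECTED = {
    "referrer-policy": "no-referrer",
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-frame-options": "SAMEORIGIN",
    "x-permitted-cross-domain-policies": "none",
    "x-robots-tag": "noindex, nofollow",
    "x-xss-protection": "1; mode=block",
}

# Constructed sample: one header missing, one sent twice, one with an old value.
SAMPLE_BAD = (
    "HTTP/1.1 200 OK\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-Robots-Tag: none\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)
# Constructed sample: an error page that carries none of the headers.
SAMPLE_404 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"


def parse_headers(raw):
    """Return {lowercased name: [values]}, keeping repeated headers separate."""
    seen = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            seen.setdefault(name.strip().lower(), []).append(value.strip())
    return seen


def audit(raw):
    """Return sorted (header, problem) tuples; an empty list means all match."""
    seen = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:
            findings.append((name, "sent %d times" % len(values)))
        for got in sorted(set(values)):
            if got.lower() != want.lower():
                findings.append((name, "unexpected value %r" % got))
    return sorted(findings)


if __name__ == "__main__":
    for header, problem in audit(SAMPLE_BAD):
        print("%-36s %s" % (header, problem))
```

Feed it the headers of an error page (a 404, for instance) as well as a normal page: nginx attaches `add_header` values to error responses only when `always` is present.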
4 hours ago, Tolete said:

Save.

restart container, then rescan.

 

Thanks, I think I have the same headers but without 'always'; also using Cloudflare, so will add headers to it.

Do you have the same picture twice?

I wanted to know if I can use default.conf.sample instead of my default.conf and will have no problems....

Link to comment
3 hours ago, Masterwishx said:

 

Thanks, I think I have the same headers but without 'always'; also using Cloudflare, so will add headers to it.

Do you have the same picture twice?

I wanted to know if I can use default.conf.sample instead of my default.conf and will have no problems....

I did. The default might break something, and all you need is the optional security headers. I would just update, add to CF, restart and rescan; you should be golden. lmk

Edited by Tolete
  • Thanks 1
Link to comment
9 hours ago, Tolete said:

 

 

FYI, this is not related to any NC version updates; this is just for 'server hardening'. These are extra security 'headers' you can add. The scan points out where you can improve. So just add these two missing security headers for the A+.

 

double check/add to your default.conf file

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"               always;
    add_header X-Content-Type-Options               "nosniff"                   always;
    add_header X-Download-Options                   "noopen"                    always;
    add_header X-Frame-Options                      "SAMEORIGIN"                always;
    add_header X-Permitted-Cross-Domain-Policies    "none"                      always;
    add_header X-Robots-Tag                         "noindex, nofollow"         always;
    add_header X-XSS-Protection                     "1; mode=block"             always;

Save.

 

double check/add to your .htaccess file

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "noindex, nofollow"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

Save.

 

I use Cloudflare, so you will need to add it on there also.
So: Cloudflare > YOURDOMAIN > Rules > Transform Rules > Modify Response Header

[screenshot: Cloudflare transform rule]

Save.

restart container, then rescan.

What problems might this cause for other sites I have hosted through this domain with Cloudflare? Will these be breaking changes to other services I host since I can't define "per subdomain"?

Link to comment
21 minutes ago, blaine07 said:

What problems might this cause for other sites I have hosted through this domain with Cloudflare? Will these be breaking changes to other services I host since I can't define "per subdomain"?

 

Adding security headers using transform rules in Cloudflare should not cause any direct problems for other sites hosted through the same domain. However, it is important to keep in mind that the security headers will be applied to all traffic to the domain, including traffic to subdomains. This means that if any subdomains have different security policies or settings, those services may be impacted by the new security headers.

 

I haven't seen any, but do note, the Content Security Policy (CSP) and Permissions Policy headers protect your site or in this case sites against a variety of attacks, such as cross-site scripting (XSS), code injection, clickjacking, and unauthorized access to sensitive features and APIs. CSP allows you to specify which sources of content are trusted, while Permissions Policy allows you to control which features and APIs are available to your site. By using these headers, you can improve the security of your site and reduce the risk of data breaches and other security incidents.

 

you can always add/monitor/test.

 

  • Like 1
Link to comment
52 minutes ago, Tolete said:

 

Adding security headers using transform rules in Cloudflare should not cause any direct problems for other sites hosted through the same domain. However, it is important to keep in mind that the security headers will be applied to all traffic to the domain, including traffic to subdomains. This means that if any subdomains have different security policies or settings, those services may be impacted by the new security headers.

 

I haven't seen any, but do note, the Content Security Policy (CSP) and Permissions Policy headers protect your site or in this case sites against a variety of attacks, such as cross-site scripting (XSS), code injection, clickjacking, and unauthorized access to sensitive features and APIs. CSP allows you to specify which sources of content are trusted, while Permissions Policy allows you to control which features and APIs are available to your site. By using these headers, you can improve the security of your site and reduce the risk of data breaches and other security incidents.

 

you can always add/monitor/test.

 

Thank you! 

 

Still curious as to if Nextcloud themselves can get it built in/working, too, though.

Some more info - looks like it's been in the works for a long time. 

https://github.com/nextcloud/server/pull/23825

Link to comment

I'm running this container from the standard repo: lscr.io/linuxserver/nextcloud

 

Yet it's not updating. I'm still on the version I started with, 25.0.3. What am I missing here?

 

edit: WTF, that's not even a valid URL. I installed from the Apps page. 

Edited by flyize
Link to comment
6 minutes ago, flyize said:

Clearly I did not. 🤣

Yeah, it's a common thing. I'd guess perhaps 25% of the posts in this thread are asking about updates, mostly when the base container is updated to the point the app no longer runs because it's never been updated.

 

Think of containers like miniature VMs: they contain parts of the OS and support structures as well as the app itself. This specific container doesn't force update the app, just the base OS and supporting files. It's up to you to keep the app up to date. Many containers also update their main app, but NC was deemed too fragile or something; it requires a significant amount of handholding for some updates.

  • Like 1
Link to comment
On 12/9/2022 at 10:00 AM, tazire said:

Currently trying to upgrade from 25.0.1 to 25.0.2 via CLI and got the following error

 

docker exec -it nextcloud occ upgrade
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Cannot write into "config" directory.
This can usually be fixed by giving the web server write access to the config directory. See https://docs.nextcloud.com/server/25/go.php?to=admin-dir_permissions. Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it. See https://docs.nextcloud.com/server/25/go.php?to=admin-config

Cannot write into "apps" directory.
This can usually be fixed by giving the web server write access to the apps directory or disabling the App Store in the config file.

An unhandled exception has been thrown:
Exception: Environment not properly prepared. in /config/www/nextcloud/lib/private/Console/Application.php:166
Stack trace:
#0 /config/www/nextcloud/console.php(99): OC\Console\Application->loadCommands()
#1 /config/www/nextcloud/occ(11): require_once('...')

 

I'm guessing I need to change permissions on the config and apps files as stated? or should I set it to read only? 

Did you ever get this working? I'm having a very similar issue

Link to comment
1 minute ago, PassTheSalt said:

Did you ever get this working? I'm having a very similar issue

Look at who owns the config folder, and who owned the old one and what rights it had. The last few times I’ve upgraded Nextcloud I’ve had to change owner and permissions back to “what they were”. I could look at mine later and tell you if needed. Nevertheless, same thing. Upgrade would fail because when following manual upgrade instructions the new folder permissions and owner weren’t correct.

Link to comment
2 minutes ago, blaine07 said:

Look at who owns the config folder, and who owned the old one and what rights it had. The last few times I’ve upgraded Nextcloud I’ve had to change owner and permissions back to “what they were”. I could look at mine later and tell you if needed. Nevertheless, same thing. Upgrade would fail because when following manual upgrade instructions the new folder permissions and owner weren’t correct.

When manually upgrading, this is when I’ve had to fix owner and permissions in the process:

[attached image]

Link to comment
19 hours ago, PassTheSalt said:

Did you ever get this working? I'm having a very similar issue

As blaine07 already said, it's an owner/permissions issue. Resetting these to nobody and rw permissions solved my issue. Although I've had to do this every time I update since first having the issue, which isn't ideal.

Link to comment
43 minutes ago, tazire said:

As blaine07 already said, it's an owner/permissions issue. Resetting these to nobody and rw permissions solved my issue. Although I've had to do this every time I update since first having the issue, which isn't ideal.

Yes, I have had to do this the last several updates too. Not quite sure why but it's kind of a nuisance.

Link to comment

Hello. I updated Unraid 6.9.2 to 6.11.5. Now Nextcloud writes the following message:

 

Quote

The data directory is incorrect. Make sure the ".ocdata" file is present at the root of the data directory. The data directory is not writable. Permissions can usually be fixed by giving the web server the right to write to the root directory. Refer to https://docs.nextcloud.com/server/25/go.php?to=admin-dir_permissions.

 

I think it's a problem with the access rights to the directory, but I don't know how to fix it. Help please.

 

root@ROLS:~# ls -l /mnt/user/appdata/nextcloud/
total 104
drwxr-xr-x 1 sshd sshd   880 Dec 25 23:52 3rdparty/
-rw-r--r-- 1 sshd sshd 19327 Dec 25 23:52 AUTHORS
-rw-r--r-- 1 sshd sshd 34520 Dec 25 23:52 COPYING
drwxr-xr-x 1 sshd sshd  1182 Dec 25 23:53 apps/
drwxr-xr-x 1 sshd root   300 Jun 14  2020 config/
-rw-r--r-- 1 sshd sshd  4095 Dec 25 23:52 console.php
drwxr-xr-x 1 sshd sshd   440 Dec 25 23:53 core/
-rw-r--r-- 1 sshd sshd  6317 Dec 25 23:52 cron.php
drwxr-xr-x 1 sshd root   380 Dec 25 23:05 custom_apps/
drwxr-xr-x 1 sshd root    64 Jun 14  2020 data/
drwxr-xr-x 1 sshd sshd 10104 Dec 25 23:53 dist/
-rw-r--r-- 1 sshd sshd   156 Dec 25 23:52 index.html
-rw-r--r-- 1 sshd sshd  3456 Dec 25 23:52 index.php
drwxr-xr-x 1 sshd sshd   126 Dec 25 23:53 lib/
-rw-r--r-- 1 root root     0 Dec 25 23:52 nextcloud-init-sync.lock
-rwxr-xr-x 1 sshd sshd   283 Dec 25 23:52 occ*
drwxr-xr-x 1 sshd sshd    18 Dec 25 23:53 ocm-provider/
drwxr-xr-x 1 sshd sshd    50 Dec 25 23:53 ocs/
drwxr-xr-x 1 sshd sshd    18 Dec 25 23:53 ocs-provider/
-rw-r--r-- 1 sshd sshd  3139 Dec 25 23:52 public.php
-rw-r--r-- 1 sshd sshd  5549 Dec 25 23:52 remote.php
drwxr-xr-x 1 sshd sshd   158 Dec 25 23:53 resources/
-rw-r--r-- 1 sshd sshd    26 Dec 25 23:52 robots.txt
-rw-r--r-- 1 sshd sshd  2452 Dec 25 23:52 status.php
drwxr-xr-x 1 sshd root    26 Jun 14  2020 themes/
-rw-r--r-- 1 sshd sshd   383 Dec 25 23:53 version.php
root@ROLS:~# 

 

Edited by kavitacia
Link to comment

Hoping for some support with NextCloud. I've been watching and following SpaceInvader One's tutorial on setting up NextCloud on Unraid - Part 1. Everything was working as per the step-by-step process. I completed the install of MariaDB, installed NextCloud, confirmed it was running, set it up on the MariaDB, set up a user, etc. All working great. I got to about 20.50 in the linked video, where the next step is to configure NextCloud to work with the personal domain. I made all the necessary configuration changes in the config.php file and saved the file. I restarted the Nextcloud container and now I am receiving the following error msg in the log file, which I had not received previously. Wondering if anyone had any thoughts / recommendations?

 

PHP Fatal error:  Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /config/www/nextcloud/cron.php:192
Stack trace:
#0 {main}
  thrown in /config/www/nextcloud/cron.php on line 192

 

I attempted to look up a potential fix but honestly this is way above my head, which is why I'm reaching out to the experts in this community to see if you have any advice for a noob. Thanks!

Please disregard; after opening the config.php file in a different application I see where I omitted a comma in one of the statements. I didn't want to delete this post in case someone comes across it in the future.

Edited by Tharnax
Found and resolved the issue.
  • Thanks 1
Link to comment
31 minutes ago, Tharnax said:

Hoping for some support with NextCloud. I've been watching and following SpaceInvader One's tutorial on setting up NextCloud on Unraid - Part 1. Everything was working as per the step-by-step process. I completed the install of MariaDB, installed NextCloud, confirmed it was running, set it up on the MariaDB, set up a user, etc. All working great. I got to about 20.50 in the linked video, where the next step is to configure NextCloud to work with the personal domain. I made all the necessary configuration changes in the config.php file and saved the file. I restarted the Nextcloud container and now I am receiving the following error msg in the log file, which I had not received previously. Wondering if anyone had any thoughts / recommendations?

 

PHP Fatal error:  Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /config/www/nextcloud/cron.php:192
Stack trace:
#0 {main}
  thrown in /config/www/nextcloud/cron.php on line 192

 

I attempted to look up a potential fix but honestly this is way above my head, which is why I'm reaching out to the experts in this community to see if you have any advice for a noob. Thanks!

Please disregard; after opening the config.php file in a different application I see where I omitted a comma in one of the statements. I didn't want to delete this post in case someone comes across it in the future.

Good work figuring it out; about the story of my life too — I make a post and wham it hits me lol 

  • Like 1
Link to comment
