[Support] Linuxserver.io - Nextcloud


10 hours ago, Smooth Beaver said:

I am trying to set up fail2ban with the nextcloud, letsencrypt and OnlyOffice Document Server dockers (Nextcloud, letsencrypt & ONLYOFFICE currently work perfectly). When I look at Nextcloud's log file it shows all logins coming from a single IP, probably because of the letsencrypt reverse proxy. So I found this page, but it says I need a subscription to view it.

Can anyone help with allowing the reverse proxy to pass the client IP so I can configure fail2ban to work, using this as a rough guide:

https://dennisnotes.com/note/20180831-nextcloud-docker-nginx-reverse-proxy/

Are these the lines that I need to add to the letsencrypt conf file for nextcloud that will do the client IP passthrough?

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Do I need to add all three or just one, etc.? I am not exactly sure what they do, which is why I don't want to add them....

Why not use fail2ban in the letsencrypt container? It's built in.

5 hours ago, saarg said:

Why not use fail2ban in the letsencrypt container? It's built in.

I am, but it doesn't appear to offer brute force protection. Am I wrong on this? (I know Nextcloud offers it natively, but I cannot set anything; I tried like 5 times to log in with wrong information and never got blocked. I want it to be like 3 attempts and blocked.) I added the filter, and I was gonna add the jail, but once I looked at the nextcloud logs all logins are coming from the same IP so it won't work....

Post your proxy config.

I don't use F2B in the container because the phone app or sharing can't get around it, so I use the one built into Nextcloud, but I had to add it from their app store.

8 minutes ago, H2O_King89 said:

Post your proxy config.

I don't use F2B in the container because the phone app or sharing can't get around it, so I use the one built into Nextcloud, but I had to add it from their app store.

Here is my Nextcloud proxy config:

# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

Here is my ONLYOFFICE Document Server Proxy conf:

server {
    listen 443 ssl;

    server_name oods.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_oods OnlyOfficeDocumentServer;
        proxy_pass https://$upstream_oods:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}


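Added example for the fail2ban problem Smooth Beaver describes above (this is not code from the thread or from linuxserver.io): a simplified fail2ban-style count over Nextcloud JSON log lines, with the match pattern modelled on the usual Nextcloud filter and the three-attempt threshold the poster asked for. The log lines and addresses are constructed; the point is what a jail sees while Nextcloud reports the proxy container's address for every client, versus what it sees once the forwarded client address is reported.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern modelled on the usual fail2ban filter for Nextcloud: the client address
# is read from the "Remote IP" part of the "Login failed" message, so whatever
# Nextcloud believes the client address to be is what ends up banned.
LOGIN_FAILED = re.compile(
    r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<host>[^']+)'\)")

def failed_logins(log_lines):
    """Yield (timestamp, host, user) for each failed-login entry in Nextcloud's
    JSON log (one object per line); lines that are not failed logins are skipped."""
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        m = LOGIN_FAILED.search(entry.get("message", ""))
        if m:
            yield datetime.fromisoformat(entry["time"]), m.group("host"), m.group("user")

def hosts_to_ban(log_lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside a sliding findtime window
    (a simplified jail: no bantime bookkeeping and no unbanning)."""
    recent = defaultdict(list)
    banned = set()
    for ts, host, _user in failed_logins(log_lines):
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def make_log(reported_ips):
    """Constructed Nextcloud-style log lines (not a real capture, at most ten
    entries): one failed login per entry, one minute apart, from four users."""
    users = ["alice", "bob", "carol", "dave"]
    return [json.dumps({
        "level": 2, "app": "core", "method": "POST", "url": "/login",
        "time": f"2019-10-27T16:2{i}:00+00:00", "remoteAddr": ip,
        "message": f"Login failed: '{users[i % 4]}' (Remote IP: '{ip}')",
    }) for i, ip in enumerate(reported_ips)]

# Without trusted_proxies, Nextcloud reports the proxy container's address for
# every client; with it, the forwarded client address is reported instead.
PROXY_ONLY = make_log(["172.18.0.2"] * 4)
FORWARDED = make_log(["203.0.113.7", "198.51.100.9", "203.0.113.7", "203.0.113.7"])

if __name__ == "__main__":
    print("proxy address only:", hosts_to_ban(PROXY_ONLY))  # bans the proxy, i.e. everyone
    print("forwarded address :", hosts_to_ban(FORWARDED))   # bans the repeat offender only
```
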
I'm confused if the required Nextcloud changes need to be applied to the Letsencrypt site-confs or Nextcloud site-confs or both.

I do have a default file in the Letsencrypt site-confs folder and a default file in the Nextcloud site-confs folder. Both are completely different. In fact I did recreate the Nextcloud default file. The Nextcloud-specific settings are in its own file located within Letsencrypt's site-confs.

There are no warnings on Nextcloud's security page and no warnings on the Nextcloud Check-Website.

Any help is highly appreciated.

12 hours ago, hawihoney said:

I'm confused if the required Nextcloud changes need to be applied to the Letsencrypt site-confs or Nextcloud site-confs or both.

I do have a default file in the Letsencrypt site-confs folder and a default file in the Nextcloud site-confs folder. Both are completely different. In fact I did recreate the Nextcloud default file. The Nextcloud-specific settings are in its own file located within Letsencrypt's site-confs.

There are no warnings on Nextcloud's security page and no warnings on the Nextcloud Check-Website.

Any help is highly appreciated.

https://blog.linuxserver.io/2019/10/26/psa-nextcloud/

45 minutes ago, hawihoney said:

Sorry, but there's not a single hint regarding my question on that site. Does "containers" refer to the Letsencrypt container and/or the Nextcloud container?

A "default" file does exist in exactly the same location in both containers (/config/nginx/site-confs/default).

When I wrote the article, I was purely talking about the nextcloud container, nothing else.


Hi,

I have a very specific scenario happening with my Nextcloud instance.
If I upload a large file using a shared link, my docker image fills up. Only using a shared link.
If I upload the same file as a logged-in user this does not happen.

I thought I might be able to find which directory keeps the temporary data and export it outside of the container, but I'm not able to find it.

I ran watch du -sh against every directory inside the container with no success. It looks like it doesn't happen there.

Any help is appreciated.


I received the "Urgent security issue in NGINX/php-fpm" recently. My setup has run rock solid for years now (I used this guide: https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/).

1.) Seems that the php package needs to be updated and I am confident that this will happen via Docker update.

2.) Secondly, two changes are needed in the nginx config:

a.) the removal of $request_uri

b.) the addition of try_files $fastcgi_script_name =404;

2b.) is done but I wasn't able to find 2a.), so it seems that I am safe. Any further suggestions? Thanks a lot.

5 hours ago, EdgarWallace said:

I received the "Urgent security issue in NGINX/php-fpm" recently. My setup has run rock solid for years now (I used this guide: https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/).

1.) Seems that the php package needs to be updated and I am confident that this will happen via Docker update.

2.) Secondly, two changes are needed in the nginx config:

a.) the removal of $request_uri

b.) the addition of try_files $fastcgi_script_name =404;

2b.) is done but I wasn't able to find 2a.), so it seems that I am safe. Any further suggestions? Thanks a lot.

In addition, is there a way to confirm if the system is updated appropriately for this vulnerability?

I just followed a SpaceInvader guide and I don't even know where to start looking to confirm things.

It also looks like the Docker was recently updated on my system - maybe it's all patched up already?

3 hours ago, nraygun said:

In addition, is there a way to confirm if the system is updated appropriately for this vulnerability?

I just followed a SpaceInvader guide and I don't even know where to start looking to confirm things.

It also looks like the Docker was recently updated on my system - maybe it's all patched up already?

It's already patched. Check the link I posted a couple of posts ago.


Hey guys,

My nextcloud stopped working a while back and I am just starting to look at it again. I cannot load the nextcloud webui at all. Where should I start??

Browser gives me error ERR_CONNECTION_REFUSED

Found my letsencrypt docker was orphaned and not running.

Found the guide. Let me confirm everything is ok first. oops

Thanks

On 10/29/2019 at 8:32 AM, saarg said:

@saarg, I followed the guide that you posted so thanks a lot. After "default" was regenerated I discovered some security warnings (sorry for the German log but I do think that you know these messages :-)):

Der „X-Content-Type-Options“-HTTP-Header ist nicht so konfiguriert, dass er „nosniff“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Robots-Tag“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Download-Options“-HTTP-Header ist nicht so konfiguriert, dass er „noopen“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Permitted-Cross-Domain-Policies“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.

Der "Referrer-Policy" HTTP-Header ist nicht gesetzt auf "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" oder "same-origin". Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung.

I don't get an A+ grade and no security warnings by using my "default" file. Have I done anything wrong and what's your advice moving forward? Thanks a lot.

56 minutes ago, EdgarWallace said:

@saarg, I followed the guide that you posted so thanks a lot. After "default" was regenerated I discovered some security warnings (sorry for the German log but I do think that you know these messages :-)):


Der „X-Content-Type-Options“-HTTP-Header ist nicht so konfiguriert, dass er „nosniff“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Robots-Tag“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Download-Options“-HTTP-Header ist nicht so konfiguriert, dass er „noopen“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Permitted-Cross-Domain-Policies“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.

Der "Referrer-Policy" HTTP-Header ist nicht gesetzt auf "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" oder "same-origin". Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung.

I don't get an A+ grade and no security warnings by using my "default" file. Have I done anything wrong and what's your advice moving forward? Thanks a lot.

Make sure the following is set in your "default" site-conf:

add_header X-Content-Type-Options "nosniff" always;
add_header X-Robots-Tag "none" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Referrer-Policy "no-referrer" always;

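Added example (not from the thread or from linuxserver.io) for checking whether a site-conf actually sends the headers saarg lists: it parses a raw HTTP response and reports, in the style of the Nextcloud warnings quoted above, every header that is missing or carries a value the check does not accept. The three responses are constructed, not captured from a real server.

```python
from collections import defaultdict

# Values the Nextcloud security check accepts, taken from the warnings quoted in
# this thread (Referrer-Policy may be any of the five policies the check names).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-robots-tag": {"none"},
    "x-download-options": {"noopen"},
    "x-permitted-cross-domain-policies": {"none"},
    "referrer-policy": {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                        "strict-origin-when-cross-origin", "same-origin"},
}

def parse_headers(raw_response):
    """Split the header section of a raw HTTP response into
    {lowercased name: [values]}; a name may repeat, so values are kept as a list."""
    headers = defaultdict(list)
    for line in raw_response.split("\r\n")[1:]:   # element 0 is the status line
        if line == "":
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def hardening_warnings(raw_response):
    """One message per expected header that is absent or has no accepted value,
    mirroring what Nextcloud's overview page would complain about."""
    headers = parse_headers(raw_response)
    warnings = []
    for name, accepted in EXPECTED.items():
        values = {v.lower() for v in headers.get(name, [])}
        if not values & accepted:
            warnings.append(f"{name} is not set to one of {sorted(accepted)}")
    return warnings

# Constructed responses (not real captures): a site-conf that only sends HSTS,
# one with the five add_header lines above, and one with a wrong Referrer-Policy.
HSTS_ONLY = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=63072000; includeSubdomains\r\n"
             "\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=63072000; includeSubdomains\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "X-Robots-Tag: none\r\n"
            "X-Download-Options: noopen\r\n"
            "X-Permitted-Cross-Domain-Policies: none\r\n"
            "Referrer-Policy: no-referrer\r\n"
            "\r\n<html>")
WRONG_REFERRER = HARDENED.replace("Referrer-Policy: no-referrer", "Referrer-Policy: unsafe-url")

if __name__ == "__main__":
    for label, resp in [("hsts only", HSTS_ONLY), ("hardened", HARDENED),
                        ("wrong referrer", WRONG_REFERRER)]:
        print(label, hardening_warnings(resp))
```

The `always` parameter in saarg's lines makes nginx emit the header on error responses as well, so a check like this is worth running against a 404 page too, not only the login page.
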
1 hour ago, EdgarWallace said:

@saarg, I followed the guide that you posted so thanks a lot. After "default" was regenerated I discovered some security warnings (sorry for the German log but I do think that you know these messages :-)):


Der „X-Content-Type-Options“-HTTP-Header ist nicht so konfiguriert, dass er „nosniff“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Robots-Tag“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Download-Options“-HTTP-Header ist nicht so konfiguriert, dass er „noopen“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.
Der „X-Permitted-Cross-Domain-Policies“-HTTP-Header ist nicht so konfiguriert, dass er „none“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.

Der "Referrer-Policy" HTTP-Header ist nicht gesetzt auf "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" oder "same-origin". Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung.

I don't get an A+ grade and no security warnings by using my "default" file. Have I done anything wrong and what's your advice moving forward? Thanks a lot.

Be sure to run latest stable version of Nextcloud to get an A+.

For now it's 16.0.5.

Thanks @bastl, however that was not the necessary fix. I checked the admin manual 1000000 times (https://docs.nextcloud.com/server/16/admin_manual/installation/nginx.html) and still have no clue where the issue is sitting.

@andreidelait, sure I am running 16.0.5, which is being provided by using the update channel "stable".


Yes - restarted after every change. Meanwhile I used the original configuration from the Nextcloud admin guide and adjusted server_name, root, ssl_certificate and ssl_certificate_key.....without any luck.

Server is still giving warnings. Anyhow, I am going to use my "old" default file. Thanks a lot @bastl

If you use letsencrypt as your reverse proxy you should look at that nginx config, not nextcloud. I do not remember editing any nginx file in the nextcloud docker. I've only edited

/mnt/user/appdata/nextcloud/www/nextcloud/config/config.php

and

/mnt/user/appdata/letsencrypt/nginx/site-confs/default

If you think you need to have a look at my files I can post them in a few hours.


Well, @bastl, there is a section in /mnt/user/system/docker/appdata/letsencrypt/nginx/site-confs/default:

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer always;

However, all the settings are according to the requirements.
