[Support] Linuxserver.io - Nextcloud



LOL yep that was it, that's what I get for copying and pasting from the nextcloud site, they have it with a $ bold note section, but without it in the file section. Thanks!

 

Also it seems to run twice as fast now with the changes. Now instead of a 10-20 second delay when switching screens it's like only 5 or less. :)

Edited by almulder
Link to comment
1 hour ago, almulder said:

LOL yep that was it, that's what I get for copying and pasting from the nextcloud site, they have it with a $ bold note section, but without it in the file section. Thanks!

 

Also it seems to run twice as fast now with the changes. Now instead of a 10-20 second delay when switching screens it's like only 5 or less. :)

Did you have to change anything in your appdata\nginx\site-confs\default or was it just from appdata\nextcloud\site-confs\default? I tried to follow the config as well and this is what I tried changing it to but it doesn't seem to be working. Can you see if I did anything wrong?

 

Old Config:

location / {

    rewrite ^/remote/(.*) /remote.php last;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    try_files $uri $uri/ =404;
  }

  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
  }

New Config:

location / {

     rewrite ^ /index.php;
  }

  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    try_files $fastcgi_script_name =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPTFILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATHINFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
   # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
  }

 

  • Like 1
Link to comment
1 hour ago, CorneliousJD said:

My file is VASTLY different here than yours. 

 


upstream php-handler {
  server 127.0.0.1:9000;
# server unix:/var/run/php/php7.0-fpm.sock;
}

server {
  listen 80;
  server_name _;
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name _;

  ssl_certificate /config/keys/cert.crt;
  ssl_certificate_key /config/keys/cert.key;

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  # add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /config/www/nextcloud/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
  rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location / {

    rewrite ^/remote/(.*) /remote.php last;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    try_files $uri $uri/ =404;
  }

  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
	
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
  }

  # Optional: Don't log access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
  }
}

 

You may want to look at Nextcloud's new format, your config.php is probably from an older version. My config is from the 17.0 version.

 

https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html

  • Like 1
Link to comment

When I try to open the url remotely, such as yourname.duckdns.org, I get the following:


 

Quote

 

This site is not secure

 

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

 

Go to your Start page

Details

Your PC doesn’t trust this website’s security certificate.
The hostname in the website’s security certificate differs from the website you are trying to visit.

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

Go on to the webpage (Not recommended)


 

 

I can click through it, but how do I correct it so that it doesn't show up?

Link to comment
6 minutes ago, Smooth Beaver said:

What exactly did you change? Is this a new install or an old install?

This is not a new install and has been running well for over a year, perhaps longer. I mainly use it to sync various devices to a central server. However, when I do send a link to a friend, I've always encountered this issue. It's more of a nuisance than a true hindrance, but I was wondering how to completely fix it.

Link to comment
1 minute ago, levster said:

This is not a new install and has been running well for over a year, perhaps longer. I mainly use it to sync various devices to a central server. However, when I do send a link to a friend, I've always encountered this issue. It's more of a nuisance than a true hindrance, but I was wondering how to completely fix it.

When you look at the letsencrypt log are there any errors? Can you post a screen shot of your letsencrypt docker config?

Link to comment

@CorneliousJD My config looked exactly the same as yours. I did what @local.bin and @Smooth Beaver suggested.

 

1. Backup of my current running Nextcloud 17 install

2. grabbed the config template for nginx from https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html

3. adjusted a couple things so it matches the old config like

 

uncommented IPv6 access and adjusted the server_name _ without a domain name

server {
    listen 80;
    # listen [::]:80;
    # server_name cloud.example.com;
    server_name _;

adjusted the cert path

ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;

changed the path for Nextcloud

# Path to the root of your installation
root /config/www/nextcloud;

changed the max upload size to my old settings

# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;

included the full path for fastcgi_params "/etc/nginx/fastcgi_params"

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;

and finally checked if all the settings for "Strict-Transport-Security" and "X-Frame-Options" are the same as before.

 

4. restarted Nextcloud docker

5. restarted letsencrypt docker

6. logged into Nextcloud and checked the logs and disabled the "Nextcloud announcements" app because it spammed the logs with

Symfony\Component\Routing\Exception\RouteNotFoundException: Unable to generate a URL for the named route "ocs.provisioning_api.AppsController.disable" as such route does not exist.

Looks like this is a known issue and will be addressed with a later update.

https://github.com/nextcloud/nextcloud_announcements/issues/54

  • Like 3
  • Thanks 1
Link to comment

Now getting this
 

The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information

and I have this in the new default.

add_header Referrer-Policy no-referrer;

found the fix here

 

Quote

Try to remove the entry in your NGINX configuration. The .htaccess includes this header already. I had to do that as well.

 

Edited by H2O_King89
found fix
Link to comment

I'm getting this

 

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

 

Even with the settings included in the new config file. And strangely when I F12 in Chrome on my Nextcloud tab it appears to be set to SAMEORIGIN...

 

default

Edited by tazire
Link to comment
2 hours ago, tazire said:

I'm getting this

 

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

 

Even with the settings included in the new config file. And strangely when I F12 in Chrome on my Nextcloud tab it appears to be set to SAMEORIGIN...

 

default 5.93 kB · 1 download

Comment out line 38 with #

  • Like 1
Link to comment
22 hours ago, Niklas said:

Since the docker image has been updated with the fix I just deleted /config/nginx/site-confs/default and restarted the container. The container will recreate it with the fixes in place.

Thanks... haha this was by FAR the easiest solution. Worked great. Can confirm the newly generated default site conf looks like it has the fixes in place! :)

 

EDIT: Although after doing this now I'm getting one small error on the security check page.

The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin".

 

But as H2O_King89 noted above, this is an easy fix.

I just commented out line #21 on the newly generated config!

 

Quote

Try to remove the entry in your NGINX configuration. The .htaccess includes this header already. I had to do that as well.

 

Edited by CorneliousJD
  • Like 1
Link to comment
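The fix quoted above removes a header from the nginx config because it is already being sent from elsewhere. As an added example (not from the thread, Nextcloud or linuxserver.io), this Python check parses a constructed response and flags the two headers named in the warnings when they are missing, repeated, or carry a merged value outside the accepted list; the sample response and function names are assumptions.

```python
from collections import defaultdict

# Accepted values, taken from the warnings quoted in the thread.
ACCEPTED = {
    "referrer-policy": {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                        "strict-origin-when-cross-origin", "same-origin"},
    "x-frame-options": {"sameorigin"},
}

# Constructed response: Referrer-Policy appears twice, as it would if both an
# nginx add_header line and the application emitted it.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "referrer-policy: no-referrer\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased name: [values in order]} for a raw header block."""
    fields = defaultdict(list)
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()].append(value.strip())
    return fields

def audit(raw):
    """Return a sorted list of (header, problem) findings."""
    fields = parse_headers(raw)
    findings = []
    for name, accepted in ACCEPTED.items():
        values = fields.get(name, [])
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:
            findings.append((name, f"sent {len(values)} times"))
        # A client that merges repeated fields sees one comma-joined value.
        merged = ", ".join(values).lower()
        if merged not in accepted:
            findings.append((name, f"effective value {merged!r} not accepted"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

To run it against a live server, feed `audit` the header block saved from `curl -sI` instead of `SAMPLE`.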

I am trying to set up fail2ban with the Nextcloud, letsencrypt and OnlyOffice Document Server dockers (Nextcloud, letsencrypt & ONLYOFFICE currently work perfectly). When I look at Nextcloud's log file it shows all logins are coming from a single IP, probably because of the letsencrypt reverse proxy. So I found this page but it says I need a subscription to view it.

 


 

 

Can anyone help with allowing the reverse proxy to pass the client IP so I can configure fail2ban to work using this as a rough guide:

 

https://dennisnotes.com/note/20180831-nextcloud-docker-nginx-reverse-proxy/

 

Are these the lines that I need to add to the letsencrypt conf file for nextcloud that will do the client IP passthrough?

 

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Do I need to add all three or just one or etc? I am not exactly sure what they do which is why I don't want to add them....

Edited by Smooth Beaver
Link to comment
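On the three proxy_set_header lines in the question above: X-Real-IP carries `$remote_addr` alone, X-Forwarded-Proto carries the original scheme, and X-Forwarded-For carries the chain of addresses. As an added example (not from the thread or from any of the projects mentioned), this Python sketch models what `$proxy_add_x_forwarded_for` produces and how a backend can pick the client address for fail2ban without trusting values the client supplied; the proxy range, addresses and function names are assumptions.

```python
import ipaddress

# Assumption: the reverse proxy reaches the backend from this range (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value nginx gives $proxy_add_x_forwarded_for: the client's own
    X-Forwarded-For (if any) with $remote_addr appended after a comma."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def client_ip(peer_addr, xff):
    """Address the backend should log, and fail2ban should act on.

    The header is honoured only when the TCP peer is a trusted proxy. The list
    is walked right to left, skipping trusted hops, so the first hit is the
    address the proxy itself observed, not something the client typed in."""
    if not is_trusted(peer_addr) or not xff:
        return peer_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop using the header
    return peer_addr

def demo():
    proxy = "172.17.0.2"  # constructed addresses throughout
    honest = proxy_add_x_forwarded_for("", "203.0.113.7")
    spoofed = proxy_add_x_forwarded_for("10.9.8.7", "203.0.113.7")
    return (
        client_ip(proxy, honest),               # normal request via the proxy
        client_ip(proxy, spoofed),              # client sent its own X-Forwarded-For
        client_ip("198.51.100.9", "1.2.3.4"),   # request that bypassed the proxy
    )

if __name__ == "__main__":
    print(demo())
```

In Nextcloud the counterpart of `TRUSTED_PROXIES` is the `trusted_proxies` array in config.php.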
