[Support] Linuxserver.io - Nextcloud



I'm dealing with 2 other issues in Nextcloud.

 

Security & setup warnings

    The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

 

I followed Peter_sm's directions and fixed the Security and Setup warnings

I was also trying Peter_sm's solution but it doesn't work here. Here is my default file: http://pastebin.com/vkEJktz2


OK, so I can't answer any questions on this as I am just learning nginx.  ???

 

Can upload files, tested with one 1.5gb sample and not getting any security warnings in nextcloud and getting an A+ on ssllabs at the moment.  Also syncs via my Android client perfectly.

 

The only changes I've made to nextcloud are an update to 10.0, the ones detailed in my guide and changed the file upload size limit via the webui.

 


 

server {
    server_name nextcloud.server.com;
    # sub1 config

    listen 80;

    listen 443 ssl;

    root /config/www/nextcloud;
    index index.html index.htm index.php;

    server_name nextcloud.server.com;

    ### Set certificates ###
    ssl_certificate /config/keys/server.com/1_server.com_bundle.crt;
    ssl_certificate_key /config/keys/server.com/decryptedcertificatesigningrequest.key;

    ### Add Diffie–Hellman key exchange ###
    ssl_dhparam /config/keys/server.com/dhparam.pem;

    ### Disable SSL by enforcing TLS ###
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ### Add some ciphers and reject weaker ones ###
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ### Extra Settings ###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.0.1:444/;
    }
}


I'm dealing with 2 other issues in Nextcloud.

 

Security & setup warnings

    The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.

    The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

 

I followed Peter_sm's directions and fixed the Security and Setup warnings

I was also trying Peter_sm's solution but it doesn't work here. Here is my default file: http://pastebin.com/vkEJktz2

 

Are you running version 10.0, because I'm not seeing any problems running on either Apache or Nginx


This config works for me with aptalca's excellent nginx-letsencrypt container accessing nextcloud on nextcloud.server.com using this container on port 444

 

Can upload files, tested with one 1.5gb sample and not getting any security warnings in nextcloud and getting an A+ on ssllabs at the moment.  Also syncs via my Android client perfectly.

 

The only changes I've made to nextcloud are an update to 10.0, the ones detailed in my guide and changed the file upload size limit via the webui.

 


 

server {
    listen 80;

    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name nextcloud.server.com;

    ### SSL Certificates ###
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;

    ### Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ### Extra Settings ###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.0.1:444/;
    }
}


I have this score. nginx + Letsencrypt

 

//Peter

 

Well I'm only putting configs up as some people seem to be having trouble with yours at the moment.  Are you using nextcloud.server.com or server.com/nextcloud ?  Care to post your complete default file?  Might be useful...  I'm just starting out with nginx so I'm all ears.

 


Hi,

 

I'm using server.com/nextcloud; I never tested nextcloud.server.com. Is there any benefit to doing it this way instead?

 

Can post the config later .....

 

//P

 

No benefit, it's largely down to user preference, yeah I'd be grateful if you posted your config to see what the difference is. 


@CHBMB: adding these lines to my "default" file removed the security warnings:

### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

 

I'm using Nextcloud 10.0 (stable) with the Nginx-letsencrypt container so that was really helpful.

 

What is the nginx directory within the Nextcloud container doing? My understanding is that it's not needed as Nginx-letsencrypt is doing the job? At least I can ignore the config files there?

 

Thanks a lot.

 

[EDIT] I am also getting the A+ on ssllabs. Good to know :-)


The nextcloud container is actually based on an nginx server.  Don't mess around with that or you'll break the container.


Here it is, please feedback what can be better!

 

 

NgINX docker

DHLEVEL = 4096

 


server {
        listen 80;
        server_name server.com  web.server.com  www.server.com;
        return 301 https://$server_name$request_uri; #enforce https
}

server {
        listen 443 ssl http2 default_server;
        root /config/www;
        index index.html index.htm index.php;
        server_name server.com web.server.com  www.server.com ;
        #add_header Strict-Transport-Security max-age=31536000 always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        include /config/nginx/proxy.conf;
        #include /config/nginx/auth.conf;
        ssl_certificate /config/keys/fullchain.pem;
        ssl_certificate_key /config/keys/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp384r1;

        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets on;

        location / {
                include /config/nginx/auth.conf;
                try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location /nzbget/ {
                include /config/nginx/auth.conf;
                proxy_pass http://192.168.0.190:6789;
        }

        location /sabnzbd/ {
                include /config/nginx/auth.conf;
                proxy_pass http://192.168.0.190:8080;
        }

        location /nextcloud {
                proxy_pass https://192.168.0.190:446/nextcloud;
        }
}

 

 


What's the reason behind this section?

 

server {
        listen 80;
        server_name server.com  web.server.com  www.server.com;
        return 301 https://$server_name$request_uri; #enforce https
}

 

Can you just forward port 80 from your router and keep 443 closed then and still direct all traffic to https?


Ideally you want all traffic on 443 and any traffic on 80 to be redirected with the webserver to 443.  AFAIK you can't do this at the router level.


So with this setting you keep both ports open on your router or just port 80 as the webserver still redirects to 443 (without opening that port on the router)?

Or port 443 only? But then this setting would not do anything if I understand this correctly as port 80 is closed anyway

 

I also mapped port 80 from the nginx-letsencrypt container to port 81 on the host because of the unRAID webUI.


http requests from WAN go to port 80

https requests from WAN go to port 443

 

If a request to port 80 hits the webserver it should get redirected to 443.

 

If port 80 is closed it can never reach the webserver to get redirected.

If port 443 is closed then https requests from WAN can never reach the webserver.


I need help because I can't get this to work correctly. I had it working and then it messed up, so I just didn't mess with it. Updated to 6.2 and tried to get this going and I am met with this (see attached).

I have removed, reinstalled, did not work, removed, reinstalled, over and over.

Yes, I have my binlog statement; I did docker exec and fixed the custom.cnf files, and still get this error.

 

What are the file permissions on the custom.cnf file?

 

Sorry this took a long while to reply to.

 

root@9ce0020c5a71:/config# ls -l
total 8
-rw-r--r-- 1 root root  3753 Oct  1 22:44 custom.bak.cnf
-rw-r--r-- 1 abc  users 3773 Oct  2 14:32 custom.cnf
drwxr-xr-x 1 abc  users  400 Oct  1 23:17 databases
drwxr-xr-x 1 abc  users   72 Oct  1 22:39 log

 

What about file perms in /mnt/cache/appdata/mariadb/?

 

Would expect them to be the same...

 

Sorry again for the delay,

 

drwxrwxrwx  4 nobody users  168 Oct  2 14:32 mariadb/
drwxrwxrwx  2 nobody users   48 Aug 11 12:53 netdata/
drwxrwxrwx  6 nobody users  144 Oct  1 10:54 nextcloud/


Out of curiosity, if I point Nextcloud's data folder to /mnt/user/nextcloud/, can I use the terminal to create symbolic links to other folders in my array?

 

Basically I'd like to use Nextcloud as the internet-facing portal to certain files on my unRAID Server (if not most of them - like I usually do with my Synology box); while I'm happy that all my external users will add all their data in the mnt/user/nextcloud/* folder, I'd like my personal account to have access to other private folders, like my work and my Media shares, which are for example on /mnt/user/myworkfolder/ and /mnt/user/mymediafolder/. Is it something do-able? Is there any other way to achieve this?


There's a plugin you can use; away from home, so can't look it up, but something like mount external devices....

 


 

Thanks, I'll look that up :)

 

I'm trying to install Nextcloud on my server and I'm having the infamous "SQLSTATE[HY000] [1130] Host '172.17.0.1' is not allowed to connect to this MariaDB server" error. I checked the thread history and I've seen that it was fixed somehow via PM. Do you remember by any chance how that was fixed?

 

Edit: Fixed :D


I've just done a completely fresh install to test this and I'm still not able to reproduce the problems you're having.  Five mins and I was up and running.  ???
