[Support] Linuxserver.io - Nextcloud



Hi! I am using latest stable letsencrypt and nextcloud dockers.

My problem is that in security tab I see only the internal docker ip so it does not work properly.

 

How can I pass clients real IP to nextcloud?

 

Also I get those minor errors
 

Quote

 

There are some warnings regarding your setup.

The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.

Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

 

Quote

Login failed: xxx (Remote IP: 172.18.0.4)

 

My nextcloud.subdomain.conf

 

# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name xxxxxxx.*;
    add_header X-Robots-Tag "none";
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
	
    location = /.well-known/carddav {
        proxy_pass https://$upstream_nextcloud:443/remote.php/dav;
    }
    location = /.well-known/caldav {
        proxy_pass https://$upstream_nextcloud:443/remote.php/dav;
    }
}

My proxy.conf

 

## Version 2019/10/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/proxy.conf

client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# TLS 1.3 early data
proxy_set_header Early-Data $ssl_early_data;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;

My nextcloud nginx conf

upstream php-handler {
  server 127.0.0.1:9000;
# server unix:/var/run/php/php7.0-fpm.sock;
}

server {
  listen 80;
  server_name _;
  # enforce https
#  return 301 https://$server_name$request_uri;
  add_header X-Frame-Options "SAMEORIGIN";
}

server {
  listen 443 ssl;
  server_name _;

  ssl_certificate /config/keys/cert.crt;
  ssl_certificate_key /config/keys/cert.key;

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  #add_header X-Frame-Options "SAMEORIGIN";
  add_header Referrer-Policy "no-referrer";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /config/www/nextcloud/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  #rewrite ^/.well-known/caldav  /config/www/nextcloud/remote.php/dav/ permanent;
  #rewrite ^/.well-known/carddav  /config/www/nextcloud/remote.php/dav/ permanent;

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /.well-known/carddav {
    return 301 $scheme://$host:6443/remote.php/dav;
  }
  location = /.well-known/caldav {
    return 301 $scheme://$host:6443/remote.php/dav;
  }
  
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

   
  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location / {

    rewrite ^/remote/(.*) /remote.php last;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    try_files $uri $uri/ =404;
  }

  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
  }

  # Optional: Don't log access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
  }
}

 

Link to comment
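
An added example, not part of the original post and not Nextcloud's own code: a small Python model of how an application behind a reverse proxy picks the client address from the X-Forwarded-For header that the proxy.conf above sets. It assumes trusted_proxies entries are compared as IP addresses or CIDR ranges, so a hostname entry such as 'letsencrypt' never matches the connecting peer 172.18.0.4 and the proxy's own address is what gets logged; the function names and the client addresses are constructed for illustration.

```python
import ipaddress

def parse_trusted(entries):
    """Keep only entries that parse as an IP or CIDR range; hostnames are dropped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # e.g. 'letsencrypt': a name, never equal to a peer address
    return nets

def is_trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def client_ip(peer_addr, x_forwarded_for, trusted_proxies):
    """Return the address the application should log and rate-limit on."""
    nets = parse_trusted(trusted_proxies)
    # The header is ignored unless the TCP peer itself is a trusted proxy.
    if not x_forwarded_for or not is_trusted(peer_addr, nets):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: entries on the right were appended by our own proxies,
    # the first untrusted one is the client. Anything left of it is client-supplied.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, nets):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer address
    return peer_addr

# Constructed sample values: the proxy container address from the failed-login
# log line, and a header whose first hop was supplied by the client itself.
PROXY = "172.18.0.4"
XFF = "198.51.100.9, 203.0.113.7"

if __name__ == "__main__":
    print(client_ip(PROXY, XFF, ["letsencrypt"]))  # proxy not recognised
    print(client_ip(PROXY, XFF, ["172.18.0.4"]))   # proxy recognised
```
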

I'm interested in setting this up, but I'm curious what the RAM requirements would be for a single user implementation (with possible growth to 5 or so users if I bring my family onboard). That would be the RAM for both the nextcloud docker as well as the required MariaDB instance. Right now, my unraid server only has 8GB total, averaging about 3GB free/cached.

Link to comment

 

 

Hey, sorry if noob question. I just finished following SpaceInvaders setup. Got everything working with some modification

But was wondering should I not be doing something to secure the OpenOfficedocument server.

I can see that in Nextcloud there is a space for a secret Key but not sure where to configure this in open office...

I ask as I am not wanting anyone who gets access to my onlyoffice.reverseproxy.me type of site to have access... to my docker

Sorry in advance if this is a moot question due to other means of being secure.

Link to comment
2 hours ago, Aceriz said:

Hey, sorry if noob question. I just finished following SpaceInvaders setup. Got everything working with some modification

But was wondering should I not be doing something to secure the OpenOfficedocument server.

I can see that in Nextcloud there is a space for a secret Key but not sure where to configure this in open office...

I ask as I am not wanting anyone who gets access to my onlyoffice.reverseproxy.me type of site to have access... to my docker

Sorry in advance if this is a moot question due to other means of being secure.

When I used the external official onlyoffice doc server docker with lsio nextcloud I added those 2 variables from the readme

image.thumb.png.0be8bc7006915a01c209e8d4cba7a522.png

  • Like 1
  • Thanks 2
Link to comment

Is the issue with community document server still there or is there a fix for it now? I looked around but haven't seen anything.

I do realize that spaceinvaderone's video goes on to explain how to get it working by adding another container and whatnot, but I don't want to add another container for something that should be fixed soon (I hope?) by the nextcloud devs or wherever the problem lies.

 

I am just curious if the actual problem is being addressed, or already has?

  • Like 1
Link to comment

Hey! Yesterday I did manage to install NextCloud and everything went fine. Today I tried to access it and this error happened:

 

"Internal Server Error The server encountered an internal error and was unable to complete your request. Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report. More details can be found in the server log."

 

The last logs are "[services.d] starting services [services.d] done." so I don't know what has gone wrong.

Link to comment

I can't remember if it was the same error message, but I did find once that the database IP address changed in the docker and I had to set it back.  The same can happen with the nextcloud docker too - but you'd likely not be getting an error message like that if it had.  So possibly the former, but it's just a guess.  Also, that might be the docker log you've provided, not the server log - you'd need to look into the docker container or possibly in the docker folder on unraid to find the server log I suspect.  That's what I'd do anyway - just to check all the logs.

Link to comment

Hello, I am hoping someone can get me a quick answer. I've locked myself out of the admin account. I set up U2F on the admin. Unbeknownst to me I was not aware that if I use that same key on another user account it will render the admin useless. Now the admin login will not recognize the U2F key. I need to disable the U2F feature on the admin account so that I can get back in. How can I do this?

Link to comment
1 hour ago, BrunoVic said:

Hello, I am hoping someone can get me a quick answer. I've locked myself out of the admin account. I set up U2F on the admin. Unbeknownst to me I was not aware that if I use that same key on another user account it will render the admin useless. Now the admin login will not recognize the U2F key. I need to disable the U2F feature on the admin account so that I can get back in. How can I do this?

If you generated your backup codes you can use one of those to get back into your account.

Link to comment
11 minutes ago, Taddeusz said:

If you generated your backup codes you can use one of those to get back into your account.

A little too late for that. Fortunately after trial and error and extensive Googling I found that this command helps disable the U2F auth on the account.

 

docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ twofactorauth:disable "user" u2f

Link to comment
10 minutes ago, BrunoVic said:

A little too late for that. Fortunately after trial and error and extensive Googling I found that this command helps disable the U2F auth on the account.

 

docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ twofactorauth:disable "user" u2f

Once you get back in make sure you generate and save backup codes.

  • Like 1
Link to comment

I'm having an issue with Only Office. I followed spaceinvaderone's video. OnlyOfficeDocumentServer docker is set up. When I go to my "documentserver.mydomain.com" it shows "Document Server is running" with a green checkmark. I installed the Only Office app in Nextcloud and added the "documentserver.mydomain.com" to the Only Office options. It accepts it and saves. I create a document and go inside and I just get a blank screen. No errors (using Firefox).

The only clue I have: using Chrome, I notice I get an error message in the middle of the screen, only if I hover my mouse over it, which says "documentserver.mydomain.com refused to connect". I triple checked my nextcloud settings, my letsencrypt settings, the documentserver subdomain conf file. I've removed and re-added both the docker and the Only Office app. Nextcloud, Let's Encrypt and the DocumentServer docker are on my proxynet network.

Anyone got any ideas?

Edited by Kewjoe
Link to comment
4 hours ago, andreidelait said:

I'm not so sure about this.

I've installed the official docker using the latest tag and onlyoffice works out of the box on that one.

Nextcloud was nice enough to include a binary that is glibc only. Since we use alpine and that is musl based, it will not work in our container. They also don't have any arm versions of the binary either as far as I know.

Link to comment
59 minutes ago, saarg said:

Nextcloud was nice enough to include a binary that is glibc only. Since we use alpine and that is musl based, it will not work in our container. They also don't have any arm versions of the binary either as far as I know.

Thanks for the succinct explanation - somehow I missed that previously.  I take it it's a binary which has no published source code - i.e. completely impossible to fix, or is it just that nobody has compiled it yet - i.e. possible to fix at some point?

 

Thanks.

Link to comment
1 hour ago, saarg said:

Nextcloud was nice enough to include a binary that is glibc only. Since we use alpine and that is musl based, it will not work in our container. They also don't have any arm versions of the binary either as far as I know.

Thank you for making this clear.

I was poking through the files to trace the issue and compare both containers. So I will install the onlyoffice container in this case.

Link to comment

Problem: Internal Server Error When Opening WebUI

 

This problem started a few months ago but it hasn't been a priority to fix because everything still syncs fine to my other computers. 

 

When I open the WebUI I get an Internal Server Error. The error then states "The server was unable to complete your request". I made a video of the problem, shown below. Any thoughts? 

(diagnostics attached)
 

 

tower-diagnostics-20200219-2126.zip

Edited by PeeBee
Link to comment
