Tolete Posted March 22

4 minutes ago, blaine07 said:
> How do I add it or? Reverse proxy or?

all I could find: https://github.com/nextcloud/server/issues/22792

post your "# HTTP response headers borrowed from Nextcloud `.htaccess`" section from your default.conf file.

Masterwishx Posted March 22

9 hours ago, darcon said:
> It's fixed for me with the new docker image

Yes, fixed with latest image

Masterwishx Posted March 22

@Tolete @blaine07 are you using a copy of default.conf.sample in your default.conf? Because I have some old version not equal to default.conf.sample, I can just copy it to default.conf?

blaine07 Posted March 22

10 hours ago, Tolete said:
> post your # HTTP response headers borrowed from Nextcloud `.htaccess` section from your default.conf file.

This:

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

It looks like an update was pushed out by Linuxserver mere hours ago that updates this file again; I wonder what the changes were this time.

EDIT: changes pushed out hours ago turned the Robots tag stuff back to be correct for NC 26, it appears: https://github.com/linuxserver/docker-nextcloud/commit/c1568bac547f6f660849487ed7e443520417a1b7

Edited March 22 by blaine07

Tolete Posted March 22

9 hours ago, Masterwishx said:
> @Tolete @blaine07 are you using a copy of default.conf.sample in your default.conf? Because I have some old version not equal to default.conf.sample, I can just copy it to default.conf?

FYI, this is not related to any NC version updates; this is just for 'server hardening'. These are extra security 'headers' you can add. The scan points out where you can improve. So just add these two missing security headers for the A+.

Double check/add to your default.conf file:

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;

Save.

Double check/add to your .htaccess file:

<IfModule mod_env.c>
  # Add security and privacy related headers

  # Avoid doubled headers by unsetting headers in "onsuccess" table,
  # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
  Header onsuccess unset Referrer-Policy
  Header always set Referrer-Policy "no-referrer"

  Header onsuccess unset X-Content-Type-Options
  Header always set X-Content-Type-Options "nosniff"

  Header onsuccess unset X-Frame-Options
  Header always set X-Frame-Options "SAMEORIGIN"

  Header onsuccess unset X-Permitted-Cross-Domain-Policies
  Header always set X-Permitted-Cross-Domain-Policies "none"

  Header onsuccess unset X-Robots-Tag
  Header always set X-Robots-Tag "noindex, nofollow"

  Header onsuccess unset X-XSS-Protection
  Header always set X-XSS-Protection "1; mode=block"

  SetEnv modHeadersAvailable true
</IfModule>

Save.

I use Cloudflare, so you will need to add it on there also, so Cloudflare > YOURDOMAIN > Rules > Transform Rules > Modify Response Header

Save.

Restart container, then rescan.

Edited March 22 by Tolete

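A way to double check a default.conf against the header list in the post above before rescanning, as an added example that is not part of the original thread or of the linuxserver/Nextcloud projects. The names `EXPECTED`, `audit` and `SAMPLE` are assumptions made for this example, and `SAMPLE` is a constructed config fragment; only double-quoted and bare header values are parsed.

```python
import re

# Baseline: the add_header block posted above for default.conf.
EXPECTED = {
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Robots-Tag": "noindex, nofollow",
    "X-XSS-Protection": "1; mode=block",
}

# add_header <name> <"value" | bare-value> [always];  commented lines do not match
ADD_HEADER = re.compile(
    r'^\s*add_header\s+(\S+)\s+(?:"([^"]*)"|([^\s;]+))\s*(always)?\s*;',
    re.MULTILINE,
)

def audit(conf_text):
    """Return (header, problem) findings, in baseline order, for an nginx config."""
    seen = {}
    for m in ADD_HEADER.finditer(conf_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        seen[m.group(1).lower()] = (value, m.group(4) is not None)
    findings = []
    for name, want in EXPECTED.items():
        if name.lower() not in seen:
            findings.append((name, "missing"))
            continue
        value, always = seen[name.lower()]
        if value != want:
            findings.append((name, f'value is "{value}", baseline is "{want}"'))
        if not always:
            # Without "always", nginx only adds the header to 2xx/3xx responses,
            # so error pages (4xx/5xx) go out without it.
            findings.append((name, "no 'always' flag"))
    return findings

# Constructed sample: an older default.conf fragment, not a file from the thread.
SAMPLE = '''
    add_header Referrer-Policy "no-referrer";
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # add_header X-Download-Options "noopen" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
'''

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```
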
Masterwishx Posted March 22

4 hours ago, Tolete said:
> Save. Restart container, then rescan.

Thanks, I think I have the same headers but without 'always'; also using Cloudflare, so will add headers to it. Do you have the same picture twice? I wanted to know if I can use default.conf.sample instead of my default.conf and will have no problems....

Tolete Posted March 22

3 hours ago, Masterwishx said:
> Thanks, I think I have the same headers but without 'always'; also using Cloudflare, so will add headers to it. Do you have the same picture twice? I wanted to know if I can use default.conf.sample instead of my default.conf and will have no problems....

I did. The default might break something and all you need is the optional security headers. I would just update, add to CF, restart and rescan, you should be golden. lmk

Edited March 22 by Tolete

blaine07 Posted March 22

9 hours ago, Tolete said:
> FYI, this is not related to any NC version updates; this is just for 'server hardening'. These are extra security 'headers' you can add. The scan points out where you can improve. So just add these two missing security headers for the A+.
>
> Double check/add to your default.conf file:
>
> # HTTP response headers borrowed from Nextcloud `.htaccess`
> add_header Referrer-Policy "no-referrer" always;
> add_header X-Content-Type-Options "nosniff" always;
> add_header X-Download-Options "noopen" always;
> add_header X-Frame-Options "SAMEORIGIN" always;
> add_header X-Permitted-Cross-Domain-Policies "none" always;
> add_header X-Robots-Tag "noindex, nofollow" always;
> add_header X-XSS-Protection "1; mode=block" always;
>
> Save.
>
> Double check/add to your .htaccess file:
>
> <IfModule mod_env.c>
>   # Add security and privacy related headers
>
>   # Avoid doubled headers by unsetting headers in "onsuccess" table,
>   # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
>   Header onsuccess unset Referrer-Policy
>   Header always set Referrer-Policy "no-referrer"
>
>   Header onsuccess unset X-Content-Type-Options
>   Header always set X-Content-Type-Options "nosniff"
>
>   Header onsuccess unset X-Frame-Options
>   Header always set X-Frame-Options "SAMEORIGIN"
>
>   Header onsuccess unset X-Permitted-Cross-Domain-Policies
>   Header always set X-Permitted-Cross-Domain-Policies "none"
>
>   Header onsuccess unset X-Robots-Tag
>   Header always set X-Robots-Tag "noindex, nofollow"
>
>   Header onsuccess unset X-XSS-Protection
>   Header always set X-XSS-Protection "1; mode=block"
>
>   SetEnv modHeadersAvailable true
> </IfModule>
>
> Save.
>
> I use Cloudflare, so you will need to add it on there also, so Cloudflare > YOURDOMAIN > Rules > Transform Rules > Modify Response Header
>
> Save.
>
> Restart container, then rescan.

What problems might this cause for other sites I have hosted through this domain with Cloudflare?

Will these be breaking changes to other services I host since I can't define "per subdomain"?

Tolete Posted March 22

21 minutes ago, blaine07 said:
> What problems might this cause for other sites I have hosted through this domain with Cloudflare? Will these be breaking changes to other services I host since I can't define "per subdomain"?

Adding security headers using transform rules in Cloudflare should not cause any direct problems for other sites hosted through the same domain. However, it is important to keep in mind that the security headers will be applied to all traffic to the domain, including traffic to subdomains. This means that if any subdomains have different security policies or settings, those services may be impacted by the new security headers.

I haven't seen any, but do note, the Content Security Policy (CSP) and Permissions Policy headers protect your site, or in this case sites, against a variety of attacks, such as cross-site scripting (XSS), code injection, clickjacking, and unauthorized access to sensitive features and APIs. CSP allows you to specify which sources of content are trusted, while Permissions Policy allows you to control which features and APIs are available to your site. By using these headers, you can improve the security of your site and reduce the risk of data breaches and other security incidents.

You can always add/monitor/test.

blaine07 Posted March 22

52 minutes ago, Tolete said:
> Adding security headers using transform rules in Cloudflare should not cause any direct problems for other sites hosted through the same domain. However, it is important to keep in mind that the security headers will be applied to all traffic to the domain, including traffic to subdomains. This means that if any subdomains have different security policies or settings, those services may be impacted by the new security headers.
>
> I haven't seen any, but do note, the Content Security Policy (CSP) and Permissions Policy headers protect your site, or in this case sites, against a variety of attacks, such as cross-site scripting (XSS), code injection, clickjacking, and unauthorized access to sensitive features and APIs. CSP allows you to specify which sources of content are trusted, while Permissions Policy allows you to control which features and APIs are available to your site. By using these headers, you can improve the security of your site and reduce the risk of data breaches and other security incidents.
>
> You can always add/monitor/test.

Thank you! Still curious as to if Nextcloud themselves can get it built in/working, too, though.

Some more info - looks like it's been in the works for a long time. https://github.com/nextcloud/server/pull/23825

flyize Posted March 24

I'm running this container from the standard repo:

lscr.io/linuxserver/nextcloud

Yet it's not updating. I'm still on the version I started with, 25.0.3. What am I missing here?

edit: WTF, that's not even a valid URL. I installed from the Apps page.

Edited March 24 by flyize

JonathanM Posted March 24

16 minutes ago, flyize said:
> Yet it's not updating. I'm still on the version I started with, 25.0.3. What am I missing here?

Did you read the first post in this thread?

flyize Posted March 24

Just now, JonathanM said:
> Did you read the first post in this thread?

Clearly I did not. 🤣 I just followed SI1's video and went about my business. Obviously the wrong way to do it. Thank you.

JonathanM Posted March 24

6 minutes ago, flyize said:
> Clearly I did not. 🤣

Yeah, it's a common thing. I'd guess perhaps 25% of the posts in this thread are asking about updates, mostly when the base container is updated to the point the app no longer runs because it's never been updated.

Think of containers like miniature VMs: they contain parts of the OS and support structures as well as the app itself. This specific container doesn't force update the app, just the base OS and supporting files. It's up to you to keep the app up to date. Many containers also update their main app, but NC was deemed too fragile or something; it requires a significant amount of handholding for some updates.

Archonw Posted March 25

I also updated to 26. Now I got a message that I still use PHP 7.4.33 and should upgrade. Does anyone else have that?

Sent from my Pixel 6 Pro using Tapatalk

blaine07 Posted March 25

2 hours ago, Archonw said:
> I also updated to 26. Now I got a message that I still use PHP 7.4.33 and should upgrade. Does anyone else have that?
>
> Sent from my Pixel 6 Pro using Tapatalk

What version of Unraid are you on?

Archonw Posted March 25

I'm on 6.11.5

Sent from my Pixel 6 Pro using Tapatalk

blaine07 Posted March 25

3 minutes ago, Archonw said:
> I'm on 6.11.5
>
> Sent from my Pixel 6 Pro using Tapatalk

Unraid 6.11.4 uses PHP 7.4.33. To upgrade PHP you’ll need to figure out how/if you want to/can upgrade Unraid itself to get a newer PHP.

Kilrah Posted March 25

This is unrelated, it's PHP in the container that's the problem; seems you're forcing an old version of the container. Update it.

What's on the Repository line in your container template?

Archonw Posted March 25

lscr.io/linuxserver/nextcloud

So it should be latest, right? And the WebUI says it's up to date.

I did a recreate via Portainer. Now the message has gone.

Thanks for your time.

Edited March 25 by Archonw

PassTheSalt Posted March 27

On 12/9/2022 at 10:00 AM, tazire said:
> Currently trying to upgrade from 25.0.1 to 25.0.2 via CLI and got the following error
>
> docker exec -it nextcloud occ upgrade
> Nextcloud or one of the apps require upgrade - only a limited number of commands are available
> You may use your browser or the occ upgrade command to do the upgrade
> Cannot write into "config" directory.
> This can usually be fixed by giving the web server write access to the config directory. See https://docs.nextcloud.com/server/25/go.php?to=admin-dir_permissions. Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it. See https://docs.nextcloud.com/server/25/go.php?to=admin-config
> Cannot write into "apps" directory.
> This can usually be fixed by giving the web server write access to the apps directory or disabling the App Store in the config file.
> An unhandled exception has been thrown:
> Exception: Environment not properly prepared. in /config/www/nextcloud/lib/private/Console/Application.php:166
> Stack trace:
> #0 /config/www/nextcloud/console.php(99): OC\Console\Application->loadCommands()
> #1 /config/www/nextcloud/occ(11): require_once('...')
>
> I'm guessing I need to change permissions on the config and apps files as stated? Or should I set it to read only?

Did you ever get this working? I'm having a very similar issue

blaine07 Posted March 27

1 minute ago, PassTheSalt said:
> Did you ever get this working? I'm having a very similar issue

Look at who owns the config folder, and who had owned and what the rights were of the old one. Last few times I’ve upgraded Nextcloud I’ve had to change owner and permissions back to “what they were”. I could look at mine later and tell you if needed. Nevertheless, same thing. Upgrade would fail because when following manual upgrade instructions the new folder permissions and owner weren’t correct.

blaine07 Posted March 27

2 minutes ago, blaine07 said:
> Look at who owns the config folder, and who had owned and what the rights were of the old one. Last few times I’ve upgraded Nextcloud I’ve had to change owner and permissions back to “what they were”. I could look at mine later and tell you if needed. Nevertheless, same thing. Upgrade would fail because when following manual upgrade instructions the new folder permissions and owner weren’t correct.

When manually upgrading this is when I’ve had to fix owner and permissions in the process:

tazire Posted March 28

19 hours ago, PassTheSalt said:
> Did you ever get this working? I'm having a very similar issue

As blaine07 already said, it's an owner/permissions issue. Resetting these to nobody and rw permissions solved my issue. Although I've had to do this every time I update since first having the issue, which isn't ideal.

blaine07 Posted March 28

43 minutes ago, tazire said:
> As blaine07 already said, it's an owner/permissions issue. Resetting these to nobody and rw permissions solved my issue. Although I've had to do this every time I update since first having the issue, which isn't ideal.

Yes, I have had to do this the last several updates too. Not quite sure why but it's kind of a nuisance.