Nextcloud - security and setup warnings

  • after updating from OMV4 to OMV5, I didn't change my folder paths in my dockers from sharedfolders to absolute paths. With a lot of help from the forums here I was able to get all my containers back up and running, but I made the mistake of pulling a new image when I updated the folder paths in the nextcloud container, which led to a bunch of errors


    to start I had to update nextcloud from v15 to v20, one by one (fixed)


    then I had multiple indices, primary keys, and columns missing (fixed)


    I had to convert file cache as well (fixed)


    I was able to get all of those repaired / warnings removed, but I still have 3 warnings left that I haven't been able to solve: (Nextcloud | settings | overview)

    Code
    There are some warnings regarding your setup.
    
    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
    
    The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

    I can't seem to find an answer that solves any of these warnings


    Nextcloud Log:


    Letsencrypt Log

    from what I have read, the lua errors in the letsencrypt log are not a concern, but I'm still new to docker and letsencrypt


    While editing the log to remove personal information I noticed that it does say that letsencrypt is deprecated, can I use portainer and "recreate" the image and have it pull linuxserver/swag image instead?


    should I pull the new image first or solve the warnings first, if they are unrelated?


    side note I'm also using letsencrypt with OMBI

    • Official post

    Nextcloud Strict Transport Security


    If you get a warning in Nextcloud regarding "Strict Transport-Security" do the following:

    in "yourconfigfolder/swag/nginx" open ssl.conf and remove the "#" in front of

    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;


    Then docker restart Letsencrypt


    Is your container built in Containers, Stacks, or in command line using docker-compose?


    I would fix my problems first and switch out to swag later.


    I don’t think I’ve ever encountered the first two problems. I’ll see what I can find and get back with you.

    System Backup Typo alert: Under the Linux section the command should be sudo umount /dev/sda1 NOT sudo unmount /dev/sda1

    Backup Data Disk to Backup Disk on Same Machine: In a Scheduled Job:rsync -av --delete /srv/dev-disk-by-uuid-f8814ed9-9a5c-4e1c-8830-426968c20ea3/ /srv/dev-disk-by-uuid-e67439d5-00a3-4942-bd5f-b84ab86aa850/ Don't forget trailing slashes, and BE CAREFUL. (HT: Getting Started with OMV5)

    Equipment - Thinkserver TS140, NanoPi M4 (v.1), Odroid XU4 (Using DietPi): PiHole

    Edited once, last by Agricola ()

  • thanks for the reply. I just took a look at my /config folders for nextcloud and letsencrypt; neither one of them has a swag folder.


    looking in my letsencrypt /config I found an ssl.conf file under /config/nginx/ssl.conf 


    it does contain

    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;


    I tried docker restart swag but got an error:

    Error response from daemon: No such container: swag


    should I use

    docker restart nginx

  • I created them with OMV4 GUI so I think that is considered containers


    I restarted letsencrypt and that removed one of the errors... Thank you


    looking at the ssl.conf file I saw this at the bottom

    Code
    # Optional additional headers
    #add_header Content-Security-Policy "upgrade-insecure-requests";
    #add_header X-Frame-Options "SAMEORIGIN" always;
    #add_header X-XSS-Protection "1; mode=block" always;
    #add_header X-Content-Type-Options "nosniff" always;
    #add_header X-UA-Compatible "IE=Edge" always;
    #add_header Cache-Control "no-transform" always;
    #add_header Referrer-Policy "same-origin" always;

    If I un-comment #add_header X-Frame-Options "SAMEORIGIN" always; do you think that will remove the second error?

    Quote


    The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

    • Official post

    Last question: yes. If it doesn’t work just add the hash back.


    I’m sorry I didn’t check my text before I pasted it from some of my saved notes. Everywhere you see swag just change it to letsencrypt.


    On another note, since you are on OMV4 you might consider moving up to OMV5. That would be a good time to switch to swag in your container.

  • sorry for the confusion, I'm already on OMV5 but I created the letsencrypt and nextcloud containers when I was using OMV4


    I un-commented (removed #) from #add_header X-Frame-Options "SAMEORIGIN" always;


    Then docker restart Letsencrypt


    that removed the second error,


    I spent a lot of time trying to figure out the last error (first one on the list) but didn't have any luck. Most content I found on it dealt with people using a subfolder (******.duckdns.org/nextcloud); none of those pointed me in the right direction


    Thank you
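    A quick way to confirm that the two ssl.conf changes from this thread (the Strict-Transport-Security line and the X-Frame-Options line) actually reach the browser, as an added example that is not part of any post above. The two header dumps are constructed samples shaped like `curl -sI https://your.host/` output, not captures from a real server; the 15552000 threshold is the one quoted in the Nextcloud warning.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate response headers the way the
# Nextcloud overview check does. Both dumps below are constructed samples.
GOOD_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
content-type: text/html; charset=UTF-8'

BAD_HEADERS='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8'

# Minimum max-age accepted by the Nextcloud overview check (from the warning text).
NC_MIN_HSTS=15552000

# Print the max-age of the Strict-Transport-Security header read from stdin, 0 if absent.
hsts_max_age() {
    age=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    echo "${age:-0}"
}

# Print the X-Frame-Options value read from stdin (upper-cased), empty if absent.
x_frame_options() {
    tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr '[:lower:]' '[:upper:]'
}

# Evaluate one header dump; returns 0 when both Nextcloud checks would pass, 1 otherwise.
check_security_headers() {
    dump=$1
    ok=0
    age=$(printf '%s\n' "$dump" | hsts_max_age)
    if [ "$age" -lt "$NC_MIN_HSTS" ]; then
        echo "FAIL: HSTS max-age=$age is below $NC_MIN_HSTS (uncomment add_header Strict-Transport-Security in ssl.conf)"
        ok=1
    fi
    xfo=$(printf '%s\n' "$dump" | x_frame_options)
    if [ "$xfo" != "SAMEORIGIN" ]; then
        echo "FAIL: X-Frame-Options is '${xfo:-unset}', expected SAMEORIGIN (uncomment add_header X-Frame-Options in ssl.conf)"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: both headers pass Nextcloud's checks"
    return "$ok"
}

check_security_headers "$GOOD_HEADERS"
check_security_headers "$BAD_HEADERS" || true
# Against a live host: check_security_headers "$(curl -sI https://your.host/)"
```

    Run it after `docker restart letsencrypt`; if the headers are missing from the live dump, the container is still serving the old ssl.conf.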

  • Hi everyone,


    I am receiving the following security issues with my installation:

    ---------------------------------------------------------------------------------------

    There are some warnings regarding your setup.

    • The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
    • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
    • The database is missing some primary keys. Due to the fact that adding primary keys on big tables could take some time they were not added automatically. By running "occ db:add-missing-primary-keys" those missing primary keys could be added manually while the instance keeps running.
      • Missing primary key on table "oc_federated_reshares".
      • Missing primary key on table "oc_systemtag_object_mapping".
      • Missing primary key on table "oc_comments_read_markers".
      • Missing primary key on table "oc_collres_resources".
      • Missing primary key on table "oc_collres_accesscache".
      • Missing primary key on table "oc_filecache_extended".

    --------------------------------------------------------------------------------------------


    I followed the installation video of TechnoDadLife on YouTube.


    Do you have any ideas how I can fix them?


    Where do I run the command: "occ db:add-missing-primary-keys"??

    • Official post

    Quote

    Where do I run the command: "occ db:add-missing-primary-keys"??

    Inside the container. If you are using Portainer you can open a terminal with an icon which is next to the name of the container.


    Command: RE: Nextcloud with Letsencrypt using OMV and docker-compose - Q&A


    • Official post

    Quote

    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

    I answered this in the second post of this thread. Depending on whether you have deployed letsencrypt or swag, change the references to letsencrypt (or swag) appropriately.

  • I did some more digging and testing on the last error I had left:


    Code
    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.


    I found this nextcloud github issue and they recommend adding


    Code
    'trusted_proxies' =>
      array (
        0 => 'x.x.x.x',
      ),

    to the nextcloud config file (/config/www/nextcloud/config.php)


    Example of how it looks


    now my security and setup warnings say "All checks passed"



    Thank you guys for all your help

    • Official post

    Thanks. You filled in the last missing solution. Good job.

    • Official post

    I don't think I've seen this one mentioned (never got this error before)... it might not be self-explanatory to many who are reading this...


    Quote


    The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running "occ db:add-missing-indices" those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.


    Missing index "cards_abiduri" in table "oc_cards".


    bash into your nextcloud container


    docker exec -it nextcloud bash

    occ db:add-missing-indices


    Let it run. When it's done, type exit.


    Restart your nextcloud container (docker restart nextcloud)

  • Quote

    Inside the container. If you are using Portainer you can open a terminal with an icon which is next to the name of the container.

    Command: RE: Nextcloud with Letsencrypt using OMV and docker-compose - Q&A



    Thank you, but I receive the following error: bash: occ: command not found. I just copy-pasted the command; is my syntax wrong or do I have to do something beforehand? Maybe I should update/upgrade through sudo apt first?

  • Here are the commands I used to fix my errors:


    1.) open ssh


    2.) login as root


    3.) start maintenance mode


    4.) execute the command you need (below)


    5.) stop maintenance mode


    6.) restart nextcloud


    start maintenance mode:

    docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ maintenance:mode --on


    Update Indices:

    docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ db:add-missing-indices


    Update Primary Keys:

    docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ db:add-missing-primary-keys


    Update Columns:

    docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ db:add-missing-columns


    Convert Filecache-bigint

    docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ db:convert-filecache-bigint


    Stop maintenance mode:

    docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ maintenance:mode --off


    Restart nextcloud

    docker restart nextcloud
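    The six steps above as one script, added here as an example and not taken from any post in the thread: it enables maintenance mode, runs the four occ repairs in the order given, and uses an EXIT trap so that maintenance mode is switched off and the container restarted even when one repair fails (otherwise a failed step leaves the instance locked). It assumes the layout used in the post (container named nextcloud, occ at /config/www/nextcloud/occ, run as user abc); `--no-interaction` is the standard occ/Symfony flag that skips confirmation prompts such as the one from db:convert-filecache-bigint.

```shell
#!/bin/sh
# Added example, not from the thread: the six-step sequence above as one script that
# always leaves maintenance mode and restarts, even if a repair step fails.
# Assumes the layout used in the post: container "nextcloud", occ at
# /config/www/nextcloud/occ run as user abc. DRY_RUN=1 only prints the commands.
CONTAINER=${CONTAINER:-nextcloud}
OCC="sudo -u abc php /config/www/nextcloud/occ"

# Repairs in the order the post runs them; all are safe to re-run.
repair_steps() {
    printf '%s\n' db:add-missing-indices db:add-missing-primary-keys \
                  db:add-missing-columns db:convert-filecache-bigint
}

# The docker command line for one occ call (-i without -t: scripts have no tty;
# --no-interaction skips occ's confirmation prompts).
occ_cmd() {
    printf 'docker exec -i %s %s %s --no-interaction\n' "$CONTAINER" "$OCC" "$*"
}

run_occ() {
    if [ "${DRY_RUN:-0}" = 1 ]; then occ_cmd "$@"; return 0; fi
    # $OCC is intentionally word-split into sudo, -u, abc, php, occ.
    # shellcheck disable=SC2086
    docker exec -i "$CONTAINER" $OCC "$@" --no-interaction
}

restart_container() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "docker restart $CONTAINER"; return 0; fi
    docker restart "$CONTAINER"
}

# Runs on EXIT once maintenance mode is on, so a failed step never leaves it stuck on.
leave_maintenance() {
    run_occ maintenance:mode --off
    restart_container
}

run_repairs() {
    run_occ maintenance:mode --on || return 1
    trap leave_maintenance EXIT
    for step in $(repair_steps); do
        run_occ "$step" || { echo "occ $step failed, aborting" >&2; return 1; }
    done
    echo "All repairs done; re-check Settings > Overview after the restart."
}

# Sourcing the file only defines the functions; run it with --run to act.
if [ "${1:-}" = "--run" ]; then run_repairs; fi
```

    Try `DRY_RUN=1 sh repair.sh --run` first to see the exact docker commands it would issue before letting it touch the container.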
