Completely nextcloud installation

nemo87 · January 26, 2025, 5:36pm

I completed the migration from owncloud to nextcloud, finally no errors, now when I open the panel: “summary” I get this message:
Security and configuration alerts
It is important for the security and performance of your instance that everything is configured correctly. To help you with this, we are running some automatic checks. See the linked documentation for more information.

There are errors related to your configuration.
An error occurred while checking the server configuration
The “Strict-Transport-Security” HTTP header is not configured with a value of at least “15552000” seconds. To improve security, we recommend enabling HSTS as described in Security Tips .

in owncloud I had already configured the permanent redirect in the file: /etc/apache2/sites-available/000-default.conf

Looking at the article on the error I can’t understand where I should set the redirect, could you give me some advice?

Vincent_Stans · January 26, 2025, 7:16pm

is your 000-default.conf pointing to your Nextcloud installation. and does it contain

                <IfModule mod_headers.c>
                          Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
                </IfModule>

you place this in the config pointing to your NC installation
example

<virtualhost *:443> 
        DocumentRoot /var/www/nextcloud
      	ServerName cloud.example.tld
        ....
        ....

                <IfModule mod_headers.c>
                          Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
                </IfModule>
</virtualhost>

nemo87 · January 26, 2025, 8:01pm

Sorry, this is my file, I can’t find the line you indicated, should I add it?

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port t>
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/nextcloud
    Redirect permanent / https://192.xxx.x.x/

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

Vincent_Stans · January 26, 2025, 8:12pm

Yes you should add it.

if you do not use HTTPS you can add it under

<VirtualHost *:80>

but consider using HTTPS if your cloud is available on the WWW

If you do use HTTPS you can add it under

<VirtualHost *:443>

This is explained in the manual Hardening and security guidance — Nextcloud latest Administration Manual latest documentation

nemo87 · January 26, 2025, 8:44pm

I changed it but I still get the error mentioned at the beginning

<VirtualHost *:443>

Header always set Strict-Transport-Security “max-age15768000; includeSubDomains”

# The ServerName directive sets the request scheme, hostname and port t>
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/nextcloud
    Redirect permanent / https://192.168.1.9/

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

Vincent_Stans · January 27, 2025, 6:08am

You did not placed it under

<IfModule mod_headers.c>

Close it with

</IfModule>

Also the header module must be installed and enabled.

apachectl -M | headers

After the change also reload apache.

a2enmod headers
apache2 -k graceful

nemo87 · January 27, 2025, 8:41am

by setting <VirtualHost *:443> when I go to load the nextcloud page I receive this message: safari cannot open the page because it cannot establish a connection with: 192.168.xx.x…
I then brought it back to <VirtualHost *:80>
with the line you suggested, I still get the error message

<VirtualHost *:80>

Header always set Strict-Transport-Security “max-age=15768000; includeSubDomains”

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/nextcloud
    Redirect permanent / https://192.xxx.x.x/

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

and they are there, I don’t know why they are not displayed here but by going to “edit” they are inserted, they are in the file

bb77 · January 27, 2025, 4:11pm

…which would make absolutely no sense at all.

This is because the HSTS header is designed to instruct browsers to only connect to a website over HTTPS for a certain period of time, ensuring that all communication is encrypted. However, if the response is sent over HTTP, it means the browser has already received an unencrypted version of the page, so the browser would ignore or not apply the HSTS rule correctly in this case.

See here: Strict-Transport-Security - HTTP | MDN

I can agree with that!

@nemo87 If your Nextcloud instance is publicly accessible, you should not only consider HTTPS, but definitely set it up. If it’s just a local (test) instance and you only use unencrypted HTTP connections, you don’t need to issue a HSTS header and can ignore the warning.

bb77 · January 27, 2025, 4:47pm

The redirect directive to HTTPS only makkes sense under <VirtualHost *:80>, as <VirtualHost *:443> is already the HTTPS config and therefore no further redirect is needed there.

Also, it seems that you’re connecting to your Nextcloud via a local IP address only, meaning the HSTS header wouldn’t do anything, as HSTS only works with domain names, not IP addresses.

nemo87 · January 27, 2025, 7:15pm

yes, nexcloud is installed on a local server (I use it exclusively at home) so I leave <VirtualHost *:80> alone,
From what you said, that line would be superfluous, but I still get the error message

bb77 · January 28, 2025, 5:57am

We are talking about two different things here. The redirect to HTTPS and the “Strict-Transport-Security” HTTP header.

The redirect to HTTPS redirects every request on port 80 (HTTP) to port 443 (HTTPS). This also works with IP addresses and self-signed certificates.
The “Strict-Transport-Security” HTTP header instructs the browser that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be upgraded to HTTPS. This doesn’t work with IP addresses, but only with domain names.

So in your case, adding a redirect directive to HTTPS in the virtual host listening on port 80 makes sense if the virtual host listening on port 443 that it redirects to is correctly configured for HTTPS. You’ll get a security warning in the browser because of the self-signed certificates, but the connections will still be encrypted.

The HSTS header on the other hand doesn’t really make sense in your case, as it has no effect on IP addresses. However, you can still add it if the error message in Nextcloud bothers you, or you can just ignore the message

If you want to get ridd of the message you can add the following under <VirtualHost *:443>:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

and make sure the headers module is enabled:

sudo a2enmod headers

Of course, this only affects HTTPS connections, so you need to make sure that HTTPS is properly configured using self-signed certificates, and you also need to make sure that the redirect directive under <VirtualHost *:80> works to ensure that HTTPS is used, even if you don’t explicitly put https:// in front of the IP address when accessing your Nextcloud.

nemo87 · January 28, 2025, 8:21am

I was rereading the steps made during the installation, I noticed that in owncloud, that same line of code is added to the file: .htaccess
I tried to do the same thing and now I no longer get any error messages, So I think I had the wrong file to edit

bb77 · January 28, 2025, 9:25am

Probably. The .htaccess file is processed after the configuration files in /etc/apache2/sites-available respectively sites-enabled, so yes, adding it to the .htaccess file should work in any case.

A possible disadvantage of this is that the .htaccess file may be overwritten during Nextcloud updates. So you may need to make the change again after a Nextcloud update.