Disable Web Installation Wizard

Nextcloud version: 24.0.2
Operating system and version: Ubuntu 20.04.4
Apache version: 2.4.41
PHP version: 7.4.3

The issue you are facing: I’ve successfully been running NC since version 19. I was looking at my logs and noticed some trusted domain errors from unknown IP addresses directly to my IP (not domain name). When I open my web browser and enter my domain, I am taken to the login page for my installation. When I enter my IP address, I am taken to the web installation wizard.

Possibly I am remembering this incorrectly, but I thought there was a way to disable the web installation wizard to prevent any nefarious activities from unwanted parties. I’ve searched through the official docs, done many web searches, and searched this forum and seemingly found nothing about how to do this. Maybe I’m using the incorrect search terms, but this seems like a security risk.

Is this the first time you’ve seen this error?: Yes

If anyone has recommendations for how to disable the installation wizard, it would be appreciated.

Edit:
@just My apologies. Please see below.

Nextcloud Config File:

<?php
$CONFIG = array (
  'instanceid' => 'my_instance_ID',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'passwordsalt' => 'my_very_long_password_salt',
  'secret' => 'my_much_longer_password_secret',
  'trusted_domains' =>
  array (
    0 => 'nc.mydomain.co',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '24.0.2.1',
  'overwrite.cli.url' => 'https://nc.mydomain.co',
  'dbname' => 'mydbname',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'mydbusername',
  'dbpassword' => 'mydbpassword',
  'installed' => true,
  'default_phone_region' => 'US',
  'maintenance' => false,
  'updater.secret' => 'my_super_long_updater_secret_that_you_don_t_know',
  'theme' => '',
  'loglevel' => 2,
);

Apache Error Log 1:

[Fri Jun 24 00:00:04.449408 2022] [mpm_prefork:notice] [pid 1888] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f con>
[Fri Jun 24 00:00:04.449513 2022] [core:notice] [pid 1888] AH00094: Command line: '/usr/sbin/apache2'

Apache Error Log 2:

[Thu Jun 23 00:00:02.164563 2022] [mpm_prefork:notice] [pid 872] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f conf>
[Thu Jun 23 00:00:02.164608 2022] [core:notice] [pid 872] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 23 01:15:35.215935 2022] [proxy_fcgi:error] [pid 4891] (70007)The timeout specified has expired: [client 71>
[Thu Jun 23 01:30:35.668753 2022] [proxy_fcgi:error] [pid 4370] (70007)The timeout specified has expired: [client 71>
[Thu Jun 23 01:34:25.558682 2022] [mpm_prefork:notice] [pid 872] AH00169: caught SIGTERM, shutting down
[Thu Jun 23 01:34:41.913461 2022] [mpm_prefork:notice] [pid 876] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f conf>
[Thu Jun 23 01:34:41.977509 2022] [core:notice] [pid 876] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 23 04:53:30.141316 2022] [core:error] [pid 1442] [client 185.7.214.104:39938] AH00126: Invalid URI in reque>
[Thu Jun 23 09:09:28.981131 2022] [proxy_fcgi:error] [pid 1442] [client 120.92.147.164:21774] AH01071: Got error 'Pr>
[Thu Jun 23 09:09:29.449273 2022] [proxy_fcgi:error] [pid 1908] [client 120.92.147.164:24656] AH01071: Got error 'Pr>
[Thu Jun 23 19:26:05.040200 2022] [proxy_fcgi:error] [pid 1544] [client 185.7.214.104:56140] AH01071: Got error 'Pri>

Nextcloud Error Log:
The existing error logs are unrelated to this issue. The only error logs I have relate to apps that I was testing on my instance.

Nextcloud Warning Log (there are no failures):
There are several dozen just like the following, from different IP addresses all to access my IP as host.

[core] Warning: Trusted domain error. "20.XXX.XXX.XX3" tried to access using "XX.XX.XX.XX" as host.

POST /
from 20.XXX.XXX.XX3 at 2022-06-24T00:11:11+00:00

Have you tried using an actual domain or dynamic dns service (duckdns) behind https?

Why are you exposing your ip address?

try

and also read through all given links to other issues.

pls relink the solution as an answer here.

As I use a reverse proxy, I must confess I have never seen this, as the IP address associated with my NC on DNS is the HAProxy and not the NC instance. I run several sites and services behind that HAProxy, so if anything hits the HAProxy with no domain name in the header, HAProxy will show a 404. But thank you for discovering this, as it defaults to a vulnerability, as the update page can either break your installation or leak enumeration information (or be used to gather enumeration info). I would solve this in Apache config, by redirecting raw port 80 and 443 with no domain name to the base url of your nc. E.g.: mycloud.mydom.dom.
The above is completely untested however and I have no idea if this will mess with the OCC CLI commands, or the updater.phar, or if those use the localhost and not the host IP.

I was unaware that it was exposed. Yes, I have always been using a domain and my NC install is on a subdomain (as recommended). My server has a static IP, so I was not using a dynamic DNS service. I have (what I thought) were the appropriate DNS settings through my host.

Thanks. I did read that (and all associated issues) before posting here. That seems different than what I am inquiring about (but maybe I misunderstand?). I am referring to the installation wizard for an admin account and completion of the installation. Please see image below if you are unsure what I refer to.

I am happy to do so, once I figure out what the solution is. :grin:

Thank you. This is part of what concerned me.

I understand. But this is a good idea, thank you. I will experiment to see if this might work.

Edit: I would also add that I checked my config file for trusted domains and it is set correctly to a single domain. And it only shows up on HTTP. HTTPS redirects to a 404 - which I believe is what should be happening.

I tried both a redirect and a rewrite. Neither of them had any effect.

Still searching…

Hi @tenkara,
You are missing the required support template. Please fill this form out and edit into your post.

This will give us the technical info and logs needed to help you! Thanks.

@just My apologies. Please see my edited original post.

Make two vhosts. The first is your NC installation which only listens to port 80 domain name = your exact domain, and the other is: 80:0.0.0.0, which points to an empty folder, or an index.html with “Sorry, no site here”. It should hit the latter for anything else NOT requesting the specific host name.

You probably need to look in your default Apache configuration files to ensure you are not overwriting the above.

I have tried this too, but no effect.

After many hours of searching, I spent quite a lot of time rereading through the official documentation for NC as well as looking at a number of other sites that provide their own interpretation of installation. I was almost to the point of experimenting with creating a new install of NC to see what happens.

Although I could not find anything in the official documentation that clearly states this, it seems that the web installation wizard is either automatically disabled or deleted after installation has completed successfully. Given that I’ve been using this for awhile, I assumed that should then be the case for me. If not, it leads to some concerns as @Kerasit references in a reply above.

Upon further reading, some unofficial sources suggest that NC be installed in the /var/www/html directory. The point of this is not to judge right or wrong of that suggestion, rather it got me curious to look in that directory. In doing so, I discovered that I had unpacked an older version of NC in that directory, but had never proceeded with the installation process. Thereby it was exposed on my IP, but not domain. All I can think of is that I was much less experienced at this when I installed NC the first time and after using the official docs, I must have forgotten to remove the files from that directory.

To be clear, deleting the /var/www/html/nextcloud directory solved my problem and entering my IP (instead of my domain) now leads to a 404 not found. Where entering my domain, it takes me to my login page.

Thanks for the suggestions everyone. The one thing this did help me learn a lot more about was better use of vhosts. I understand them much better now.
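
A check for the situation described in the solution above, as an added example that is not part of the original thread: it walks a web root and reports any unpacked Nextcloud tree whose `config/config.php` is missing or lacks `'installed' => true`, which is the state in which the web installation wizard is served. The function names and the sample directory layout are constructed for illustration; on the server in this thread the directory to scan would be `/var/www`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find Nextcloud trees whose setup never finished.
# A tree is recognised by version.php and occ at its top level; setup counts as finished
# when config/config.php holds 'installed' => true, as in the config posted above.

find_unfinished_nextcloud() {
    local root="$1" vfile dir cfg
    # maxdepth 3 reaches <root>/html/nextcloud/version.php when root is /var/www
    find "$root" -maxdepth 3 -type f -name version.php 2>/dev/null | sort |
    while IFS= read -r vfile; do
        dir=$(dirname "$vfile")
        [ -f "$dir/occ" ] || continue            # not a Nextcloud tree
        cfg="$dir/config/config.php"
        if [ ! -f "$cfg" ]; then
            echo "UNFINISHED $dir (no config.php)"
        elif ! grep -Eq "'installed'[[:space:]]*=>[[:space:]]*true" "$cfg"; then
            echo "UNFINISHED $dir (installed flag not true)"
        fi
    done
}

# Constructed sample layout: one finished install and one forgotten unpacked copy.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/html/nextcloud" "$t/nextcloud/config"
    touch "$t/html/nextcloud/version.php" "$t/html/nextcloud/occ"
    touch "$t/nextcloud/version.php" "$t/nextcloud/occ"
    printf "<?php\n\$CONFIG = array (\n  'installed' => true,\n);\n" \
        > "$t/nextcloud/config/config.php"
    echo "$t"
}

# Scan the directory given as $1, or the constructed sample when run without arguments.
if [ -n "${1:-}" ]; then
    find_unfinished_nextcloud "$1"
else
    sample=$(make_sample_tree)
    find_unfinished_nextcloud "$sample"
    rm -rf "$sample"
fi
```

Any path it reports should either be removed or kept out of every document root that a default vhost can serve.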