Error in the setup checks

Nextcloud version 29.01
Operating system and version: Ubuntu Server 22.04.5
Apache version:
PHP version: 8.3.7

The issue you are facing: I’ve migrated my previous Nextcloud instance to new hosts, but the new instance is displaying numerous errors that did not appear on the previous system. The configuration is the same; nothing changed.

sudo -u www-data php /var/www/nextcloud/occ setupchecks

	dav:
		✓ DAV system address book: No outstanding DAV system address book sync.
	network:
		✗ WebDAV endpoint: Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.
To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
		✓ Data directory protected
		✓ Internet connectivity
		⚠ JavaScript source map support: Your webserver is not set up to serve `.js.map` files. Without these files, JavaScript Source Maps won't function properly, making it more challenging to troubleshoot and debug any issues that may arise.
		⚠ JavaScript modules support: Could not check for JavaScript support via any of your `trusted_domains` nor `overwrite.cli.url`. This may be the result of a server-side DNS mismatch or outbound firewall rule. Please check manually if your webserver serves `.mjs` files using the JavaScript MIME type.
To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
		⚠ OCS provider resolving: Your web server is not properly set up to resolve "/ocm-provider/", "/ocs-provider/".
This is most likely related to a web server configuration that was not updated to deliver this folder directly.
Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx.
On Nginx those are typically the lines starting with "location ~" that need an update.
		⚠ .well-known URLs: Your web server is not properly set up to resolve `.well-known` URLs, failed on:
`/.well-known/webfinger`
		ℹ WOFF2 file loading: Could not check for WOFF2 loading support. Please check manually if your webserver serves `.woff2` files.
To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
	system:
		✓ Errors in the log: No errors in the logs since May 15, 2024, 10:29:36 PM
		ℹ Brute-force Throttle: Your remote address could not be determined.
		✓ Cron errors: The last cron job ran without errors.
		✓ Cron last run: Last background job execution ran 4 minutes ago.
		✓ Debug mode: Debug mode is disabled.
		✓ File locking
		✓ Maintenance window start: Maintenance window to execute heavy background jobs is between 1:00 UTC and 7:00 UTC
		✓ Memcache: Configured
		✓ Architecture: 64-bit
		✓ Temporary space available: Temporary directory is correctly configured:
- 35.0 GiB available in /tmp (PHP temporary directory)
		✓ Push service: Free push service
	notifications:
		✓ Push notifications - Fair use policy
	passwords:
		✓ Checking if the server runs background tasks with the same PHP version.: Background jobs are executed with the same PHP version.
		✓ Checking if the server runs background jobs with cron.: Background jobs are executed with cron.
	security:
		✓ App directories owner: App directories have the correct owner "www-data"
		✓ Old administration imported certificates
		✓ Code integrity: No altered files
		ℹ Forwarded for headers: Your remote address could not be determined.
		⚠ HTTPS access and URLs: You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly.
		✓ Old server-side-encryption: Disabled
		✓ PHP version: You are currently running PHP 8.3.7.
		✓ Random generator: Secure
		⚠ HTTP headers: Some headers are not set correctly on your instance
- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Frame-Options` HTTP header is not set to `sameorigin`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Permitted-Cross-Domain-Policies` HTTP header is not set to `none`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the W3C Recommendation.
- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.

	database:
		✓ Database missing columns: None
		✓ Database missing indices: None
		✓ Database missing primary keys: None
		✓ Database pending bigint migrations: None
		✓ MySQL Unicode support: MySQL is used as database and does support 4-byte characters
		✓ Database version: 10.6.16-MariaDB-0ubuntu0.22.04.1
		✓ Database transaction isolation level: Read committed
	config:
		✓ Default phone region: en
		✓ Email test: Email test was successfully sent
		✓ Overwrite CLI URL: The "overwrite.cli.url" option in your config.php is set to "http://network_machine_IP/nextcloud" which is a correct URL. Suggested URL is "http://localhost".
		✓ Configuration file access rights: Nextcloud configuration file is writable
	php:
		✓ PHP default charset: UTF-8
		✓ PHP set_time_limit: The function is available.
		✓ Freetype: Supported
		✓ PHP getenv
		✓ PHP memory limit: ?
		✓ PHP modules
		✓ PHP opcache: Correctly configured
		✓ PHP "output_buffering" option: Disabled
		✓ PHP Imagick module

nextcloud/config.php

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'xxxxx',
  'passwordsalt' => 'xxxxxxx',
  'secret' => 'xxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => '127.0.0.1',
    1 => 'localhost',
  ),
  'datadirectory' => '/data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'version' => '29.0.0.19',
  'dbname' => 'nextcloud',
  'dbhost' => 'IP',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'default_phone_region' => 'PT',
  'maintenance' => true,
  'theme' => '',
  'loglevel' => 0,
  'filelocking.enabled' => true,
  'overwriteprotocol' => 'https',
  'preview_max_memory' => '1280',
  'overwritehost' => 'nextcloud.example.com',
  'overwritecondaddr' => '^network_GW$',
  'maintenance_window_start' => 1,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcache.locking' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => '127.0.0.1',
      1 => 11211,
    ),
  ),
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'xxxxxxx',
  'mail_sendmailmode' => 'smtp',
  'updater.release.channel' => 'stable',
  'app_install_overwrite' => 
  array (
    0 => 'social',
    1 => 'documents',
    2 => 'dropit',
    3 => 'files_clipboard',
    4 => 'uploaddetails',
    5 => 'impersonate',
    6 => 'files_downloadactivity',
    7 => 'tencentcloudcosconfig',
  ),
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'mysql.utf8mb4' => true,
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'nextcloud@example.com',
  'mail_smtppassword' => 'xxxxxxxxxx',
);

nextcloud/.htaccess

# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^ocm-provider/(.*)$ /path/to/ocm-provider/$1 [L]
    RewriteRule ^ocs-provider/(.*)$ /path/to/ocs-provider/$1 [L]
</IfModule>


# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

virtual hosts File.

<VirtualHost *:443>
    ServerName nextcloud.example.com
    ServerAlias nextcloud.example.com
    DocumentRoot /var/www/nextcloud/
    ErrorLog /var/log/apache/example.com/error.log

    # RewriteMap directive
    RewriteMap lowercase int:tolower

    # Add MIME type for .mjs files
    AddType application/javascript .mjs

    # Redirect rule for "/nextcloud"
    Redirect "/nextcloud" "https://nextcloud.example.com"

    # Security headers
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Robots-Tag "noindex, nofollow"
        Header always set X-Frame-Options "sameorigin"
        Header always set X-Permitted-Cross-Domain-Policies "none"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Referrer-Policy "no-referrer"
    </IfModule>

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{SERVER_NAME} =nextcloud.example.com
            RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
        </IfModule>
    </Directory>

    <Location /remote.php/webdav>
        Dav On
        AuthType Basic
        AuthName "WebDAV"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
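
The values that the `HTTP headers` warning in the output above asks for can be checked against any response head with a few lines of Python. This is an added example, not part of the original post and not Nextcloud's own code; the function names, the whitespace normalisation and both sample responses are assumptions made for the illustration.

```python
import re

# Expected values, copied from the "HTTP headers" warning in the output above.
EXACT = {
    "x-content-type-options": "nosniff",
    "x-robots-tag": "noindex,nofollow",
    "x-frame-options": "sameorigin",
    "x-permitted-cross-domain-policies": "none",
}
REFERRER_OK = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
               "strict-origin-when-cross-origin", "same-origin"}
HSTS_MIN_AGE = 15552000

def parse_response_head(text):
    """Turn a raw response head (status line plus headers) into a dict."""
    headers = {}
    for line in text.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            # Assumption of this example: compare case-insensitively and
            # ignore whitespace after commas ("noindex, nofollow").
            headers[name.strip().lower()] = re.sub(r",\s+", ",", value.strip().lower())
    return headers

def failed_headers(text):
    """Return the names of the headers that miss the expected values."""
    h = parse_response_head(text)
    failed = [name for name, want in EXACT.items() if h.get(name) != want]
    if "1; mode=block" not in h.get("x-xss-protection", ""):
        failed.append("x-xss-protection")
    if not set(h.get("referrer-policy", "").split(",")) & REFERRER_OK:
        failed.append("referrer-policy")
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        failed.append("strict-transport-security")
    return failed

# Constructed responses: one with the values from the :443 VirtualHost above,
# one that carries only a short-lived HSTS header.
ALL_SET = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex, nofollow
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
"""
HSTS_ONLY = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=3600\n"

if __name__ == "__main__":
    print(failed_headers(ALL_SET), failed_headers(HSTS_ONLY))
```

Feed it the response head as seen from the Nextcloud host itself (for example the output of `curl -sI` against the URL in `overwrite.cli.url`), because the checks connect from the server to one of the `trusted_domains` or `overwrite.cli.url`.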

Was the previous Nextcloud environment running v29?

> The configuration is the same nothing changed.

Well, the host and hosting environment itself changing qualifies as a config change since Nextcloud is heavily coupled to the web server and PHP configuration and proxy setup (and local DNS and firewalling, and so on). :slight_smile:

The setup checks in v29 run server-side now. Most of your errors are going to be dependent on all the domains listed in trusted_domains and overwrite.cli.url resolving consistently and being accessible from your server itself.

That also includes making sure that if you’re using HTTPS (which your VirtualHost config is) that your Nextcloud config matches that. It’s unclear whether you have HTTP to HTTPS redirects anywhere in your new environment (which is fine), but your Nextcloud config is specifically only set to http://localhost at the moment it looks like.

Hello @jtr,

I followed the procedure that is in Nextcloud KB.
https://docs.nextcloud.com/server/latest/admin_manual/maintenance/migrating.html

Yes that is true, that was stupid of me saying that there were no changes.
There was no proxy before, it was a direct connection to the public IP.
At the moment, between the haProxy and Apache there is no certificate configuration, but I’m only accepting the 443.
Should that be changed to port 80?

Between the internet and the haProxy all communications are SSL.
Inside the LAN communications are not SSL, but very limited in terms of port connections.
Although, all the connections need authentication.

I’ve tried changing the trusted_domains and overwrite.cli.url to the hostname but no luck either.

I know that config.php in v29 is very different from the one I have, but the config file shown is from v18 I believe.
Should I change to the new version and make changes accordingly?

I just want to clear the error messages. I do believe that most of the configurations are in the virtual hosts file or .htaccess, so I’m having a hard time understanding why this is happening.

That really depends on your goals.

At the moment your Apache configuration is likely not working at all.

You have the VirtualHost listening on :443 without any certificates configured. If you have a proxy (sounds like you do since you mentioned haproxy), then presumably you’ll terminate your HTTPS on the proxy. In that case, the Apache VirtualHost should only listen on 80. Then you’ll need to add the haproxy IP address to trusted_proxies in your config.php. Probably a few other things, but those are the fundamental elements.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#

I’ve changed configurations but still the same outcome.
Changed the default 80 to 8080 due to port usage.

<VirtualHost *:8080>
    ServerName nextcloud.example.com
    DocumentRoot /var/www/nextcloud/

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted


        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud

        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

        <FilesMatch "\.js\.map$">
            Header set Content-Type "application/json"
        </FilesMatch>

        <FilesMatch "\.mjs$">
            AddType application/javascript .mjs
        </FilesMatch>

    </Directory>
    CustomLog /var/log/apache/example.com/nextcloud_access.log combined
    ErrorLog /var/log/apache/example.com/error.log
</VirtualHost>

# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'oc30ee9lxrlw',
  'passwordsalt' => 'xxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.example.com',
  ),
  'trusted_proxies' =>
        array (
          0 => '172.16.0.254',
  ),
  'overwritehost' => 'nextcloud.example.com',
  'overwriteprotocol' => 'http',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^172\.16\.0\.254$',
  'overwrite.cli.url' => 'https://nextcloud.example.com',
  'datadirectory' => '/data',
  'dbtype' => 'mysql',
  'version' => '29.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '172.16.255.3',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'default_phone_region' => 'PT',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 0,
  'filelocking.enabled' => true,
  'preview_max_memory' => '1280',
  'maintenance_window_start' => 1,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcache.locking' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' =>
  array (
    0 =>
    array (
      0 => '127.0.0.1',
      1 => 11211,
    ),
  ),
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'example.com',
  'mail_sendmailmode' => 'smtp',
  'updater.release.channel' => 'stable',
  'app_install_overwrite' =>
  array (
    0 => 'social',
    1 => 'documents',
    2 => 'dropit',
    3 => 'files_clipboard',
    4 => 'uploaddetails',
    5 => 'impersonate',
    6 => 'files_downloadactivity',
    7 => 'tencentcloudcosconfig',
  ),
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'mysql.utf8mb4' => true,
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'nextcloud@example.com',
  'mail_smtppassword' => 'xxxxxxxxxxxxxx',
);

At the moment no front end is working, but if I change the virtual hosts to 443 everything starts working but full of warnings and alerts.

From pfSense/HAproxy perspective everything seems configured properly.
I’m clueless.
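
How `trusted_proxies`, `overwritecondaddr` and `overwriteprotocol` from the config.php above decide which client address and URL scheme the application assumes behind a TLS-terminating proxy can be traced with a short model. This is an added example, not part of the thread and not Nextcloud's code: it is a simplified model of the documented meaning of those options, and the function name, the right-to-left `X-Forwarded-For` walk and the sample requests are assumptions.

```python
import ipaddress
import re

def _trusted(ip_text, nets):
    try:
        return any(ipaddress.ip_address(ip_text) in n for n in nets)
    except ValueError:
        return False

def effective_request(remote_addr, headers, server_https, config):
    """Return (client_ip, scheme) as derived from peer address, headers and config."""
    nets = [ipaddress.ip_network(p, strict=False)
            for p in config.get("trusted_proxies", [])]
    from_proxy = _trusted(remote_addr, nets)
    # Forwarded headers count only when the TCP peer is a trusted proxy.
    # Walk X-Forwarded-For right to left, skipping trusted hops, so an entry
    # the client prepended itself is never picked.
    client_ip = remote_addr
    if from_proxy:
        for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
            hop = hop.strip()
            if not hop or _trusted(hop, nets):
                continue
            try:
                client_ip = str(ipaddress.ip_address(hop))
            except ValueError:
                pass  # malformed entry: keep the peer address
            break
    # overwriteprotocol applies when overwritecondaddr is empty or matches the peer.
    cond = config.get("overwritecondaddr", "")
    if config.get("overwriteprotocol") and (not cond or re.search(cond, remote_addr)):
        scheme = config["overwriteprotocol"]
    elif from_proxy and headers.get("X-Forwarded-Proto"):
        scheme = headers["X-Forwarded-Proto"].split(",")[0].strip().lower()
    else:
        scheme = "https" if server_https else "http"
    return client_ip, scheme

# Values from the second config.php posted above.
POSTED = {"trusted_proxies": ["172.16.0.254"],
          "overwritecondaddr": r"^172\.16\.0\.254$",
          "overwriteprotocol": "http"}
# Same config with the scheme the browser uses at the proxy.
HTTPS_AT_PROXY = dict(POSTED, overwriteprotocol="https")
# Constructed request as forwarded by the proxy; 198.51.100.9 was sent by the
# client itself, 203.0.113.7 was appended by the proxy (documentation addresses).
VIA_PROXY = {"X-Forwarded-For": "198.51.100.9, 203.0.113.7",
             "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(effective_request("172.16.0.254", VIA_PROXY, False, POSTED))
    print(effective_request("172.16.0.254", VIA_PROXY, False, HTTPS_AT_PROXY))
    print(effective_request("172.16.0.50", VIA_PROXY, False, HTTPS_AT_PROXY))
```

With the posted values the model yields scheme `http` for a request the browser made over HTTPS, which is the situation the "HTTPS access and URLs" warning describes; the third call shows that forwarded headers from a peer outside `trusted_proxies` are ignored.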