HSTS and DAV with Docker and Traefik

PopeRigby · April 29, 2020, 1:41am

Nextcloud version: 18.0.4.2
Operating system and version: Debian 10
Apache or nginx version: nginx/1.16.1 (fpm-fcgi)
PHP version: 7.3.17

I’m getting these security warnings in my overview panel:

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
    
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

How do I get these to work with with Traefik and Nextcloud running through docker-compose?

Reiner_Nippes · April 29, 2020, 6:53am

which traefik version are you using? the syntax is different between 1.7 and 2.

PopeRigby · April 29, 2020, 4:25pm

I’m using v2

Apr 29, 2020, 12:04 AM by noreply@nextcloud.com:

Reiner_Nippes · April 29, 2020, 4:28pm

would this be helpful to you:

https://www.projekt-rootserver.de/nextcloud-docker-container/2019/09/2/

PopeRigby · April 29, 2020, 5:32pm

I don’t speak German, but I guess I can run it through a translator.

Reiner_Nippes · April 29, 2020, 5:37pm

sorry for that. nevertheless i guess you can identify the code snippets with the labels for traefik.

in the meantime i got a merge request to my ansible playbook. maybe you can find what you are looking for there. i didn’t had time to check. but i’ll merge it later.

github.com

azonictechnophile/nextcloud_on_docker/blob/4255c29e58f485ae1bad7f0ade61bb99b09e8c21/roles/docker_container/tasks/nginx.yml#L46


traefik.http.routers.nginx-http.entrypoints: "web"
traefik.http.routers.nginx-http.rule: "Host(`{{ nextcloud_server_fqdn }}`)"
traefik.http.routers.nginx-http.middlewares: "nginx-https@docker"
traefik.http.routers.nginx.entrypoints: "web-secure"
traefik.http.routers.nginx.rule: "Host(`{{ nextcloud_server_fqdn }}`)"
traefik.http.routers.nginx.middlewares: "nginx@docker,nginx-red@docker"
traefik.http.routers.nginx.tls: "true"
traefik.http.routers.nginx.tls.certresolver: "default"
traefik.http.middlewares.nginx.headers.referrerPolicy: "no-referrer"
traefik.http.middlewares.nginx.headers.SSLRedirect: "true"
traefik.http.middlewares.nginx.headers.STSSeconds: "315360000"
traefik.http.middlewares.nginx.headers.browserXSSFilter: "true"
traefik.http.middlewares.nginx.headers.contentTypeNosniff: "true"
traefik.http.middlewares.nginx.headers.forceSTSHeader: "true"
traefik.http.middlewares.nginx.headers.STSIncludeSubdomains: "true"
traefik.http.middlewares.nginx.headers.STSPreload: "true"
traefik.http.middlewares.nginx.headers.customFrameOptionsValue: "SAMEORIGIN"
traefik.http.middlewares.nginx-red.redirectregex.permanent: "true"
traefik.http.middlewares.nginx-red.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
traefik.http.middlewares.nginx-red.redirectregex.replacement: "https://$1/remote.php/dav"
com.centurylinklabs.watchtower.enable:            "true"

PopeRigby · April 29, 2020, 5:57pm

After adding these lines from that tutorial to my Nextcloud labels…

- "traefik.http.routers.nextcloud.middlewares=https-redirect@file"
- "traefik.http.routers.nextcloud-sec.middlewares = calcarddav, default-headers @ file"
- "traefik.http.middlewares.calcarddav.redirectregex.permanent = true"
- "traefik.http.middlewares.calcarddav.redirectregex.regex = https: // (. *) /.well-known/ (card | cal) dav"
- "traefik.http.middlewares.calcarddav.redirectregex.replacement = https: //$$1/remote.php/dav/"

…I get a 404 when visiting my Nextcloud subdomain, and Nextcloud disappears from my Traefik dashboard.