Insecure URLs warning on version 23

Nextcloud version (eg, 20.0.5): 23
Operating system and version (eg, Ubuntu 20.04): docker nextcloud repository on Docker Hub
Apache or nginx version (eg, Apache 2.4.25): apache I think
PHP version (eg, 7.4): not sure

Since updating to version 23 I am getting the warning "You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this ↗."

I believe it is the same as the issue here but the solution didn’t work for me. I am using Nextcloud behind the docker nginx-proxy + acme-companion. I have had this instance for several versions.

What does the warning mean? Does it mean some of the links have http instead of https? My favicon is using http for some reason, but all the other links appear to be https. Does it mean my URL path is insecure? My URLs look like this: https://sub.domain.net/index.php/settings/admin/overview. Is the index.php supposed to be there?

Any help would be appreciated so I can better debug this issue.

config.php:

<?php
$CONFIG = array (
  'datadirectory' => '/var/www/html/data',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => 'sub.domain.net',
  ),
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'overwrite.cli.url' => 'https://sub.domain.net',
  'dbtype' => 'mysql',
  'version' => '23.0.10.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'mail_from_address' => 'postmaster',
  'logtimezone' => 'Etc/UTC',
  'logdateformat' => 'Y-m-d H:i:s',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => 'tls',
  'mail_domain' => 'sub.domain.net',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxx',
  'mail_smtpname' => 'xxx',
  'mail_smtppassword' => 'xxx',
  'default_phone_region' => 'US',
  'loglevel' => 0,
  'maintenance' => false,
  'theme' => '',
  'updater.release.channel' => 'stable',
  'app_install_overwrite' => 
  array (
    0 => 'spreed',
    1 => 'twofactor_totp',
  ),
);

docker-compose.yml

version: '3.7'
x-volumes:
  &nextcloud-volumes
      - /mnt/data/ansible/nextcloud/custom_apps:/var/www/html/custom_apps
      - /mnt/data/ansible/nextcloud/config:/var/www/html/config
      - /mnt/data/ansible/nextcloud/data:/var/www/html/data
      - /mnt/data/ansible/nextcloud/themes:/var/www/html/themes
      - /mnt/data/ansible/nextcloud/root:/var/www/html

services:
  db:
    image: mariadb:10.6
    environment:
      MYSQL_ROOT_PASSWORD: "xxx"
      MYSQL_DATABASE: xxx
      MYSQL_USER: xxx
      MYSQL_PASSWORD: "xxx"
    volumes:
      - /mnt/data/ansible/nextcloud/mariadb_data:/var/lib/mysql
    networks:
      - default
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
  app:
    image: nextcloud:23
    links:
      - db
    environment:
      VIRTUAL_HOST: sub.domain.net
      VIRTUAL_PORT: 80
      LETSENCRYPT_HOST: xxx
      LETSENCRYPT_EMAIL: xxx
      NEXTCLOUD_ADMIN_USER: xxx
      NEXTCLOUD_ADMIN_PASSWORD: "xxx"
      MYSQL_DATABASE: xxx
      MYSQL_USER: xxx
      MYSQL_PASSWORD: "xxxx"
      MYSQL_HOST: db
      # Changes since version 23
      # https://github.com/nextcloud/docker/issues/1672#issuecomment-1080467468
      TRUSTED_PROXIES: sub.domain.net
      OVERWRITECLIURL: https://sub.domain.net
      OVERWRITEPROTOCOL: https
      # I think this hooks in at a slightly different place
      NEXTCLOUD_TRUSTED_DOMAINS: sub.domain.net
      # maybe you also want this
      OVERWRITEHOST: sub.domain.net
    volumes:
      *nextcloud-volumes
    networks:
      - nginx-proxy
      - default
    restart: always
  cron:
    image: nextcloud
    restart: always
    volumes:
      *nextcloud-volumes
    depends_on:
      - app
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      while /bin/true; do
        su -s "/bin/bash" -c "/usr/local/bin/php /var/www/html/cron.php" www-data
        echo $$(date) - Running cron finished
        sleep 900
      done
      EOF'
networks:
  nginx-proxy:
    external: true
  default:
volumes:
  nextcloud-root:

Extra vhost configuration for nginx-proxy:

        client_max_body_size 10G;

        # Fix for some clients not able to find sync URL
        # https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery
        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }

Your configs look fine to me. Please double-check that your variables are right in the running config.php:

docker exec --user www-data app php occ config:system:get overwrite.cli.url
docker exec --user www-data app php occ config:system:get overwriteprotocol
docker exec --user www-data app php occ config:system:get overwritehost

Maybe there is something wrong; if the output doesn’t match your expectations, perform docker-compose down/up. At least with NC24 I’m under the impression overwrite.cli.url is not required anymore (I have an Apache container without this setting and no warnings).

Most likely not related to this issue, but this is wrong - this variable should include a space-separated array with IP addresses of trusted reverse proxy servers, e.g.

TRUSTED_PROXIES=traefik 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8

I’m not aware of these variables, try to remove them…:

overwriteprotocol and overwritehost came back empty even after a down and up with docker compose. I wonder why?

The VIRTUAL_HOST and VIRTUAL_PORT variables are used with nginx-proxy I believe.

OK. I set directly in the config.php as suggested in this comment. I guess the docker variables only take effect when setting up the config.php for the first time. At least that is my guess. Thank you for the suggestion of looking at the values from occ!
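
For reference, the reverse-proxy keys discussed in this thread as they would appear in config/config.php. This is an added example, not a config posted by anyone in the thread; the hostname is the placeholder used above, and the 172.16.0.0/12 range is taken from the reply's TRUSTED_PROXIES example on the assumption that nginx-proxy reaches the app container from a Docker bridge address.

```php
<?php
// Added example: merge these keys into the existing $CONFIG array in
// config/config.php. They are not a complete configuration on their own.
$CONFIG = array (
  // Host names Nextcloud accepts in the Host header of incoming requests.
  'trusted_domains' =>
  array (
    0 => 'sub.domain.net',
  ),

  // Proxies whose X-Forwarded-* headers Nextcloud honours. Entries are the
  // addresses the app container sees the proxy connecting from (IP addresses
  // or CIDR ranges), not the public host name of the instance.
  // Assumption: 172.16.0.0/12 covers the nginx-proxy Docker network; narrow
  // it to that network's actual subnet so no other host can supply
  // forwarded headers.
  'trusted_proxies' =>
  array (
    0 => '172.16.0.0/12',
  ),

  // TLS ends at nginx-proxy and the app container only receives plain HTTP
  // on port 80, so the scheme and host for generated URLs are set explicitly.
  'overwriteprotocol' => 'https',
  'overwritehost' => 'sub.domain.net',

  // Base URL for links generated outside a web request (cron.php, occ).
  'overwrite.cli.url' => 'https://sub.domain.net',
);
```

With these keys in place, the `occ config:system:get overwriteprotocol` and `occ config:system:get overwritehost` commands posted earlier in the thread should print `https` and `sub.domain.net` instead of coming back empty.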