Latest Docker Image Security Issues

ā„¹ļø Support šŸ“¦ Appliances (Docker, Snappy, VM, NCP, AIO)
1

Good morning

It appears there may be an issue with the latest docker image on tag 15.0.0.

Im running it behind haproxy and when I go into the security section of settings I see the following warning (which ive never seen before):

There are some warnings regarding your setup.

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ā†—.

Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running 'occ db:convert-filecache-bigint' those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
    filecache.mtime
    filecache.storage_mtime

Please double check the installation guides :arrow_upper_right:, and check for any errors or warnings in the log.

Is this a known issue? Or have I missed something?

Really appreciate your help.

Best wishes

Andrew
Check the security of your Nextcloud over our security scan :arrow_upper_right:.

2

Apologies for the noise - in case anyone else gets this, I fixed it by adding this to my haproxy backend :slight_smile:

http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;

3

I am however seeing these errors as well and Im confused as to why we would get them when its the nextcloud 15.0.0 docker image Im running?

There are some warnings regarding your setup.

  • Your web server is not properly set up to resolve ā€œ/.well-known/caldavā€. Further information can be found in the documentation.
  • Your web server is not properly set up to resolve ā€œ/.well-known/carddavā€. Further information can be found in the documentation.
  • Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ā€˜occ db:convert-filecache-bigintā€™ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
    • filecache.mtime
    • filecache.storage_mtime

Apprecaite your help

4

just do an occ db:convert-filecache-bigint
IMHO thatā€™s a ā€œmissing featureā€ caused by Nextcloud Inc. After a fresh install nothing should be missing. I included the occ command in the setup of nc.

Iā€™m getting the same error message after I run my playbook. Nextcloud/nginx/Traefik. Nevertheless the forewarding/redirect from /.well-known/carddav to /remote.php/dav is working. But since I donā€™t use this I canā€™t really checkā€¦

1 Like
5

Good afternoon :slight_smile: Thankyou for your reply. I tried docker exec into the container to do this however the command wasnt recognised ??

andrew@microserver:~$ docker exec -it 6c4441b6328a bash
root@6c4441b6328a:/var/www/html# occ db:convert-filecache-bigint
bash: occ: command not found

Any ideas?

Thank you for your help

6

itā€™s php occ. occ is a php skript. you have to run it as user www-data (web server user)

but you donā€™t need to login:

docker exec --user www-data 6c4441b6328a php occ db:convert-filecache-bigint
7

Wow thats brilliant thank you ! :slight_smile:
andrew@microserver:~$ docker exec --user www-data 6c4441b6328a php occ db:convert-filecache-bigint
Following columns will be updated:

  • filecache.mtime
  • filecache.storage_mtime

This can take up to hours, depending on the number of files in your instance!

8

Now just the errors:

Your web server is not properly set up to resolve ā€œ/.well-known/caldavā€

To fix :slight_smile:

9

Fixed using this post :slight_smile:

  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]

To:

  RewriteRule ^\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

From funky penguin here https://github.com/nextcloud/docker/issues/528

Modified my .htaccess file in my persistent storage

10

Finally my only error I see is when I used the nextcloud scanning service - I get an A rating and this error:

__Host-Prefix

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ā€˜normalā€™ same-site cookies.

Anyone seen a fix or workaround for this by anychance?

Many thanks
Andrew

11

@Reiner_Nippes Hi mate, Iā€™m getting this when I enter your command: Could not open input file: occ

What should I do?

12

provide more details.
you are running nextcloud in docker container?
you entered docker exec --user www-data <nextcloud-container-id> php occ db:convert-filecache-bigint?

1 Like
13

Sorry about that mate. Yes, nextcloudpi in docker container from ownyourbits. Command worked when I gave the full path of the occ. Thanks.

exec --user www-data php /var/www/nextcloud/occ db:convert-filecache-bigint