NC21: Apache proxy brings security warning

Hello,

I have installed a Nextcloud instance behind my Apache reverse proxy, and the security admin console gives me this error:
> The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the documentation.

My platform runs on this stack:

Nextcloud version : 21 (latest)
Operating system and version: Debian Buster
Apache : 2.4 (for Nextcloud and reverse proxy)
PHP version : 7.3
Apache reverse proxy : 192.168.1.111
Nextcloud server with apache and mariadb : 192.168.1.112

My Apache reverse proxy config is:


```apache
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>

ServerName cloud.mydomain.com
ServerAdmin mymail

AddDefaultCharset off
Order Allow,Deny
Allow from all

ProxyRequests On
ProxyPreserveHost On
ProxyPass "/" "http://192.168.1.112:80/"
ProxyPassReverse "/" "http://192.168.1.112:80/"

SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPassMatch (.*)(/websocket)$ "ws://192.168.1.112/$1$2"

LogLevel notice
CustomLog /var/log/apache2/nextcloud_access.log combined
ErrorLog /var/log/apache2/nextcloud_error.log

SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
RewriteEngine On
RewriteRule ^/.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/host-meta https://%{SERVER_NAME}/public.php?service=host-meta [R=301,L]
RewriteRule ^/.well-known/host-meta.json https://%{SERVER_NAME}/public.php?service=host-meta-json [QSA,L]
RewriteRule ^.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [R=301,L]
RewriteRule ^.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]

SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLUseStapling on
```

My config.php file is:

```php
<?php
$CONFIG = array (
  'instanceid' => '******************',
  'passwordsalt' => '***********************',
  'secret' => '*************************************',
  'trusted_domains' =>
  array (
    0 => '192.168.1.112',
    1 => 'cloud.mydomain.com',
    2 => '192.168.1.111',
  ),
  'datadirectory' => '/mount/stockage/segate/nextcloud/data_racine',
  'dbtype' => 'mysql',
  'version' => '21.0.0.18',
  'overwrite.cli.url' => 'https:/cloud.mydomain.com',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'pass**',
  'installed' => true,
  'default_phone_region' => 'FR',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'htaccess.RewriteBase' => '/',
  'trusted_proxies' =>
  array (
    1 => '192.168.1.111',
    2 => 'cloud.mydomain.com',
  ),
  'overwritehost' => 'cloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\.168\.1\.111$',
  'forwarded_for_headers' => array('HTTP_X_FORWARDED'),
);
```

I don’t know what is missing. I tried to read some articles about headers,
but nothing changed.

Thank you
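
An added example, not part of the original post and not Nextcloud's code: a simplified Python model of how an application behind a reverse proxy picks the client address, run on constructed requests that use the `trusted_proxies` and `forwarded_for_headers` values from the config above. It assumes that with `ProxyAddHeaders Off` Apache adds no `X-Forwarded-For` header; the function names and the 203.0.113.7 client address are hypothetical.

```python
import ipaddress

def server_key(header_name):
    # PHP exposes request header "X-Forwarded-For" as $_SERVER["HTTP_X_FORWARDED_FOR"]
    return "HTTP_" + header_name.upper().replace("-", "_")

def resolve_client_ip(remote_addr, headers, trusted_proxies, forwarded_for_headers):
    """Simplified model (assumption, not Nextcloud's code) of trusted-proxy address resolution."""
    if remote_addr not in trusted_proxies:
        return remote_addr  # untrusted peer: any forwarded header it sends is ignored
    server = {server_key(name): value for name, value in headers.items()}
    for key in forwarded_for_headers:
        # Walk right to left: the rightmost entries were appended by our own proxies,
        # anything further left may have been supplied by the client.
        for hop in reversed(server.get(key, "").split(",")):
            hop = hop.strip()
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue  # empty or malformed entry
            if hop not in trusted_proxies:
                return hop
    return remote_addr  # nothing usable: every visitor appears as the proxy

def forwarding_works(remote_addr, headers, trusted_proxies, forwarded_for_headers):
    """False when a trusted proxy delivered the request but no client address was recovered."""
    if remote_addr not in trusted_proxies:
        return True
    resolved = resolve_client_ip(remote_addr, headers, trusted_proxies, forwarded_for_headers)
    return resolved != remote_addr

# Constructed sample data; 192.168.1.111 and cloud.mydomain.com are the values from the post.
TRUSTED = ["192.168.1.111", "cloud.mydomain.com"]
PROXY = "192.168.1.111"
NO_XFF = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "cloud.mydomain.com"}
WITH_XFF = {**NO_XFF, "X-Forwarded-For": "203.0.113.7"}

if __name__ == "__main__":
    for label, hdrs, keys in [
        ("no X-Forwarded-For, app reads HTTP_X_FORWARDED", NO_XFF, ["HTTP_X_FORWARDED"]),
        ("X-Forwarded-For sent, app reads HTTP_X_FORWARDED", WITH_XFF, ["HTTP_X_FORWARDED"]),
        ("X-Forwarded-For sent, app reads HTTP_X_FORWARDED_FOR", WITH_XFF, ["HTTP_X_FORWARDED_FOR"]),
    ]:
        print(label, "->", resolve_client_ip(PROXY, hdrs, TRUSTED, keys),
              forwarding_works(PROXY, hdrs, TRUSTED, keys))
```

In this model only the third combination recovers the visitor's address; in the first two every request is attributed to the proxy at 192.168.1.111.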

same issue :slightly_frowning_face: