Nextcloud thinks I have a reverse proxy when I don't?

  • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read [the documentation page about this]

How do I get Nextcloud to tell me what it thinks the reverse proxy is?

Some environment information:
Nextcloud version (19.0.3):
Operating system and version (Ubuntu 20.04):
Apache or nginx version ( Nginx 1.18.0):
PHP version (eg, 7.3):

You can set the overwrite variables anyway. Are you running everything over https? Probably the internal links created are not https.
If you need more help, we need information on how you set up your webserver, and the config.php of Nextcloud.

It may be that I haven't set up the certificates and enabled SSL yet.

Here is the web server config:

server {
listen 80;
server_name fil2.xxxx.com;

# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

#This header is already set in PHP, so it is commented out here.
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy no-referrer always;

# Path to the root of your installation
root /var/www/html/nextcloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
location = /data/htaccesstest.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location = /data/\.ocdata {
    access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
   return 301 $scheme://$host/remote.php/dav;
}

location ~ /.well-known/acme-challenge {
  allow all;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
   rewrite ^ /index.php$uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
   deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
   deny all;
 }

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
   include fastcgi_params;
   fastcgi_split_path_info ^(.+\.php)(/.*)$;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_param PATH_INFO $fastcgi_path_info;
   #Avoid sending the security headers twice
   fastcgi_param modHeadersAvailable true;
   fastcgi_param front_controller_active true;
   fastcgi_pass unix:/run/php/php7.3-fpm.sock;
   fastcgi_intercept_errors on;
   fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
   try_files $uri/ =404;
   index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;

}

location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
    try_files $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log off;
}
}

Here is the config.php:

<?php
$CONFIG = array (
  'instanceid' => 'ockdhfg6esc1',
  'passwordsalt' => 'WIz8n4ol3OxMjarav1GpxSKpcMuDiq',
  'secret' => 'tfSfYvxL8sB0NheQOOBmARAfzIVwFfQb7AFWE0A1rVuTxZ8I',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'fil2.xxxx.com',
    2 => '192.168.1.200',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.3.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'xxx',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'admin',
  'dbpassword' => 'xxx',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0,
    'dbindex' => 0,
  ),
);

The other thing I noticed was this message in my nginx web server log:

2020/09/21 09:13:02 [error] 684#684: *171 access forbidden by rule, client: 192.168.0.34, server: fil2.xxxx.com, request: "GET /data/.ocdata?t=1600701183406 HTTP/1.1", host: "fil2.xxxx.com"

I think for your own security you should not post your database user or database password in public forums!!

Thank you for the heads up, just removed them.

When I turned on certbot and set it up, that corrected the reverse proxy issue. However, it has left me with one more issue I am working on:

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

Hopefully the last issue :slight_smile:

To correct the “Strict-Transport-Security” issue you add

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

to your headers in the nginx config file.

Finally a green check on the overview :smile:

Not necessary anymore. Please make sure you are using the latest nginx configuration from the docs.
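
A caveat with the `add_header` fix above, shown as an added example that is not part of the thread or of Nextcloud's documentation: nginx inherits `add_header` from the enclosing level only when a block defines none of its own, so a `location` like the css/js one in the posted config would not send a server-level HSTS header. The parser is a simplified, hypothetical helper that assumes one directive per line, and `SAMPLE` is constructed.

```python
import re

MIN_MAX_AGE = 15552000  # seconds; threshold quoted in the Nextcloud warning
ADD_HEADER = re.compile(r'add_header\s+(\S+)\s+("[^"]*"|[^\s;]+)')

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

def parse(conf):
    """Build a block tree from nginx config text (assumes one directive per line)."""
    root = {"name": "main", "own": {}, "children": []}
    stack = [root]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            block = {"name": line[:-1].strip(), "own": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif m := ADD_HEADER.match(line):
            stack[-1]["own"][m.group(1).lower()] = m.group(2).strip('"')
    return root

def missing_hsts(block, inherited=None):
    """List server/location blocks whose effective headers lack adequate HSTS."""
    # nginx inherits add_header from the parent only if the block sets none itself
    effective = block["own"] or inherited or {}
    age = hsts_max_age(effective.get("strict-transport-security", ""))
    weak = age is None or age < MIN_MAX_AGE
    flag = weak and block["name"].startswith(("server", "location"))
    bad = [block["name"]] if flag else []
    for child in block["children"]:
        bad += missing_hsts(child, effective)
    return bad

# Constructed sample: the thread's layout, trimmed, with the HSTS line at server level.
SAMPLE = r'''
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
    }
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
    }
}
'''
print(missing_hsts(parse(SAMPLE)))  # blocks that would respond without adequate HSTS
```

Repeating the HSTS `add_header` line inside each flagged `location` clears the finding.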