Nextcloud & NginX (separate Device) but Nextcloud says unsecure Access

I have a problem and wanted to ask if anyone has the same problem.

I have installed Nextcloud as an app on TrueNAS Scale and configured everything. Now the error “Insecure access to the website via HTTP.” is permanently displayed.

I use NginX on a Raspberry Pi (other device) and have the domain nextcloud..ddnsfree.com from dynu (only use it internally) and have created an SSL certificate through dynu and Let’s Encrypt.

When I call up the domain, the Nextcloud website always appears and is encrypted via HTTPS, but Nextcloud still shows the error.

I have tried to adjust the Apache2 server in the container at TrueNAS where Nextcloud is running (as an app), but the settings are reset after each restart.

Does anyone have any help here? I can’t get any further at the moment.

You seem to have ignored the support template. :slight_smile:

Post your Nextcloud config (i.e. `occ config:list system`)

> I have tried to adjust the Apache2 server in the container at Truenas where Nextcloud is running (as an app), but the settings are reset after each restart.

If HTTPS terminates on nginx and you have nginx serving as your reverse proxy in front of Nextcloud there is no need to mess with Apache.

Chances are it’s a mixture of trusted_proxies and/or overwrite* config values in your Nextcloud config (there are other possibilities however).

EDIT: Wait, are you referring to the setup checks under Administration settings->Overview? I was thinking you meant browser warnings. For the setup checks, your situation may have the same underlying cause as: HTTP Strict Transport enabled, but alert on Nextcloud 30 - #4 by jtr

Here is my config file:

```json
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.0.71",
            "127.0.0.1",
            "nextcloud-init-sync.lock",
            "nextcloud",
            "nextcloud.lan",
            "nextcloud.<something>.ddnsfree.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.0.14",
        "overwrite.cli.url": "https:\/\/nextcloud.<something>.ddnsfree.com",
        "overwriteprotocoll": "https",
        "overwirteHost": "nextcloud.<something>.ddnsfree.com",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "AT",
        "maintenance_window_start": "1",
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.<something>.ddnsfree.com",
        "forbidden_filename_characters": [
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            ".filepart",
            ".part"
        ]
    }
}
```

The problem is that Nextcloud says (under the settings):
“Insecure access to the website via HTTP. It is strongly recommended to set up your server so that HTTPS is required. Without HTTPS, some important web functions such as “Copy to clipboard” or “Service Worker” will not work! You can find more information in the documentation.”
(When I change ‘overwrite.cli.url’ => ‘https://nextcloud…ddnsfree.com’, to http://localhost, then the HSTS error occurs.)

Every time I change the settings of the Apache2 server in the app container and reboot, the changes are deleted.

Now I have another problem. I would like to access my Nextcloud via the app and the Windows client. I typed in https://nextcloud…ddnsfree.com and the client says
“The Polling URL does not start with HTTPS despite to login URL start with HTTPS. Login will not be possible because this might be a security issue. Please contact your administrator”.

```
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.0.71",
            "127.0.0.1",
            "nextcloud-init-sync.lock",  <--- REMOVE
            "nextcloud",
            "nextcloud.lan",
            "nextcloud.<something>.ddnsfree.com"
        ],
        "overwriteprotocoll": "https", <-- FIX TYPO: `ll` should be `l`
        "overwirteHost": "nextcloud.<something>.ddnsfree.com", <-- FIX TYPO: `overwritehost`
```

> Every time I change the settings of the Apache2 server in the app container and reboot, the changes are deleted.

What settings are you referring to that you’re changing in Apache? And what are your volume mounts for the container?
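The key-name check from the reply above can be automated. The following is an added example, not part of any post in this thread: it scans an `occ config:list system` dump for keys that nearly match Nextcloud's reverse-proxy settings. The function names, the similarity cutoff and the sample host and proxy address are assumptions made for illustration.

```python
import difflib
import json

# Reverse-proxy related keys from Nextcloud's config.php documentation.
PROXY_KEYS = [
    "overwritehost", "overwriteprotocol", "overwritewebroot",
    "overwritecondaddr", "overwrite.cli.url", "trusted_proxies",
    "forwarded_for_headers", "trusted_domains",
]

# Constructed sample shaped like `occ config:list system` output; the host
# name is a placeholder and the two misspelled keys mirror this thread.
SAMPLE = """{"system": {
    "dbtype": "pgsql",
    "trusted_domains": ["localhost", "nextcloud.example.invalid"],
    "trusted_proxies": ["192.0.2.10"],
    "overwrite.cli.url": "https://nextcloud.example.invalid",
    "overwriteprotocoll": "https",
    "overwirteHost": "nextcloud.example.invalid",
    "overwritehost": "nextcloud.example.invalid"
}}"""


def find_misspelled_keys(system, cutoff=0.8):
    """Map each unknown key that nearly matches a proxy key to that key."""
    suspects = {}
    for key in system:
        if key in PROXY_KEYS:  # exact match: config keys are case-sensitive
            continue
        close = difflib.get_close_matches(key.lower(), PROXY_KEYS, n=1, cutoff=cutoff)
        if close:
            suspects[key] = close[0]
    return suspects


def audit(config_json):
    """Return human-readable findings for one `occ config:list system` dump."""
    system = json.loads(config_json)["system"]
    findings = [f"unknown key {bad!r}, did you mean {good!r}?"
                for bad, good in find_misspelled_keys(system).items()]
    if system.get("overwriteprotocol") != "https":
        findings.append("overwriteprotocol is not 'https'; scheme detection "
                        "then depends on the proxy's forwarded headers")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
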

Thanks for the help. You are brilliant. That fixed my problem and now I can use my Nextcloud via HTTPS and without a security issue.

For the other questions:

I used this command from another thread.
https://help.nextcloud.com/t/help-me-to-enable-hsts-http-strict-transport-security-on-my-nc22-instance-please/121552/8?u=lightningstorch

For the mounted volumes:
The TrueNAS app folder is on an NVMe SSD without mirror and the volume for the data is on my 8 TB mirrored HDD storage.
I changed the settings in TrueNAS during the installation to the correct folder on the separate storage.

You can set the Strict-Transport-Security header on your reverse proxy, where HTTPS is terminated anyhow. The example in that linked thread was someone with a different type of installation and they were running HTTPS in Apache.