Nextcloud version: Nextcloud Hub 8 (29.0.4)
Operating system and version: Ubuntu 22.04.4 LTS
nginx version: nginx/1.26.1
PHP version: 8.3.9
Nextcloud is accessible without SSL on local network through nginx webserver: /etc/nginx/sites-available/nextcloud
upstream php-handler {
    server unix:/opt/.nextcloud.sock;
}

map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

server {
    listen 8789;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /opt/nextcloud/; # Your nextcloud directory

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/opt/.nextcloud.sock; # Change your php version
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    # The literal dot must be escaped, otherwise "." matches any character
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
I have a reverse proxy setup on nginx hosting a variety of other services in subdirectories. These services are accessed with example.com/service. The reverse proxy is configured to handle SSL connections and uses authelia for authentication / authorization to the services it sits in front of.
I now want to configure the nginx reverse-proxy to also handle my traffic to/from nextcloud. Ultimately my goal is to have authelia handle authentication with nextcloud as well, but that would come after the reverse-proxy server is configured.
I don’t know how to set up the location block in my nginx reverse-proxy, or what options are necessary in config.php to achieve these goals. I’ve tried searching Google and reading through the nextcloud docs all day, but nothing I’ve tried has worked.
Here is config.php
<?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXXXXXXXXXXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXXXX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.4',
  ),
  'datadirectory' => '/mnt/sda1/nextcloud',
  'dbtype' => 'mysql',
  'version' => '29.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXXXXX',
  'installed' => true,
);
Here are the parts of my reverse-proxy configuration that may be somewhat relevant?
server {
    listen 443 ssl;
    server_name example.com;
    proxy_hide_header X-Powered-By;

    # SSL
    include /etc/nginx/snippets/ssl.conf;

    # add_header directives - must all be specified HERE, specifying below invalidates all header inheritance
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block";

    # Authelia Stuff
    include /etc/nginx/snippets/authelia-location.conf;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8000;
        include /etc/nginx/snippets/proxy.conf;
        include /etc/nginx/snippets/authelia-authrequest.conf;
    }

    location /nextcloud {
        include /etc/nginx/snippets/authelia-authrequest.conf;
        proxy_pass http://localhost:8789$request_uri;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;
        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # other services configured here.
}
These are the setup warnings reported in Administration Settings -> Administration -> Overview. While I’d like to resolve these eventually, I’m more inclined to address them once I know that I can configure nextcloud as described above.
There are some errors regarding your setup.
Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.
Your webserver does not serve `.mjs` files using the JavaScript MIME type. This will break some apps by preventing browsers from executing the JavaScript files. You should configure your webserver to serve `.mjs` files with either the `text/javascript` or `application/javascript` MIME type.
Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead. Without it some important web functionality like "copy to clipboard" or "service workers" will not work! For more details see the documentation ↗.
The PHP memory limit is below the recommended value of 512 MB.
Your web server is not properly set up to resolve `.well-known` URLs, failed on: `/.well-known/webfinger` For more details see the documentation ↗.
Server has no maintenance window start time configured. This means resource intensive daily background jobs will also be executed during your main usage time. We recommend to set it to a time of low usage, so users are less impacted by the load caused from these heavy tasks. For more details see the documentation ↗.
Some headers are not set correctly on your instance - The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `X-Frame-Options` HTTP header is not set to `sameorigin`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the W3C Recommendation. - The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.
Please make sure to set the "overwrite.cli.url" option in your config.php file to the URL that your users mainly use to access this Nextcloud. Suggestion: "http://xxx.xxx.xxx.xxx:8789". Otherwise there might be problems with the URL generation via cron. (It is possible though that the suggested URL is not the URL that your users mainly use to access this Nextcloud. Best is to double check this in any case.)
The PHP OPcache module is not properly configured. The OPcache interned strings buffer is nearly full. To assure that repeating strings can be effectively cached, it is recommended to apply "opcache.interned_strings_buffer" to your PHP configuration with a value higher than "8".. For more details see the documentation ↗.
7 warnings in the logs since July 25, 2024, 7:51:08 PM
The database is used for transactional file locking. To enhance performance, please configure memcache, if available. For more details see the documentation ↗.
No memory cache has been configured. To enhance performance, please configure a memcache, if available. For more details see the documentation ↗.
Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code of the region to your config file. For more details see the documentation ↗.
You have not set or verified your email server configuration, yet. Please head over to the "Basic settings" in order to set them. Afterwards, use the "Send email" button below the form to verify your settings. For more details see the documentation ↗.
The PHP module "imagick" in this instance has no SVG support. For better compatibility it is recommended to install it. For more details see the documentation ↗.
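An added example, not from the original post or the Nextcloud project, of how the reverse-proxy `location` block could look when Nextcloud is served under `example.com/nextcloud` and forwarded to the backend on port 8789. It assumes the Authelia snippet path and the `$connection_upgrade` map from the poster's existing configuration, and leaves the backend server block as posted.

```nginx
# Added example (not from the original post): reverse-proxy side only.
# Send bare /nextcloud to /nextcloud/ so the prefix strip below always applies.
location = /nextcloud {
    return 301 /nextcloud/;
}

location /nextcloud/ {
    include /etc/nginx/snippets/authelia-authrequest.conf;  # assumed path from the post

    # The trailing slash on proxy_pass replaces the matched "/nextcloud/" with "/",
    # so the backend (root /opt/nextcloud/) sees /index.php, /remote.php, ...
    # exactly as it would without a reverse proxy. Using $request_uri here would
    # forward the /nextcloud prefix, which the backend's rewrite cannot route.
    proxy_pass http://localhost:8789/;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    # Tell Nextcloud the client connection is TLS even though the hop is plain HTTP,
    # otherwise generated links and the "insecure via HTTP" warning stay on http://.
    proxy_set_header X-Forwarded-Proto https;

    # Keep backend redirects as-is; the HSTS / X-Frame-Options headers are already
    # added at this server level, so they are not repeated here.
    proxy_redirect off;

    # Websocket upgrades (reuses the $connection_upgrade map from the post)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # Match the backend's upload limit and stream large uploads instead of
    # spooling them to disk on the proxy first.
    client_max_body_size 512M;
    proxy_request_buffering off;
    proxy_read_timeout 3600s;
}

# CalDAV/CardDAV discovery is requested at the site root, where it would otherwise
# fall into "location /" and reach the service on port 8000. Point it into the
# subdirectory instead.
location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav; }
location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav; }
```

On the Nextcloud side this pairs with the standard config.php keys `'overwritehost' => 'example.com'`, `'overwriteprotocol' => 'https'`, `'overwritewebroot' => '/nextcloud'` and `'trusted_proxies'` listing the proxy's address, with `example.com` added to `trusted_domains`. Without `trusted_proxies`, Nextcloud logs the proxy's IP as the client for every request, so its brute-force throttling would apply to all users at once rather than to the offending client.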