Security & setup warnings, mighty google couldn't help me :(

hey folks,

i’ve been succesfully installing nextcloud 12 on an ubuntu 16.04 server & apache2 with this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-16-04

When i enter the admin page security & setup warnings are shown (X-Content-Type-Options, X-Frame-Options). With the power of google i figured out that the problem should be the .htaccess file, so i edited the apache2.conf to:

Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory

and i also checked that the “www-data” user is the owner of the .htaccess file

nothing worked yet and the security warnings are still there…

Edit: i wrote some bullshit in the .htaccess file and after that nextcloud failed to load. so, that means the .htaccess file works, but why do i get this security warnings anyway?

Can youpost the following:

  • Your VHOST conf
  • A prinscreen of your errors
  • Your .htaccess file

vhost:

VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin xxxxxxx@gmail.com
    DocumentRoot /var/www/html
    Redirect permanent "/" "https://192.168.2.100/"
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/>
AllowOverride All

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with “a2disconf”.
#Include conf-available/serve-cgi-bin.conf

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

.htaccess file:

<IfModule mod_headers.c>
        Header always append X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
          <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_php7.c>
  Header set X-Content-Type-Options nosniff
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

This is the difference between your .htaccess and mine (running Nextcloud 12.0.0). So first thing would be to update your .htaccess file and get the correct one from master: https://github.com/nextcloud/server/blob/master/.htaccess

2,4c2
<         Header always append X-Frame-Options SAMEORIGIN
<         Header set X-Content-Type-Options nosniff
<           <IfModule mod_setenvif.c>
---
>   <IfModule mod_setenvif.c>
28c26
< 
---
>   
47d44
<   Header set X-Content-Type-Options nosniff
60c57
< RewriteCond %{HTTP_USER_AGENT}  DavClnt
---
>   RewriteCond %{HTTP_USER_AGENT}  DavClnt
82a80,110
> </IfModule>
> #### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
> 
> ErrorDocument 403 /core/templates/403.php
> ErrorDocument 404 /core/templates/404.php
> <IfModule mod_rewrite.c>
>   Options -MultiViews
>   RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
>   RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
>   RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$
>   RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
>   RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
>   RewriteCond %{REQUEST_FILENAME} !/remote.php
>   RewriteCond %{REQUEST_FILENAME} !/public.php
>   RewriteCond %{REQUEST_FILENAME} !/cron.php
>   RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
>   RewriteCond %{REQUEST_FILENAME} !/status.php
>   RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
>   RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
>   RewriteCond %{REQUEST_FILENAME} !/robots.txt
>   RewriteCond %{REQUEST_FILENAME} !/updater/
>   RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
>   RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
>   RewriteRule . index.php [PT,E=PATH_INFO:$1]
>   RewriteBase /
>   <IfModule mod_env.c>
>     SetEnv front_controller_active true
>     <IfModule mod_dir.c>
>       DirectorySlash off
>     </IfModule>
>   </IfModule>

Second, your VHOST looks strange. Did you configure your settings globally in apache.conf? Because you shouldn’t.

This is a correct VHOST for port 80:

<VirtualHost 192.168.4.111:80>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

### YOUR SERVER ADDRESS ###
    ServerAdmin daniel@domain.se
    ServerName cloud.domain.se

### SETTINGS ###
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    <Directory "/var/ocdata">
    # just in case if .htaccess gets disabled
    Require all denied
    </Directory>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

</VirtualHost>

so i changed the settings in .htaccess but still security warnings…

i think i’ve posted the wrong VHOST config, this is the one from /etc/apache2/sites-available/nextcloud.conf (i hope this is what you meant, i am a total noob in LAMP server stuff…)

Alias /nextcloud "/var/www/nextcloud/"

<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

My vhost also includes:

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

<IfModule mod_headers.c>
      Header set Content-Security-Policy: "font-src https: data:;"
      # `mod_headers` cannot match based on the content-type, however,
      # the `Content-Security-Policy` response header should be send
      # only for HTML documents and not for the other resources.
      <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
              Header unset Content-Security-Policy
      </FilesMatch>
</IfModule>

nope, didn’t work for me, everything is working fine (i.e. uploads, enable apps, etc.) but still these security warnings…

i am clueless where the problem is because when i modify the vhost or the .htaccess file with rubbish i get error messages, so they should be working… i hope i can avoid to reinstall the LAMP server and nextcloud -.-

Well, something is messed up with your LAMP install. Better to start fresh and don’t mess with apache.conf and only create a vhost for the specific domain/host.

Or make it easy on yourself; use the VM scripts. https://github.com/nextcloud/vm/blob/master/nextcloud_install_production.sh

You are restarting Apache between vhost edits right?

yes i restarted everytime i edited the vhost…

after being a few days abroad i decided to reinstall my server cause i couldn’t figure out what the problem was. now i’ll use the install script…

1 Like