Security & setup warnings NC 14.04

A lot of info here to digest
Frustrating that this has been ongoing for a number of versions.
I’m on SiteGround if that assists.

I ran NC Security Scan which indicates …
Running Nextcloud 11.0.3.2
See next section of what is installed.

Install Info

Nextcloud version : 14.0.4
Operating system and version (eg, Ubuntu 17.04):
Apache or nginx version (eg, Apache 2.4.25):
PHP version : 7.1.24

Database Server:

  • Server: Localhost via UNIX socket
  • Server type: Percona Server
  • Server version: 5.6.40-84.0-log - Percona Server (GPL), Release 84.0, Revision 47234b3
  • Protocol version: 10

Web Server:
cpsrvd 11.66.0.24
Database client version: libmysql - 5.1.73
PHP extension: mysqli curl mbstring
PHP version: 5.6.30

The issue you are facing:

Ongoing Security & setup warnings
I have been getting these warnings on an ongoing basis

Is this the first time you’ve seen this error? (Y/N): No
It has been an ongoing issue since NC v10

Steps to replicate it:

  1. Delete and Install New Version
  2. Auto Update new version
  3. Manually update new version

Regardless of which method is chosen, these errors continue

Security & setup warnings output

Transactional file locking is disabled, this might lead to issues with race conditions. Enable "filelocking.enabled" in config.php to avoid these problems. See the documentation for more information.
The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

Refer to the .htaccess file

Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.

---- .htaccess root contents included -------

RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]

---- end .htaccess root contents -------

The PHP OPcache is not properly configured. For better performance it is recommended to use the following settings in the php.ini:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Refer to the php.ini file

---- Admin > Logging -----

Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	a minute ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/css/icons/icons-vars.css.gzip (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/css/icons/icons-vars.css.gzip)	a minute ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/theming/images/background (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/theming/images/background)	a minute ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	a minute ago
Debug	cron	Finished OCA\Support\BackgroundJobs\CheckSubscription job with ID 966 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\Support\BackgroundJobs\CheckSubscription job with ID 966	5 minutes ago
Debug	cron	Finished OCA\DAV\BackgroundJob\UpdateCalendarResourcesRoomsBackgroundJob job with ID 963 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\DAV\BackgroundJob\UpdateCalendarResourcesRoomsBackgroundJob job with ID 963	5 minutes ago
Debug	cron	Finished OC\Preview\BackgroundCleanupJob job with ID 960 in 0 seconds	5 minutes ago
Debug	cron	Run OC\Preview\BackgroundCleanupJob job with ID 960	5 minutes ago
Debug	cron	Finished OC\Log\Rotate job with ID 955 in 0 seconds	5 minutes ago
Debug	cron	Run OC\Log\Rotate job with ID 955	5 minutes ago
Debug	cron	Finished OC\Authentication\Token\DefaultTokenCleanupJob job with ID 954 in 0 seconds	5 minutes ago
Debug	cron	Invalidating remembered session tokens older than 2018-11-26T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating session tokens older than 2018-12-10T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating remembered session tokens older than 2018-11-26T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating session tokens older than 2018-12-10T06:00:02+00:00	5 minutes ago
Debug	cron	Run OC\Authentication\Token\DefaultTokenCleanupJob job with ID 954	5 minutes ago
Debug	cron	Finished OCA\UpdateNotification\ResetTokenBackgroundJob job with ID 275 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\UpdateNotification\ResetTokenBackgroundJob job with ID 275	5 minutes ago
Debug	cron	Finished OC\Authentication\Token\DefaultTokenCleanupJob job with ID 14 in 0 seconds	5 minutes ago
Debug	cron	Invalidating remembered session tokens older than 2018-11-26T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating session tokens older than 2018-12-10T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating remembered session tokens older than 2018-11-26T06:00:02+00:00	5 minutes ago
Debug	cron	Invalidating session tokens older than 2018-12-10T06:00:02+00:00	5 minutes ago
Debug	cron	Run OC\Authentication\Token\DefaultTokenCleanupJob job with ID 14	5 minutes ago
Debug	cron	Finished OCA\Files\BackgroundJob\CleanupFileLocks job with ID 12 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\Files\BackgroundJob\CleanupFileLocks job with ID 12	5 minutes ago
Debug	cron	Finished OCA\Activity\BackgroundJob\EmailNotification job with ID 1 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\Activity\BackgroundJob\EmailNotification job with ID 1	5 minutes ago
Debug	cron	Finished OCA\Files\BackgroundJob\ScanFiles job with ID 10 in 0 seconds	5 minutes ago
Debug	cron	Run OCA\Files\BackgroundJob\ScanFiles job with ID 10	5 minutes ago
Debug	cron	Finished OCA\Files_Sharing\DeleteOrphanedSharesJob job with ID 8 in 0 seconds	5 minutes ago
Debug	DeleteOrphanedSharesJob	0 orphaned share(s) deleted	5 minutes ago
Debug	cron	Run OCA\Files_Sharing\DeleteOrphanedSharesJob job with ID 8	5 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	30 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/theming/images/background (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/theming/images/background)	30 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	30 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/avatar/yerg55/avatar.jpg)	31 minutes ago
Debug	core	SCSSCacher: /nextcloud/settings/css/settings.scss compiled and successfully cached	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25063 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25063)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25062 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25062)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25061 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25061)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25063 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25063)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/css/settings/4f30-f309-settings.css.gzip (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/css/settings/4f30-f309-settings.css.gzip)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25011 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25011)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/preview/25062 (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/preview/25062)	31 minutes ago
Debug	no app in context	No cache entry found for /appdata_occv9adk2rxx/css/settings/4f30-f309-settings.css.deps (storage: local::/home/bbbbbb/ncdata/, internalPath: appdata_occv9adk2rxx/css/settings/4f30-f309-settings.css.deps)	31 minutes ago

---- end Admin > Logging -----

------- config.php ------

<?php
$CONFIG = array (
  'instanceid' => 'occv9adk2rxx',
  'passwordsalt' => 'XWRGs4hFeYjbE0xHleq3DxQ3PVxuTa',
  'secret' => '6Ci5/7Non3LxPHCF+Ox0ffl/kp4CrNvb4+cEq+jX+BYiwUwM',
  'trusted_domains' => 
  array (
    0 => 'domain.com.au',
    1 => 'www.domain.com.au',
  ),
  'datadirectory' => '/home/xxxx/ncdata',
  'overwrite.cli.url' => 'https://xxxx.com.au/nextcloud',
  'dbtype' => 'mysql',
  'version' => '14.0.4.2',
  'dbname' => 'xxxxxxx_nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxx_xxxxxx',
  'dbpassword' => 'xxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'updater.server.url' => 'https://updates.nextcloud.com/updater_server/',
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'filelocking.enabled' => true,
  'theme' => '',
  'loglevel' => 0,
  'trashbin_retention_obligation' => 'auto',
);

------- end config.php ------

---- .htaccess --------

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_php7.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/

---- end .htaccess --------

---- php.ini --------

allow_url_include=Off
disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
open_basedir=/home/xxxx/public_html:/tmp:/home/xxxx/public_html/tmp:/home/xxxx/public_html/log

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

---- end php.ini --------

Hi,

Don’t let that frustrate you :slight_smile:
The security warnings refer to web server, caching (memcache/APCu) and PHP configuration, which can’t be changed by Nextcloud. Therefore, it didn’t help to reinstall or update.
The admin guide actually describes these settings and tells you what to put into the configuration files :wink:

Regarding the security scanner: notice the timestamp of that scan and consequently the age of the information about NC11. Hit the refresh button and a rescan will be initiated. It takes about 5 minutes, so refresh the page of the security scanner a little later again.

Schmu … you are a savior :clap: :clap: :clap:
Chasing rats up sewer pipes is not a good use of time.

Just ensuring that this thing is bolted down as well as I can make it.

Site Scanner: interesting. I used a couple of browsers and came up with the same response.
All good now

:blush:
I’m glad it helped you in a way.

Because I couldn’t access the documents before, I’m going to add the links to the documents here now:

Warnings about Caching:
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/security_setup_warnings.html#cache-warnings

Security headers:
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/harden_server.html#serve-security-related-headers-by-the-web-server

Strict-Transport-Security-Header:
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/security_setup_warnings.html#the-strict-transport-security-http-header-is-not-configured

Caldav/ Carddav:
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/security_setup_warnings.html#your-web-server-is-not-set-up-properly-to-resolve-well-known-caldav-or-well-known-carddav

I hope they are still helpful for your issues and help others who stumble over this thread.
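The header and .well-known warnings in this thread can be reproduced outside the admin panel by looking at what the web server actually sends to the client, which is what decides whether the .htaccess rules took effect. The following checker is an added example for this thread, not code from any post above or from Nextcloud itself. The expected header values and the 15552000-second HSTS minimum are the ones quoted in the warnings; the function names, the assumption that a 301 to remote.php/dav/ satisfies the .well-known check, and the sample responses (constructed, not captured from the poster's SiteGround host) are this example's own.

```python
"""Audit an HTTP response header block against the header checks behind
Nextcloud's "Security & setup warnings" panel (added example)."""
import re
from typing import Dict, List, Optional

HSTS_MIN_AGE = 15552000  # seconds; the minimum the HSTS warning asks for

# Header -> value the panel expects. Compared case-insensitively with
# whitespace removed, so "1;mode=block" and "1; mode=block" both pass.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn the text of `curl -sI https://host/nextcloud/` into a dict.
    The status line is skipped and names are lower-cased; a header sent
    twice keeps its last value (what most browsers also honour)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value, or None."""
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def _squash(value: str) -> str:
    return re.sub(r"\s+", "", value).lower()


def audit_headers(raw_response: str) -> List[str]:
    """Return one finding per header that would trigger a panel warning."""
    headers = parse_raw_headers(raw_response)
    findings: List[str] = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name.lower())
        if actual is None:
            findings.append(f'"{name}" is not set (expected "{expected}")')
        elif _squash(actual) != _squash(expected):
            findings.append(f'"{name}" is "{actual}", expected "{expected}"')
    hsts = headers.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts is not None else None
    if age is None:
        findings.append('"Strict-Transport-Security" is not set')
    elif age < HSTS_MIN_AGE:
        findings.append(f'"Strict-Transport-Security" max-age={age} '
                        f'is below {HSTS_MIN_AGE}')
    return findings


def audit_well_known(raw_response: str, service: str) -> Optional[str]:
    """Check the answer to GET /.well-known/<service> (caldav or carddav).
    Assumption of this example: a 301 whose Location ends in remote.php/dav/
    (what the shipped RewriteRules produce) satisfies the panel."""
    status_line = raw_response.strip().splitlines()[0]
    location = parse_raw_headers(raw_response).get("location", "")
    redirected = " 301 " in f" {status_line} "
    to_dav = location.rstrip("/").endswith("remote.php/dav")
    if not (redirected and to_dav):
        return f"/.well-known/{service} does not redirect to remote.php/dav/"
    return None


# Constructed sample responses. The first mirrors the thread: the headers
# from the stock .htaccess never reach the client.
RESPONSE_UNHARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 0
"""

RESPONSE_HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
"""

RESPONSE_CALDAV_OK = """HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.net/nextcloud/remote.php/dav/
"""

RESPONSE_CALDAV_BAD = """HTTP/1.1 404 Not Found
Content-Type: text/html
"""

if __name__ == "__main__":
    print("unhardened:", audit_headers(RESPONSE_UNHARDENED))
    print("hardened:", audit_headers(RESPONSE_HARDENED) or "no header warnings")
    print(audit_well_known(RESPONSE_CALDAV_OK, "caldav"))
    print(audit_well_known(RESPONSE_CALDAV_BAD, "caldav"))
```

Feed it the output of `curl -sI` against the login page and against `/.well-known/caldav` from outside the host. If the stock `Header set` lines are present in .htaccess (as in the file posted above) but the headers still do not appear, the cause is in front of PHP: mod_headers not loaded, `AllowOverride` not permitting the directives, or a proxy or CDN rewriting the response, none of which a Nextcloud reinstall can change.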
