Nextcloud version: 15.0.2
Operating system and version: Debian 9 “Stretch”
Apache or nginx version:
**nginx version:** nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0j 20 Nov 2018)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-0TiIP5/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-0TiIP5/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-0TiIP5/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-0TiIP5/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-0TiIP5/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-0TiIP5/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module
PHP version: PHP 7.0.33-0+deb9u1 (cli) (built: Dec 7 2018 11:36:49) ( NTS )
The issue you are facing:
After adding HSTS directives to nginx, I had to comment out CSP, since it breaks the instance in Firefox, and the Referrer-Policy keeps nagging me even after adding it in nginx config.
Is this the first time you’ve seen this error? (Y/N)
Config to replicate it:
upstream php-handler {
server unix:/var/run/php/php7.0-fpm.sock;
}
server {
root /var/www;
index index.php;
error_log /var/log/nginx/nextcloud-error.log;
access_log /var/log/nginx/nextcloud-access.log combined;
server_name cloud.intra;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer always;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
#add_header Content-Security-Policy "default-src 'none' data: blob:; font-src 'self';
# connect-src 'self'; img-src 'self' data: blob:; object-src 'self';
# style-src 'self'; script-src 'self'; media-src 'self';
# base-uri 'self'; frame-ancestors 'self'; form-action 'self';
# https://cloud.intra;";
# REMOVED UNTIL RESOLVED
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer no-referrer-when-downgrade strict-origin strict-origin-when-cross-origin same-origin";
client_max_body_size 900G;
fastcgi_buffers 64 4K;
gzip off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_param PHP_VALUE "
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1";
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_hide_header X-Powered-By;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/nginx/ssl/cloud.intra/cloud_intra_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/cloud.intra/cloud.intra.key;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 1.1.1.1 1.0.0.1 8.8.8.8;
}
server {
return 301 https://$host$request_uri;
listen 80 ;
listen [::]:80 ;
server_name nextcloud.intra;
error_page 404 /var/www/core/templates/404.php;
return 404;
}
The output of your Nextcloud log in Admin > Logging:
Continuous spam about "Zend OPcache can't be temporary enabled (it may be only disabled till the end of request) at Unknown#0" - FUBAR.
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
'instanceid' => 'STRIPPED',
'passwordsalt' => 'STRIPPED',
'secret' => 'STRIPPED',
'trusted_domains' =>
array (
0 => 'cloud.intra',
),
'datadirectory' => '/var/www/data',
'dbtype' => 'mysql',
'version' => '15.0.2.0',
'overwrite.cli.url' => 'https://cloud.intra',
'dbname' => 'owncloud',
'dbhost' => 'localhost:3306',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'owncloud',
'dbpassword' => 'STRIPPED',
'installed' => true,
'updater.release.channel' => 'production',
'memcache.local' => '\OC\Memcache\APCu',
);
The output of your Apache/nginx/system log in /var/log/nginx
: Is largely irrelevant.