SSL works fine, but I am still getting "Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead." error

Nextcloud version: 29.0.0
Operating system and version: Ubuntu 22.04
Apache or nginx version: Apache/2.4.59
PHP version: 8.2.19

Hi all,

On my Administration overview, I am getting this warning:

Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead. Without it some important web functionality like “copy to clipboard” or “service workers” will not work! For more details see the documentation :arrow_upper_right:.

This started appearing after migrating my NC instance from bare metal to a Docker container. Nextcloud runs on Docker and is reverse proxied through my Apache2 reverse proxy.

I am not quite sure why I am seeing that, because I am not accessing Nextcloud via HTTP but via HTTPS (as confirmed by my browser, both the current versions of Brave and Chrome). My best guess right now is that, while my configuration is fine in the sense that I have blocked all the routes to access NC via HTTP, NC is unable to detect that and, subsequently, this may be a false positive. At the same time, reading previous posts on this forum, it seems that usually, when this error shows up, it is for a reason.

In addition, my config.php should be good - my understanding is that those settings a) only allow access to Nextcloud if a request comes in through my proxy, and b) rewrite the URL should it come as HTTP.

{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "subdomain.mydomain.io"
    ],
    "maintenance_window_start": 1,
    "trusted_proxies": ["127.0.0.1", "::1"],
    "overwritehost": "subdomain.mydomain.io",
    "overwriteprotocol": "https",
    "overwritewebroot": "\/",
    "overwritecondaddr": "^127\\.0\\.0\\.1$",
    "trusted_headers": [
        "X-Forwarded-For",
        "X-Forwarded-Host",
        "X-Forwarded-Proto"
    ],
    "debug": false,
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "29.0.0.19",
    "overwrite.cli.url": "https:\/\/subdomain.mydomain.io\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "theme": "",
    "default_phone_region": "DE",
    "loglevel": 2,
    "maintenance": false,
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "twofactor_enforced": "true",
    "twofactor_enforced_groups": [],
    "twofactor_enforced_excluded_groups": [],
    "updater.release.channel": "stable",
    "app_install_overwrite": [
        "twofactor_totp"
    ],
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "allow_local_remote_servers": true
}

Furthermore, my nextcloud.conf for the enabled site on Apache covers this, too:

<IfModule mod_ssl.c>

<VirtualHost *:80>
   ServerName subdomain.mydomain.io
   Redirect permanent / https://subdomain.mydomain.io/
</VirtualHost>

<VirtualHost *:443>
    ServerName subdomain.mydomain.io

    ErrorLog ${APACHE_LOG_DIR}/nextcloud.error
    CustomLog ${APACHE_LOG_DIR}/nextcloud.access combined

    # Proxy configuration
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Ensure the necessary headers are passed
    <Location />
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Host "subdomain.mydomain.io"
        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
    </Location>

    # Set up directory and environment
    <Directory /var/www/nextcloud/>
        Require all granted
        Options FollowSymlinks MultiViews
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any
    </Directory>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/subdomain.mydomain.io/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.mydomain.io/privkey.pem
</VirtualHost>
</IfModule>

# Configuration to deny direct access
<VirtualHost *:8080>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</VirtualHost>

Finally, my docker config is set so that it binds to the localhost as well, so even that doesn’t allow for connections from outside without HTTPS:

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=
      - MYSQL_USER=

  app:
    image: nextcloud
    restart: always
    ports:
      - "127.0.0.1:8080:80"
    links:
      - db
      - redis
    volumes:
      - /mnt/data/data:/var/www/nextcloud/data
      - /mnt/data/config:/var/www/html/config
      - /mnt/data/apps:/var/www/html/custom_apps
      - /mnt/data/themes:/var/www/html/themes
      - /mnt/data:/var/www/html
    environment:
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=
      - MYSQL_USER=
      - MYSQL_HOST=db

  redis:
    image: redis:alpine
    restart: always

hi @bigtbear welcome to the forum :handshake:

usually you don’t need this entry:

in Docker I would expect different IPs

(unless you run your reverse proxy inside of the app container - which is not common)

in general - many values seem to have “useless or bad” backslashes e.g

maybe this results from copy&paste but it is not expected in a plain config.php - replace with valid values if required.

Commenting this config entry did the trick. Thank you, kind Swiss stranger. Now I can go back to troubleshooting all the other errors Nextcloud is throwing after my migration. Thanks again, this was great. :heart_eyes:

1 Like
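
Added example (not part of the thread and not Nextcloud's own code): a simplified Python model of how the posted settings interact once the backend runs in a container. It assumes the entry discussed is the address condition `overwritecondaddr` and that Apache reaches the container from a Docker bridge address (`172.18.0.1` is a constructed value).

```python
import ipaddress
import re

def is_trusted_proxy(config, remote_addr):
    """True if remote_addr falls inside any trusted_proxies entry (IP or CIDR)."""
    addr = ipaddress.ip_address(remote_addr)
    for entry in config.get("trusted_proxies", []):
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def server_protocol(config, remote_addr, headers):
    """Scheme the backend concludes the client used (simplified model)."""
    proto = config.get("overwriteprotocol", "")
    cond = config.get("overwritecondaddr", "")
    # The overwrite applies unconditionally when no address condition is set.
    if proto and (cond == "" or re.search(cond, remote_addr)):
        return proto
    # Forwarded headers are honoured only from a trusted proxy address.
    fwd = headers.get("X-Forwarded-Proto", "")
    if fwd and is_trusted_proxy(config, remote_addr):
        return fwd.split(",")[0].strip().lower()
    return "http"  # the container itself is reached over plain HTTP

# Values from the posted config.php (JSON escaping of the regex undone).
POSTED = {
    "trusted_proxies": ["127.0.0.1", "::1"],
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^127\.0\.0\.1$",
}
# Header the Apache vhost sets on every proxied request.
PROXY_HEADERS = {"X-Forwarded-Proto": "https"}
# Constructed: address Apache appears to come from inside the container.
BRIDGE_GATEWAY = "172.18.0.1"

def without_condition(config):
    """Copy of config with the address condition removed."""
    return {k: v for k, v in config.items() if k != "overwritecondaddr"}

if __name__ == "__main__":
    print("bare metal  :", server_protocol(POSTED, "127.0.0.1", PROXY_HEADERS))
    print("in container:", server_protocol(POSTED, BRIDGE_GATEWAY, PROXY_HEADERS))
    print("cond removed:",
          server_protocol(without_condition(POSTED), BRIDGE_GATEWAY, PROXY_HEADERS))
```

With the condition removed, the forced scheme applies to every peer, so the `127.0.0.1:8080:80` port binding in the compose file is what keeps the backend reachable only through Apache.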
    volumes:
      - /mnt/data/data:/var/www/nextcloud/data
      - /mnt/data/config:/var/www/html/config
      - /mnt/data/apps:/var/www/html/custom_apps
      - /mnt/data/themes:/var/www/html/themes
      - /mnt/data:/var/www/html

Not related to your original issue, but since you mentioned some other warnings, I did notice a couple of things that stood out to me when reviewing your config:

  • Your configuration doesn’t look complete for the micro-services image. If you migrate, it’s important your config.php is adapted per the Docker migration instructions since the Docker image depends on other aspects of the config.
  • The above volume configuration is going to be problematic for /mnt/data/apps:/var/www/html/custom_apps since it’ll overlap with real /var/www/html/apps within the container itself (and both apps/ and custom_apps/ must exist - independently - when using the Docker environment)
  • Other than the /mnt/data/data:/var/www/nextcloud/data the rest of those volume entries are, at best, unnecessary since /mnt/data:/var/www/html will already (inherently) include all of those other sub-folders
1 Like

Thanks jtr - you may have saved me a lot of time. The first thing I have done to mitigate the errors (which came, as a majority, from different apps) was uninstalling all those apps I don’t need (should have done that before migration - sometimes the app store mechanism just seduces you to install crap) and then I was going to enable them one by one. But you are right, I missed the few pieces in the config AND I never adjusted the permissions, so maybe that was what was causing those issues.

I am grateful for your time. Thanks

1 Like