Nextcloud version: 29.0.0
Operating system and version: Ubuntu 22.04
Apache or nginx version: Apache/2.4.59
PHP version: 8.2.19
Hi all,
On my Administration overview, I am getting this warning:
Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead. Without it some important web functionality like “copy to clipboard” or “service workers” will not work! For more details see the documentation.
This started appearing after migrating my NC instance from bare metal to a Docker container. Nextcloud runs on Docker and is reverse proxied through my Apache2 reverse proxy.
I am not quite sure why I am seeing that, because I am not accessing Nextcloud via HTTP but via HTTPS (as confirmed by my browser, both the current versions of Brave and Chrome). My best guess right now is that, while my configuration is fine in the sense that I have blocked all the routes to access NC via HTTP, NC is unable to detect that and, subsequently, this may be a false positive. At the same time, reading previous posts on this forum, it seems that usually, when this error shows up, it is for a reason.
In addition, my config.php should be good - my understanding is that those settings a) only allow access to Nextcloud if a request comes in through my proxy, and b) rewrite the URL should it come as HTTP.
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "subdomain.mydomain.io"
    ],
    "maintenance_window_start": 1,
    "trusted_proxies": ["127.0.0.1", "::1"],
    "overwritehost": "subdomain.mydomain.io",
    "overwriteprotocol": "https",
    "overwritewebroot": "\/",
    "overwritecondaddr": "^127\\.0\\.0\\.1$",
    "trusted_headers": [
        "X-Forwarded-For",
        "X-Forwarded-Host",
        "X-Forwarded-Proto"
    ],
    "debug": false,
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "29.0.0.19",
    "overwrite.cli.url": "https:\/\/subdomain.mydomain.io\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "theme": "",
    "default_phone_region": "DE",
    "loglevel": 2,
    "maintenance": false,
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "twofactor_enforced": "true",
    "twofactor_enforced_groups": [],
    "twofactor_enforced_excluded_groups": [],
    "updater.release.channel": "stable",
    "app_install_overwrite": [
        "twofactor_totp"
    ],
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "allow_local_remote_servers": true
}
Furthermore, my nextcloud.conf for the enabled site on Apache covers this, too:
<IfModule mod_ssl.c>
    <VirtualHost *:80>
        ServerName subdomain.mydomain.io
        Redirect permanent / https://subdomain.mydomain.io//
    </VirtualHost>
    <VirtualHost *:443>
        ServerName subdomain.mydomain.io
        ErrorLog ${APACHE_LOG_DIR}/nextcloud.error
        CustomLog ${APACHE_LOG_DIR}/nextcloud.access combined
        # Proxy configuration
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        # Ensure the necessary headers are passed
        <Location />
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Host "subdomain.mydomain.io"
            RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
        </Location>
        # Set up directory and environment
        <Directory /var/www/nextcloud/>
            Require all granted
            Options FollowSymlinks MultiViews
            AllowOverride All
            <IfModule mod_dav.c>
                Dav off
            </IfModule>
            SetEnv HOME /var/www/nextcloud
            SetEnv HTTP_HOME /var/www/nextcloud
            Satisfy Any
        </Directory>
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
        </IfModule>
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/subdomain.mydomain.io/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.mydomain.io/privkey.pem
    </VirtualHost>
</IfModule>
# Configuration to deny direct access
<VirtualHost *:8080>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</VirtualHost>
Finally, my docker config is set so that it binds to the localhost as well, so even that doesn’t allow for connections from outside without HTTPS:
version: '2'
volumes:
  nextcloud:
  db:
services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=
      - MYSQL_USER=
  app:
    image: nextcloud
    restart: always
    ports:
      - "127.0.0.1:8080:80"
    links:
      - db
      - redis
    volumes:
      - /mnt/data/data:/var/www/nextcloud/data
      - /mnt/data/config:/var/www/html/config
      - /mnt/data/apps:/var/www/html/custom_apps
      - /mnt/data/themes:/var/www/html/themes
      - /mnt/data:/var/www/html
    environment:
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=
      - MYSQL_USER=
      - MYSQL_HOST=db
  redis:
    image: redis:alpine
    restart: always
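
An added example (not part of the original post, and not Nextcloud's own code): a simplified Python model of how the scheme of a request is decided from `overwriteprotocol`, `overwritecondaddr`, `trusted_proxies` and `X-Forwarded-Proto`, evaluated with the values from the config.php above. The peer address `172.18.0.1` is a constructed stand-in for a Docker bridge gateway, on the assumption that the container sees the proxy's connection arrive from that address rather than from `127.0.0.1`; the function names are hypothetical.

```python
import ipaddress
import re

# Values copied from the config.php shown in the post.
CONFIG = {
    "trusted_proxies": ["127.0.0.1", "::1"],
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^127\.0\.0\.1$",
}

def overwrite_applies(cfg, remote_addr):
    """overwrite* settings apply only when the peer matches overwritecondaddr."""
    pattern = cfg.get("overwritecondaddr", "")
    return pattern == "" or re.search(pattern, remote_addr) is not None

def is_trusted_proxy(cfg, remote_addr):
    """True when the connecting peer is listed in trusted_proxies (IP or CIDR)."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in ipaddress.ip_network(entry, strict=False)
               for entry in cfg.get("trusted_proxies", []))

def detected_protocol(cfg, remote_addr, headers, direct_tls=False):
    """Simplified model (assumption): overwrite first, then forwarded header."""
    if cfg.get("overwriteprotocol") and overwrite_applies(cfg, remote_addr):
        return cfg["overwriteprotocol"]
    forwarded = headers.get("X-Forwarded-Proto", "")
    if forwarded and is_trusted_proxy(cfg, remote_addr):
        return forwarded.split(",")[0].strip().lower()
    return "https" if direct_tls else "http"

# Header the Apache vhost in the post sets on every proxied request.
PROXY_HEADERS = {"X-Forwarded-Proto": "https"}

# Constructed peer addresses: loopback (bare metal) and a stand-in for the
# Docker bridge gateway (assumption; read the real one from the container log).
BARE_METAL_PEER = "127.0.0.1"
DOCKER_PEER = "172.18.0.1"

# Same config with the bridge address trusted and matched by the condition.
ADJUSTED = dict(CONFIG, trusted_proxies=["127.0.0.1", "::1", DOCKER_PEER],
                overwritecondaddr=r"^(127\.0\.0\.1|172\.18\.0\.1)$")

def report(cfg):
    """Scheme the model detects for each peer address under cfg."""
    return {peer: detected_protocol(cfg, peer, PROXY_HEADERS)
            for peer in (BARE_METAL_PEER, DOCKER_PEER)}

if __name__ == "__main__":
    print("posted config:  ", report(CONFIG))
    print("adjusted config:", report(ADJUSTED))
```

The address the container actually logs for proxied requests is the value to compare against `trusted_proxies` and `overwritecondaddr`; trusting a whole bridge subnet instead of a single address widens which peers may set the forwarded headers.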