Unavoidable security & setup warnings with NC 21 update

Hello,

I have an NC instance running on a VPS using Docker-Compose. I have just updated to NC 21 and I get the following warnings, which I cannot get rid of:

  • Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the documentation.
  • Your web server is not properly set up to resolve “/.well-known/nodeinfo”. Further information can be found in the documentation.
  • Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add “default_phone_region” with the respective ISO 3166-1 code of the region to your config file.
  • Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it.

Any help on that? Thanks

To be more precise, I have added the following lines to my nginx config file:

    location = /.well-known/webfinger {
            rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    }

    location = /.well-known/nodeinfo {
            rewrite ^/.well-known/nodeinfo /public.php?service=nodeinfo last;
    }

For the phone region, not enough detail is provided on what has to be done, especially in a Docker environment.
For php-imagick I don’t think I can change that using the official Docker images.

I think I can help out regarding the default_phone_region:
In my nextcloud directory I opened /config/config.php and appended

'default_phone_region' => 'DE',

just before the closing bracket at the last line. According to the linked Wikipedia page 'DE' is the code for my country’s phone region. The error message regarding missing default_phone_region disappears after a new security check.

Thank you Pixolin. I suppose this config file is not overwritten when I update through docker-compose.

Same problem here, running NC 21.0.0 rc2 on a Debian Buster machine with NGinx, MariaDB and PHP7.4-fpm, with NC in the webroot.

Digging into the manual and pasting snippets from here and there, I found the following rewrite section to work just fine for my host:

    location ^~ /.well-known {
        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }
        try_files $uri $uri/ =404;
    }

After putting this into the server config and force-reloading it, all checks pass OK.

Hope this helps.

Thanks Miyamoto, I was able to get rid of the warnings with the following configuration:

    location = /.well-known/carddav {
        return 301 /remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 /remote.php/dav;
    }

    location ^~ /.well-known {
        return 301 /index.php$uri;
    }

Now I’m left with only the imagick warning.

sudo apt install libmagickcore-dev solved my imagick warning. Hope it also helps you.

I’m on nginx and MariaDB as well, but on CentOS 8.3. I have all three settings in the nginx conf file but am still getting those two warnings.

Thanks Vlad, but I’m using an official Docker image; this should be included in the image by default if it raises a warning.

Stupid question: did you restart nginx after changing the configuration?

Yes, of course 🙂

To get better support, create your own thread and post your nginx conf file.

I don’t think a new thread is justified. I have exactly the same issue as the OP, and it happened after the update to 21.
Here is my nginx conf file.

server {
    listen 80;
    listen [::]:80;
    server_name www.cloud.shrisha.tk cloud.shrisha.tk;
    root /var/www/shrisha.tk/nextcloud/;
    index index.html;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
    return 301 https://cloud.shrisha.tk$request_uri;
    access_log /var/log/nginx/shrisha.tk.access.log;
    error_log /var/log/nginx/shrisha.tk.error.log;

    #location / {
    #    try_files $uri $uri/ =404;
    #}
    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
        server_name 192.168.1.20;
        # you can add other server_name if you need other IPs
        # or domain names such as without the www
        add_header X-Frame-Options "SAMEORIGIN";
        return 301 $scheme://cloud.shrisha.tk$request_uri;
}

server {
        server_name 10.147.20.20;
        # you can add other server_name if you need other IPs
        # or domain names such as without the www
        add_header X-Frame-Options "SAMEORIGIN";
        return 301 $scheme://cloud.shrisha.tk$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.cloud.shrisha.tk;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
    ssl_certificate /etc/letsencrypt/live/shrisha.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shrisha.tk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/shrisha.tk/chain.pem;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    return 301 https://cloud.shrisha.tk$request_uri;
}

server {
    listen 443 ssl http2;
    server_name cloud.shrisha.tk;
    root /var/www/shrisha.tk/nextcloud/;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/shrisha.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shrisha.tk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/shrisha.tk/chain.pem;
    access_log /var/log/nginx/shrisha.tk.access.log;
    error_log /var/log/nginx/shrisha.tk.error.log;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;

    #I found this header is needed on Debian/Ubuntu/CentOS/RHEL, but not on Arch Linux.
    add_header X-Frame-Options "SAMEORIGIN";

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # . . . other code
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }

    location ^~ /.well-known {
        return 301 $scheme://$host/index.php$uri;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

What is the config for Apache?

I have limited knowledge regarding nginx config, but at first glance it might be a conflict with either:

rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

or

location ~ /.well-known/acme-challenge {
  allow all;
}

Try commenting out these lines to see if there is a difference.
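To see which block actually handles each `.well-known` request in the config posted above, here is an added example (not code from the thread or from Nextcloud): a small Python model of nginx's location selection order, applied to the posted location blocks. `LOCATIONS`, `select_location` and the shorthand labels are constructed for this illustration, and nested locations and `rewrite` directives are deliberately not modelled.

```python
import re

# Simplified model of nginx's location selection (constructed for this
# example; nested locations and "rewrite" directives are not modelled):
#   1. an exact "=" match wins immediately;
#   2. the longest matching prefix wins outright if it is marked "^~";
#   3. otherwise regex locations ("~", "~*") are tried in file order;
#   4. otherwise the longest matching prefix is used.

# The location blocks from the nginx config posted above, reduced to
# (modifier, pattern, label); labels are shorthand for what each block does.
LOCATIONS = [
    ("=",  "/.well-known/carddav", "301 -> /remote.php/dav"),
    ("=",  "/.well-known/caldav",  "301 -> /remote.php/dav"),
    ("~",  r"/.well-known/acme-challenge", "allow all (ACME)"),
    ("^~", "/.well-known",         "301 -> /index.php$uri"),
    ("",   "/",                    "rewrite ^ /index.php"),
    ("~",  r"^/(?:\.|autotest|occ|issue|indie|db_|console)", "deny all"),
    ("~",  r"^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]"
           r"|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)",
           "php-fpm"),
]

def select_location(uri, locations=LOCATIONS):
    """Return the label of the block nginx would choose for `uri`."""
    for mod, pat, label in locations:          # step 1: exact matches
        if mod == "=" and uri == pat:
            return label
    best = None                                 # step 2: longest prefix
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best is not None and best[0] == "^~":    # ^~ stops the regex search
        return best[2]
    for mod, pat, label in locations:          # step 3: regexes in order
        if mod == "~" and re.search(pat, uri):
            return label
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return label
    return best[2] if best is not None else None  # step 4: fallback

if __name__ == "__main__":
    for uri in ["/.well-known/webfinger", "/.well-known/nodeinfo",
                "/.well-known/carddav", "/.well-known/acme-challenge/token",
                "/index.php/.well-known/webfinger", "/.git/config"]:
        print(f"{uri:36} -> {select_location(uri)}")
```

With the posted order, `/.well-known/acme-challenge/...` also lands in the `^~ /.well-known` block and is redirected to index.php, so the `allow all` block is never reached; that matters if Let's Encrypt HTTP-01 renewals are meant to be served by this vhost.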

Does anyone know how to redirect webfinger on an apache2 host in the conf file?

I can’t guarantee that would work, but have you tried adding something like:

RewriteRule ^\.well-known /index.php%{REQUEST_URI} [R=301,L]

I just tried that, but it does not work. I now have:

Redirect 301 /.well-known/carddav "/nextcloud/remote.php/dav"
Redirect 301 /.well-known/caldav "/nextcloud/remote.php/dav"
RewriteRule ^.well-known /nextcloud/index.php%{REQUEST_URI} [R=301,L]

In the apache2 conf file of the root of the webserver. Nextcloud is in a subdir.
I also tried:

   #Redirect 301 /.well-known/webfinger "/nextcloud/public.php?service=webfinger"
   #Redirect 301 /.well-known/nodeinfo "/nextcloud/public.php?service=nodeinfo"

The carddav and caldav redirects are working well. Webfinger and nodeinfo are not.

Try adding this to the .htaccess file:

RewriteRule ^\.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/nodeinfo https://%{SERVER_NAME}/public.php?service=nodeinfo [QSA,L]

Yes, I tried that. No effect.
Is this a bug in NC21’s public.php or something?
I’ve read that in NC21 something changed in the well-known API handler:

Replaced well-known handler API
There was an old, unused and unofficial mechanism to hook into well-known discovery via config settings. This includes host-meta, host-meta.json, nodeinfo and webfinger. A new public API replaces this mechanism in Nextcloud 21.

Could there be a problem?