Please help fixing this Strict-Transport-Security error in Nextcloud

Somebody please tell me if this nextcloud configuration (config.php) is correct for

Router port 443 → Nginx Proxy Manager port 30022 → Nextcloud port 9001?

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'nextcloud-redis',
    'password' => '-',
    'port' => 6379,
  ),
  'overwritehost' => 'cloud.example.com',
  'overwriteprotocol' => 'https',
  'trusted_proxies' =>
  array (
    0 => '192.168.1.11'
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
    1 => 'localhost'
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '29.0.4.1',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud-postgres:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => '-',
  'installed' => true,
  'instanceid' => 'ocdeew47qsef',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
    0 => 'admin',
  ),
  'loglevel' => 2,
  'maintenance' => false,
);


Nextcloud runs, but I can’t figure out how I can get rid of this error:

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.

on the Nextcloud overview page

pleaseee

The Nextcloud configuration file is irrelevant to this stated issue (which isn’t really an issue at all, but Nextcloud likes to make mountains out of molehills). HSTS is something you’d enable, if desired, in NPM. But make sure you understand its ramifications before doing so; it can lock you out of your site if there are problems.

No, I didn’t enable anything. The thing is that this error appears only when I’m accessing Nextcloud through the nginx proxy, which proxies from port 30022 to Nextcloud port 9001. Note that, for some reason, if I don’t want to get a whole set of errors on the Nextcloud overview page, I have to include localhost in the config.php file. When I set nginx to use port 443 instead, it works and there is no need for the localhost entry in the trusted hosts section.

I’m forced to use this 30022 port, because otherwise Nginx Proxy Manager isn’t listening on port 443, and the TrueNAS host nginx configuration rewrites itself to its default values after some time automatically, or if I change network settings.

Interestingly, when using the nginx proxy with port 30022, I can test my website successfully for HSTS with online tools, but Nextcloud itself can’t see it.

OK, I will answer my own question and try to install the Nginx TrueCharts version to bind it to standard ports. The funny thing is that all my questions here went nowhere.

In that case, the answer would appear to be that Nextcloud’s test is overly sensitive and gives false positives. Which isn’t a surprise; that’s true of a lot of their code. If you know the HSTS headers are there, you can safely ignore this warning.

In the Nextcloud docs they say it is recommended to leave only one domain in trusted_hosts.

Something very interesting happens here.

When I leave only a single domain in trusted_host, for example domain.example.com, not a single error appears when I set my router to forward external port 443 to internal port 443. In this case the TrueNAS host nginx config is configured to listen on port 443 and proxy requests to Nextcloud’s internal port 9001.

Now, when I set my router to forward port 443 to Nginx Proxy Manager, which is in the docker container on port 30022 (and can’t listen on port 443 because of the docker limitation), look what I see on the Nextcloud overview page:

UPDATE
It seems like Nextcloud bypasses the proxy during its configuration check and requests information from the host on port 443, because when the router is still configured to forward port 443 to nginx port 30022 and I add another nginx proxy on the host to serve 443, then it works again.

I’m moving forward a little bit…

When the host nginx proxy is disabled, the Nextcloud docker container is unable to:

curl cloud.example.com

So instead of asking my router about cloud.example.com, it asks itself and of course doesn’t get anything, because port 443 isn’t being forwarded to Nginx Proxy Manager.

What can be a cause of this?

Maybe it’s a DNS issue? How do I tell Nextcloud to use my router as its DNS server?
Or, even better, a gateway issue?

It turns out that if you set your router to forward port 443 to Nginx Proxy Manager port 30022 (or whatever you set there), and leave only your domain name in the trusted_hosts of the Nextcloud config.php file, like:

'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
  )

then the Nextcloud overview page is unable to connect to itself using the domain name you specified in trusted_hosts from inside the local network, because the host is not proxying to the Nextcloud service.

Hi,
I think dan is correct.
Recently Nextcloud has been reporting all kinds of errors and warnings.
However, to be honest, I understand lev.
It’s causing me some stress to see these constant warnings, especially since I’m not an expert. It can be difficult to determine what’s really important and what’s just a minor issue.

However, dealing with the issues is very helpful for learning.
I got the same error reported by lev some weeks ago after upgrading Nextcloud.

I am using Nextcloud behind Nginx, both installed using the TrueNAS catalogue.
Same port configuration as indicated by lev.
My server is TrueNAS Scale (24.04.2).

This is the warning:
“Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds)”

The documentation indicates to adjust this:
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
One suggested solution I found online is to increase it to 2 years:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;

The first problem was to find the configuration file. It took me days.
I found it in the nginx.conf file under the nginx pod inside the Nextcloud.

I thought it would be easy after that, but the file (nginx.conf) is read-only.
So, I have not been able to edit it.
lrwxrwxrwx 1 root 568 17 Aug 3 19:11 nginx.conf -> …data/nginx.conf

The owner of the file is root/568
I do not understand why the file is owned by root/568 instead of www-data as the rest (majority) of files in Nextcloud.

I think that chown the file to www-data may allow me to edit it, but I do not want to break something else by changing the owner of the file.

Any idea?
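To see what the overview check is actually testing, here is an added Python example (not Nextcloud’s own code) that parses a Strict-Transport-Security value and applies the 15552000-second threshold from the warning to two constructed responses: one carrying the documented nginx header as served through the proxy, and one without it, as the container sees when its request lands on the host on port 443 instead of Nginx Proxy Manager.

```python
# Minimum max-age Nextcloud's overview check demands (15552000 s = 180 days).
NEXTCLOUD_MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directives are separated by ';'. A trailing ';' (as in the nginx line
    quoted in the thread, "... preload;") just yields an empty token, which
    is ignored. Directive names are case-insensitive.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def check_hsts(headers):
    """Evaluate response headers the way the Nextcloud warning describes.

    `headers` maps header name -> value; names are matched case-insensitively.
    Returns (ok, reason).
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return False, "Strict-Transport-Security header is not set"
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "max-age directive missing or not numeric"
    if int(max_age) < NEXTCLOUD_MIN_MAX_AGE:
        return False, f"max-age={max_age} is below {NEXTCLOUD_MIN_MAX_AGE}"
    return True, f"max-age={max_age}"


# Constructed sample responses (not captured from a real system): what the
# check sees when it reaches the proxy that adds the documented header, versus
# when it hits the host directly on 443, where nothing adds the header.
VIA_PROXY = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload;",
}
VIA_HOST_DIRECT = {"Server": "nginx"}

if __name__ == "__main__":
    print("via proxy:      ", check_hsts(VIA_PROXY))
    print("via host direct:", check_hsts(VIA_HOST_DIRECT))
```

Online HSTS testers and the overview check can disagree simply because they fetch the site from different vantage points; running a comparable request from inside the Nextcloud container shows which response the check is evaluating.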

Hi there,

The problem is that, whatever change you make in the pod, it will most likely be ignored / overwritten with the initial pod installation values!

I wonder if the next TrueNAS version (Electric Eel) will allow docker containers to preserve user configuration changes after the initial installation, because developers are unaware that we, end users, WILL HAVE TO CHANGE or upgrade application packages due to the fact that their software isn’t always perfect. A great example is Nextcloud’s default smbclient package, which is nothing but incompatible garbage.

I’ve managed to get rid of all kinds of errors on the Nextcloud overview page by configuring the main /etc/nginx.conf file to act as a proxy server to Nextcloud and Collabora, BUT I had to create a startup script to copy and overwrite my nginx.conf file to /etc/nginx.conf every time the system boots.

I think the main reason why Nextcloud was complaining about the Strict-Transport-Security misconfiguration is that it was looking for that directive under the localhost virtual host section in its nginx configuration (because I added localhost in the trusted_hosts section), and of course there is no such setting there.

But this is not the end of the troubles; we are missing the most important feature, mainly the reason why we all install Nextcloud: Background Sync. iOS devices can’t sync data if the Nextcloud app isn’t active :confused:

I know this is off topic, but I have to say that Nextcloud is completely useless without this feature.


Electric Eel will not allow that, that’s how docker works! It does not persist. To persist, you have to set a hostpath (or volume in docker). If you want to retain changes to some file or directory, set a hostpath for it.

The hostpath is set to a different dataset, there is no ix-applications, but for example if I open the Nextcloud pod shell and install a package there, it is lost after a restart.

What if I want these packages to be permanent in the container?

apt install smbclient libsmbclient-dev
pecl install smbclient
docker-php-ext-enable smbclient

As I said, the datasets are set outside ix-applications.
When I enter these commands in the pod shell they install these packages no problem, but how do I make them stay like that when I restart the container?

Use a different container that includes them. Or install Nextcloud in a different way (like a VM, or a sandbox) that lets you install arbitrary packages to it. You’re running into a fundamental design decision (or limitation) of using Docker images for your apps.


Right, so, if for example (and the file may not even be there, no idea, and it doesn’t matter) you update a config file at /var/www/html/config.php and expect that to be there on the next startup of the container, it will not be. However, if you set a hostpath for /var/www/html/config.php to somewhere on your pools, it will be there on the next startup. That’s how docker works and is supposed to work.

Now, if you want to make the container have more stuff in it, like other software as you do, you need to extend the standard docker container with an enhanced Dockerfile and make your own container. Or, as Dan says, find one with that already in it. I.e., you have to know more about docker.

Here’s an example, part of my Nextcloud Dockerfile from which I build my own container to load into TrueNAS:

FROM nextcloud:29.0.3-apache

RUN set -ex; \
    \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        libmagickcore-6.q16-6-extra \
        procps \
        vim \
        mariadb-client \
        supervisor \
        pigz \
    ; \
    rm -rf /var/lib/apt/lists/*

Are you installing your container using this?


Or are you installing docker from the shell?

I don’t understand, guys, how you’re running this Dockerfile in the TrueNAS environment? This feature is yet to be implemented :confused:

Custom app; you can run 99.9% of all containers that way. I would never install docker or anything from the shell. Nextcloud runs fine, but for some reason you want to add SMB to it, which I presume it doesn’t come with. To do that, you would either build your own container, or you would look for someone else who has done so with SMB.

So, in short, to build your own container, you’d need to learn docker and how to build containers. Not trivial, but not extremely hard. I doubt very many others are building their own containers; most people would just run the standard image.

Great, I’ve been installing nginx that way, unfortunately unsuccessfully. But what about updates?

By the way, TrueNAS promises to migrate all current installations to their new docker method automatically when you update to Eel.