@dan @pmh @victor did any of you upgrade to Nextcloud 29 on Core? I just did that and all is working as expected but i did encounter an issue that i did not encouter with NC28
Some related posts mention the issue is related with nginx or Apache but since we have caddy, not sure that flies.
Just wanted to check if you guys bumped onto anything.
I’ve updated the script to install NC 29, and I haven’t seen that error. You may want to check your Caddyfile, and update it to match what’s in the Github repo.
Well, i checked both. The only line i have inthere that isn’t on Gtihub is this:
header {
enable HSTS
Strict-Transport-Security max-age=31536000;
}
For the rest, they are identical and have not been altered during the update. I didn’t have any issue with NC28 either with the same Caddyfile.
I haven’t updated to 29 yet.
Are you sure about that? The GitHub repos Caddyfiles all have that line.
Can you share your Caddyfile, redacting sensitive info?
Sure, @victor here it is.
{
# debug
}
192.***.*.***:80, ***.*******.***:80 {
root * /usr/local/www/nextcloud
file_server
log {
output file /var/log/192.***.*.***.log
}
php_fastcgi 127.0.0.1:9000 {
env front_controller_active true
}
header {
enable HSTS
Strict-Transport-Security max-age=31536000;
}
# client support (e.g. os x calendar / contacts)
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
# Required for legacy
@notlegacy {
path *.php
not path /index*
not path /remote*
not path /public*
not path /cron*
not path /core/ajax/update*
not path /status*
not path /ocs/v1*
not path /ocs/v2*
not path /updater/*
not path /ocs-provider/*
not path */richdocumentscode/proxy*
}
rewrite @notlegacy /index.php{uri}
# .htaccess / data / config / ... shouldn't be accessible from outside
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}
This is what i pulled from Github (caddyfile-nossl)
{
# debug
}
yourhostnamehere:80, jail_ip:80 {
root * /usr/local/www/nextcloud
file_server
log {
output file /var/log/yourhostnamehere.log
}
php_fastcgi 127.0.0.1:9000 {
env front_controller_active true
}
# client support (e.g. os x calendar / contacts)
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
# Required for legacy
@notlegacy {
path *.php
not path /index*
not path /remote*
not path /public*
not path /cron*
not path /core/ajax/update*
not path /status*
not path /ocs/v1*
not path /ocs/v2*
not path /updater/*
not path /ocs-provider/*
not path */richdocumentscode/proxy*
}
rewrite @notlegacy /index.php{uri}
# .htaccess / data / config / ... shouldn't be accessible from outside
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}
My bad. The “nossl” version will not have that line.
The file looks correct though.
How are you accessing Nextcloud? Reverse proxy?
What is doing the cert handling? Or are you accessing only via port 80?
i am accessing nextcloud only through an FQDN with letsencrypt certs via HAproxy, set up in pfSense. Access works perfectly fine and i don’t detect any anomalities while accessing. Also connections with the mobile and desktop apps is fine. Same as it was with 28 where i did not get this error notification.
Also, when i perform the security scan, i get an A+.
I’m wondering if perhaps Nextcloud 29 introduced some different checks. Maybe you could check their forums and ask there.
i found the solution today:
Indeed, apparently with NC29 this check is now run from server side. Seems that one entry in config.php under “trusted domains” was causing the issue. By default it contains ‘localhost’ and the IP of the jail. I added my FQDN afterwards. The new check doesn’t like ‘localhost’ in there. After i removed that, the check passed successfully. Case closed.