[Bug]: After update to 29: Some headers are not set correctly on your instance

[jiriks74]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

After update to 29 I get some errors which I've already solved in my Traefik configuration:

The errors

Nastavení hlaviček reverzní proxy není správné nebo přistupujete na Nextcloud z důvěryhodné proxy. Pokud nepřistupujete k Nextcloud z důvěryhodné proxy, potom je toto bezpečností chyba a může útočníkovi umožnit falšovat IP adresu, kterou NextCloud vidí. Podrobnosti naleznete v [dokumentaci ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-reverse-proxy).
Some headers are not set correctly on your instance - The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `X-Frame-Options` HTTP header is not set to `sameorigin`. Some features might not work correctly, as it is recommended to adjust this setting accordingly. - The `X-Permitted-Cross-Domain-Policies` HTTP header is not set to `none`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the [W3C Recommendation](https://www.w3.org/TR/referrer-policy/). - The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS. Podrobnosti naleznete v [dokumentaci ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security).

I checked and the headers are set. I've specifically checked the nosniff setting that it says is not set:

Steps to reproduce

1. Use Traefik
2. Set the following middleware:

    nextcloud-middlewares-secure-headers:
      headers:
        accessControlMaxAge: 100
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "no-referrer"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          X-Robots-Tag: "noindex, nofollow"

3. See the header errors in Nextcloud

Expected behavior

No errors about headers which are set correctly

Installation method

Community Docker image

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "debug": "false",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.example.com",
            "onlyoffice.example.com",
            "192.168.0.2",
            "192.168.0.3"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "onlyoffice": {
            "jwt_secret": "***REMOVED SENSITIVE VALUE***",
            "jwt_header": "AuthorizationJwt",
            "allow_local_remote_servers": true,
            "editors_check_interval": 0
        },
        "default_phone_region": "cs",
        "default_language": "cs",
        "default_locale": "cs_CZ",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.0.19",
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "3306",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "theme": "",
        "loglevel": 0,
        "maintenance": false,
        "overwriteprotocol": "https",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "has_rebuilt_cache": true,
        "ncd_admin_settings": {
            "ncd_aria2_rpc_host": "",
            "focusVisibleAdded": "",
            "ncd_aria2_rpc_token": ""
        },
        "app_install_overwrite": [
            "news",
            "tasks"
        ],
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 2
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - announcementcenter: 6.8.1
  - audioplayer: 3.4.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.2
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - cospend: 1.6.1
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.0
  - drawio: 3.0.2
  - event_update_notification: 2.4.0
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - files_zip: 1.5.0
  - firstrunwizard: 2.18.0
  - forms: 4.2.3
  - integration_excalidraw: 2.1.0
  - integration_github: 2.0.7
  - integration_google: 2.2.0
  - integration_mastodon: 2.0.5
  - integration_onedrive: 3.2.1
  - integration_openai: 2.0.0
  - integration_reddit: 2.0.3
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.6.0
  - maps: 1.4.0
  - ncdownloader: 1.0.20
  - news: 24.0.0
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.2.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - polls: 7.0.3
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - quota_warning: 1.19.0
  - recognize: 6.1.1
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - riotchat: 0.16.9
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.12.0
  - snappymail: 2.36.1
  - spreed: 19.0.0
  - support: 1.12.0
  - survey_client: 1.17.0
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0
  - tasks: 0.15.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - appointments: 2.1.1 (installed 2.1.1)
  - breezedark: 28.0.0 (installed 28.0.0)
  - camerarawpreviews: 0.8.4 (installed 0.8.4)
  - carnet: 0.25.4 (installed 0.25.4)
  - certificate24: 0.3.1 (installed 0.3.1)
  - cfg_share_links: 5.0.0 (installed 5.0.0)
  - cms_pico: 1.0.21 (installed 1.0.21)
  - cookbook: 0.11.0 (installed 0.11.0)
  - encryption: 2.17.0
  - end_to_end_encryption: 1.15.2 (installed 1.15.2)
  - extract: 1.3.6 (installed 1.3.6)
  - files_antivirus: 5.5.0 (installed 5.5.0)
  - files_mindmap: 0.0.30 (installed 0.0.30)
  - files_photospheres: 1.28.1 (installed 1.28.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - flow_notifications: 1.9.0 (installed 1.9.0)
  - groupfolders: 16.0.6 (installed 16.0.6)
  - integration_nuiteq: 1.0.6 (installed 1.0.6)
  - integration_twitter: 1.0.7 (installed 1.0.7)
  - metadata: 0.19.0 (installed 0.19.0)
  - money: 0.25.1 (installed 0.25.1)
  - nextcloud_announcements: 1.18.0 (installed 1.17.0)
  - ocsms: 2.2.0 (installed 2.2.0)
  - passwords: 2024.4.21 (installed 2024.4.21)
  - richdocuments: 8.4.1 (installed 8.4.1)
  - richdocumentscode_arm64: 24.4.103 (installed 24.4.103)
  - timetracker: 0.0.82 (installed 0.0.82)
  - unsplash: 2.2.1 (installed 2.2.1)
  - user_ldap: 1.20.0 (installed 1.15.0)
  - video_converter: 1.0.6 (installed 1.0.6)

Nextcloud Signing status

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- news
	- INVALID_HASH
		- css/custom.css

Raw output
==========
Array
(
    [news] => Array
        (
            [INVALID_HASH] => Array
                (
                    [css/custom.css] => Array
                        (
                            [expected] => 32ba88040d81aa40a3f24717e6d3e95e13df33f93c653858d6d3aae7e495befa0e4664e2fd18339f894f13ddb256bfaa952e7f3f179ad20f669f6b065d1f4ff6
                            [current] => b6c331110816789d9b5283b19c2c678a0b66417ab11bdb5f3f33aa172e54b7216ed2d87c63da436276e4adad79ec40bc1a8224af8ce4fde0f9ef8b1b69bae375
                        )

                )

        )

)

Nextcloud Logs

No response

Additional info

No response

[joshtrichards]

Do each of your configured trusted_domains resolve to your proxy/TLS terminator from the perspective of your Nextcloud Server? That is, if you run curl from within your Nextcloud Docker container does it hit your proxy (and therefore see those headers)? That's the most common culprit since most of the tests are running from the server itself rather than you're browser these days.

[jiriks74]

For whatever reason dig running directly from the container resolves to the container IP rather than the public one.

[mikesteele81]

I have the same problem. With Nextcloud 28 I made sure that the self-test would hit the reverse proxy's internal address by including an entry within /etc/hosts to override what DNS would otherwise provide.

[jiriks74]

Got rid of it by modifying the compose file. The setup I used as a base had a hostname defined and that's why it resolved to the container and not the proxy.

[VPaulV]

I have the same issue. Could you please provide instructions on how to fix it?

[jiriks74]

I have the same issue. Could you please provide instructions on how to fix it?

Like I said, remove/change the hostname: nextcloud.somedomain.eufrom your compose file