Closed
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
After updating to 29 I get some errors which I have already solved in my Traefik configuration:
The errors
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof the IP address that Nextcloud sees. For details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-reverse-proxy).

Some headers are not set correctly on your instance
- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Frame-Options` HTTP header is not set to `sameorigin`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.
- The `X-Permitted-Cross-Domain-Policies` HTTP header is not set to `none`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the [W3C Recommendation](https://www.w3.org/TR/referrer-policy/).
- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.

For details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security).
I checked and the headers are set. I've specifically checked the nosniff setting that it says is not set:
Steps to reproduce
- Use Traefik
- Set the following middleware:

```yaml
# Traefik "headers" middleware (dynamic configuration, under http.middlewares).
# Note: featurePolicy is deprecated in newer Traefik releases in favour of permissionsPolicy.
nextcloud-middlewares-secure-headers:
  headers:
    accessControlMaxAge: 100
    sslRedirect: true
    stsSeconds: 63072000
    stsIncludeSubdomains: true
    stsPreload: true
    forceSTSHeader: true
    customFrameOptionsValue: "SAMEORIGIN"
    contentTypeNosniff: true
    browserXssFilter: true
    referrerPolicy: "no-referrer"
    featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
    customResponseHeaders:
      X-Robots-Tag: "noindex, nofollow"
```

- See the header errors in Nextcloud
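To see what a client actually receives from the middleware above, the script below (an added example, not part of this issue and not Nextcloud or Traefik code) reads a captured HTTP response header block and checks each header against the values quoted in the Nextcloud 29 warning. The two header samples are constructed for the example; the lower-casing and the removal of spaces after commas are this script's own normalisation and are not claimed to match Nextcloud's internal comparison exactly.

```shell
#!/bin/sh
# Added example, not code from the issue or from Nextcloud/Traefik.
# Reads a captured HTTP response header block (e.g. the output of
# `curl -sI https://nextcloud.example.com/`) and compares the security
# headers against the values Nextcloud 29 names in its warning. The
# normalisation (lower-casing, dropping spaces after commas) is this
# script's own approximation, not a copy of Nextcloud's comparison.

# header_value FILE NAME: print the first NAME header's value, trimmed,
# lower-cased, without the trailing CR that curl leaves on each line.
header_value() {
    grep -i -- "^$2:" "$1" | head -n 1 | tr -d '\r' \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z'
}

# check_security_headers FILE: print one line per missing or wrong header;
# return 0 only when every header is acceptable.
check_security_headers() {
    f=$1
    fails=0

    v=$(header_value "$f" X-Content-Type-Options)
    [ "$v" = "nosniff" ] || { echo "X-Content-Type-Options: '$v' (want nosniff)"; fails=$((fails + 1)); }

    # The middleware in the issue sends "noindex, nofollow" (with a space); strip spaces before comparing.
    v=$(header_value "$f" X-Robots-Tag | tr -d ' ')
    [ "$v" = "noindex,nofollow" ] || { echo "X-Robots-Tag: '$v' (want noindex,nofollow)"; fails=$((fails + 1)); }

    v=$(header_value "$f" X-Frame-Options)
    [ "$v" = "sameorigin" ] || { echo "X-Frame-Options: '$v' (want sameorigin)"; fails=$((fails + 1)); }

    v=$(header_value "$f" X-Permitted-Cross-Domain-Policies)
    [ "$v" = "none" ] || { echo "X-Permitted-Cross-Domain-Policies: '$v' (want none)"; fails=$((fails + 1)); }

    v=$(header_value "$f" X-XSS-Protection)
    case "$v" in
        *"1; mode=block"*) ;;
        *) echo "X-XSS-Protection: '$v' (want 1; mode=block)"; fails=$((fails + 1)) ;;
    esac

    v=$(header_value "$f" Referrer-Policy)
    case "$v" in
        no-referrer|no-referrer-when-downgrade|strict-origin|strict-origin-when-cross-origin|same-origin) ;;
        *) echo "Referrer-Policy: '$v' (want a non-leaking policy)"; fails=$((fails + 1)) ;;
    esac

    v=$(header_value "$f" Strict-Transport-Security)
    max_age=$(printf '%s\n' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ] || [ "$max_age" -lt 15552000 ]; then
        echo "Strict-Transport-Security: '$v' (want max-age >= 15552000)"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Constructed sample 1: the headers the Traefik middleware from the issue
# is expected to produce on a response that passed through it.
GOOD_HEADERS=$(mktemp)
cat >"$GOOD_HEADERS" <<'EOF'
HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
EOF

# Constructed sample 2: a response that bypassed the middleware, with weak
# or missing values (six of the seven checks should fail).
BAD_HEADERS=$(mktemp)
cat >"$BAD_HEADERS" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=300
EOF
trap 'rm -f "$GOOD_HEADERS" "$BAD_HEADERS"' EXIT

echo "== sample 1 (through the middleware) =="
check_security_headers "$GOOD_HEADERS" && echo "all headers OK"
echo "== sample 2 (middleware bypassed) =="
check_security_headers "$BAD_HEADERS" || echo "headers need attention"
```

Run it twice against a real instance: once with `curl -sI https://nextcloud.example.com/ > via-proxy.txt` and once against the Apache container directly, bypassing Traefik. Nextcloud 28 and later evaluate these setup checks from the server side by requesting the instance's own URL from PHP, so if that request resolves to the container rather than to Traefik, the middleware's headers are never seen even though a browser receives them; the same split also matters for the "reverse proxy headers" warning, which depends on `trusted_proxies` matching the address Traefik connects from. The script only reports what a given capture contains; it cannot tell you which path Nextcloud's own check took.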
Expected behavior
No errors about headers which are set correctly
Installation method
Community Docker image
Nextcloud Server version
29
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
```json
{
    "system": {
        "debug": "false",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.example.com",
            "onlyoffice.example.com",
            "192.168.0.2",
            "192.168.0.3"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "onlyoffice": {
            "jwt_secret": "***REMOVED SENSITIVE VALUE***",
            "jwt_header": "AuthorizationJwt",
            "allow_local_remote_servers": true,
            "editors_check_interval": 0
        },
        "default_phone_region": "cs",
        "default_language": "cs",
        "default_locale": "cs_CZ",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.0.19",
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "3306",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "theme": "",
        "loglevel": 0,
        "maintenance": false,
        "overwriteprotocol": "https",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "has_rebuilt_cache": true,
        "ncd_admin_settings": {
            "ncd_aria2_rpc_host": "",
            "focusVisibleAdded": "",
            "ncd_aria2_rpc_token": ""
        },
        "app_install_overwrite": [
            "news",
            "tasks"
        ],
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 2
    }
}
```
List of activated Apps
Enabled:
- activity: 2.21.1
- announcementcenter: 6.8.1
- audioplayer: 3.4.1
- bruteforcesettings: 2.9.0
- calendar: 4.7.2
- circles: 29.0.0-dev
- cloud_federation_api: 1.12.0
- comments: 1.19.0
- contacts: 6.0.0
- contactsinteraction: 1.10.0
- cospend: 1.6.1
- dashboard: 7.9.0
- dav: 1.30.1
- deck: 1.13.0
- drawio: 3.0.2
- event_update_notification: 2.4.0
- external: 5.4.0
- federatedfilesharing: 1.19.0
- federation: 1.19.0
- files: 2.1.0
- files_downloadlimit: 2.0.0
- files_external: 1.21.0
- files_pdfviewer: 2.10.0
- files_reminders: 1.2.0
- files_sharing: 1.21.0
- files_trashbin: 1.19.0
- files_versions: 1.22.0
- files_zip: 1.5.0
- firstrunwizard: 2.18.0
- forms: 4.2.3
- integration_excalidraw: 2.1.0
- integration_github: 2.0.7
- integration_google: 2.2.0
- integration_mastodon: 2.0.5
- integration_onedrive: 3.2.1
- integration_openai: 2.0.0
- integration_reddit: 2.0.3
- logreader: 2.14.0
- lookup_server_connector: 1.17.0
- mail: 3.6.0
- maps: 1.4.0
- ncdownloader: 1.0.20
- news: 24.0.0
- notes: 4.10.0
- notifications: 2.17.0
- oauth2: 1.17.0
- onlyoffice: 9.2.0
- password_policy: 1.19.0
- photos: 2.5.0
- polls: 7.0.3
- privacy: 1.13.0
- provisioning_api: 1.19.0
- quota_warning: 1.19.0
- recognize: 6.1.1
- recommendations: 2.1.0
- related_resources: 1.4.0
- riotchat: 0.16.9
- serverinfo: 1.19.0
- settings: 1.12.0
- sharebymail: 1.19.0
- side_menu: 3.12.0
- snappymail: 2.36.1
- spreed: 19.0.0
- support: 1.12.0
- survey_client: 1.17.0
- suspicious_login: 7.0.0
- systemtags: 1.19.0
- tasks: 0.15.0
- text: 3.10.0
- theming: 2.4.0
- twofactor_backupcodes: 1.18.0
- twofactor_totp: 11.0.0-dev
- updatenotification: 1.19.1
- user_status: 1.9.0
- viewer: 2.3.0
- weather_status: 1.9.0
- workflowengine: 2.11.0
Disabled:
- admin_audit: 1.19.0
- appointments: 2.1.1 (installed 2.1.1)
- breezedark: 28.0.0 (installed 28.0.0)
- camerarawpreviews: 0.8.4 (installed 0.8.4)
- carnet: 0.25.4 (installed 0.25.4)
- certificate24: 0.3.1 (installed 0.3.1)
- cfg_share_links: 5.0.0 (installed 5.0.0)
- cms_pico: 1.0.21 (installed 1.0.21)
- cookbook: 0.11.0 (installed 0.11.0)
- encryption: 2.17.0
- end_to_end_encryption: 1.15.2 (installed 1.15.2)
- extract: 1.3.6 (installed 1.3.6)
- files_antivirus: 5.5.0 (installed 5.5.0)
- files_mindmap: 0.0.30 (installed 0.0.30)
- files_photospheres: 1.28.1 (installed 1.28.1)
- files_rightclick: 0.15.1 (installed 1.6.0)
- flow_notifications: 1.9.0 (installed 1.9.0)
- groupfolders: 16.0.6 (installed 16.0.6)
- integration_nuiteq: 1.0.6 (installed 1.0.6)
- integration_twitter: 1.0.7 (installed 1.0.7)
- metadata: 0.19.0 (installed 0.19.0)
- money: 0.25.1 (installed 0.25.1)
- nextcloud_announcements: 1.18.0 (installed 1.17.0)
- ocsms: 2.2.0 (installed 2.2.0)
- passwords: 2024.4.21 (installed 2024.4.21)
- richdocuments: 8.4.1 (installed 8.4.1)
- richdocumentscode_arm64: 24.4.103 (installed 24.4.103)
- timetracker: 0.0.82 (installed 0.0.82)
- unsplash: 2.2.1 (installed 2.2.1)
- user_ldap: 1.20.0 (installed 1.15.0)
- video_converter: 1.0.6 (installed 1.0.6)
Nextcloud Signing status
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- news
- INVALID_HASH
- css/custom.css
Raw output
==========
```text
Array
(
    [news] => Array
        (
            [INVALID_HASH] => Array
                (
                    [css/custom.css] => Array
                        (
                            [expected] => 32ba88040d81aa40a3f24717e6d3e95e13df33f93c653858d6d3aae7e495befa0e4664e2fd18339f894f13ddb256bfaa952e7f3f179ad20f669f6b065d1f4ff6
                            [current] => b6c331110816789d9b5283b19c2c678a0b66417ab11bdb5f3f33aa172e54b7216ed2d87c63da436276e4adad79ec40bc1a8224af8ce4fde0f9ef8b1b69bae375
                        )
                )
        )
)
```
Nextcloud Logs
No response
Additional info
No response