security/performance issues with default install #80
Comments
The header is an easy enough fix. I recall putting the database conversion (which leaves aside the question of why a "conversion" is required in the first place, in a brand-new database created directly by Nextcloud--why isn't it created with big int in the first place?) in the script, but taking it out because it wouldn't run non-interactively--it required user input to run. Is this no longer the case?
This is true, the second command requests user confirmation for the conversion of the database. I don't know if there is a switch to turn it non-interactive. If the database is already in the right format however, the command exits cleanly without interaction. To my mind it would be OK to have the administrator confirm this step, but this is your call.
This link considers there is a flag to be set for non-interactive mode.
Ah, I hadn't seen that earlier. This should be fixed now.
Regarding the X-Frame-Options, I was unable to fix that by just adjusting the Caddyfile under /usr/local/www/. Is there another Caddyfile which needs to be changed?
EDIT: I just noticed some weird behavior of Nextcloud itself. The security check site tells me the missing setting is a security issue, but my browser tells me the header is sent. Can anyone relate to this?
EDIT 2: Never mind. I just found out that the security check site tests for the setting case-sensitively... So the proposed fix was working fine. Anyway, you should correct it to "sameorigin" all lowercase for convenience.
As I stated in EDIT 2 in my last post, the problem was not really related to the script, but to the pickiness of the online Nextcloud security scanner, which just didn't like the all-uppercase header field. So the problem can be solved by adjusting the script, but IMHO should be fixed by Nextcloud, adjusting their scanner to be case-insensitive.
After deploying the Nextcloud instance with this script, there are two warnings reported by the instance itself (under admin/settings/administration/overview):
Both issues can be easily fixed:
For the first issue, add
X-Frame-Options "SAMEORIGIN"
in the "header" section of the Caddyfile.
For the second issue, execute
sudo -u www php /usr/local/www/nextcloud/occ db:convert-filecache-bigint
once after install.
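As an added example, not part of this issue or of the script it discusses: a small POSIX sh check that verifies the X-Frame-Options header the way browsers evaluate it, matching the header name and value case-insensitively, so that SAMEORIGIN and sameorigin both pass while a missing or obsolete value is flagged. The sample header blocks are constructed, not captured from a real server.

```shell
# check_xfo: return 0 when the given response-header block carries a usable
# X-Frame-Options value. Header names are case-insensitive per HTTP, and
# browsers compare the X-Frame-Options value ASCII case-insensitively, so
# "SAMEORIGIN" and "sameorigin" are equivalent (unlike the scanner in the thread).
# $1: HTTP response headers as text, e.g. the output of `curl -sI https://host/`
check_xfo() {
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^x-frame-options:' | head -n 1 \
        | cut -d: -f2- | tr -d ' \t' | tr 'A-Z' 'a-z')
    case "$value" in
        sameorigin|deny) return 0 ;;
        # ALLOW-FROM is obsolete and ignored by current browsers; anything
        # else (or no header at all) leaves the page frameable.
        *) return 1 ;;
    esac
}

# Constructed sample header blocks (not real server output).
HEADERS_UPPER='HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
'
HEADERS_LOWER='HTTP/1.1 200 OK
x-frame-options: sameorigin
'
HEADERS_MISSING='HTTP/1.1 200 OK
Content-Type: text/html
'
HEADERS_ALLOWFROM='HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM https://example.org
'

# Stand-alone run: report each constructed block.
for name in HEADERS_UPPER HEADERS_LOWER HEADERS_MISSING HEADERS_ALLOWFROM; do
    eval "hdrs=\$$name"
    if check_xfo "$hdrs"; then
        echo "$name: X-Frame-Options OK"
    else
        echo "$name: X-Frame-Options missing or unusable"
    fi
done
```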