[Bug]: After update to 29: Some headers are not set correctly on your instance #45184

Closed
5 of 8 tasks
jiriks74 opened this issue May 4, 2024 · 30 comments
Labels: `0. Needs triage` (pending check for reproducibility or if it fits our roadmap), `bug`, `feature: settings`, `needs info`

Comments

@jiriks74 commented May 4, 2024

⚠️ This issue respects the following points: ⚠️

Bug description

After update to 29 I get some errors which I've already solved in my Traefik configuration:

The errors:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof the IP address that Nextcloud sees. See the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-reverse-proxy) for details.

Some headers are not set correctly on your instance:
- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Frame-Options` HTTP header is not set to `sameorigin`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.
- The `X-Permitted-Cross-Domain-Policies` HTTP header is not set to `none`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the [W3C Recommendation](https://www.w3.org/TR/referrer-policy/).
- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.

See the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security) for details.

I checked and the headers are set. I've specifically checked the nosniff setting that it says is not set:

[screenshot]

Steps to reproduce

1. Use Traefik
2. Set the following middleware:

   ```yaml
   nextcloud-middlewares-secure-headers:
     headers:
       accessControlMaxAge: 100
       sslRedirect: true
       stsSeconds: 63072000
       stsIncludeSubdomains: true
       stsPreload: true
       forceSTSHeader: true
       customFrameOptionsValue: "SAMEORIGIN"
       contentTypeNosniff: true
       browserXssFilter: true
       referrerPolicy: "no-referrer"
       featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
       customResponseHeaders:
         X-Robots-Tag: "noindex, nofollow"
   ```

3. See the header errors in Nextcloud

Expected behavior

No errors about headers which are set correctly

Installation method

Community Docker image

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "debug": "false",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.example.com",
            "onlyoffice.example.com",
            "192.168.0.2",
            "192.168.0.3"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "onlyoffice": {
            "jwt_secret": "***REMOVED SENSITIVE VALUE***",
            "jwt_header": "AuthorizationJwt",
            "allow_local_remote_servers": true,
            "editors_check_interval": 0
        },
        "default_phone_region": "cs",
        "default_language": "cs",
        "default_locale": "cs_CZ",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.0.19",
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "3306",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "theme": "",
        "loglevel": 0,
        "maintenance": false,
        "overwriteprotocol": "https",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "has_rebuilt_cache": true,
        "ncd_admin_settings": {
            "ncd_aria2_rpc_host": "",
            "focusVisibleAdded": "",
            "ncd_aria2_rpc_token": ""
        },
        "app_install_overwrite": [
            "news",
            "tasks"
        ],
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 2
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - announcementcenter: 6.8.1
  - audioplayer: 3.4.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.2
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - cospend: 1.6.1
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.0
  - drawio: 3.0.2
  - event_update_notification: 2.4.0
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - files_zip: 1.5.0
  - firstrunwizard: 2.18.0
  - forms: 4.2.3
  - integration_excalidraw: 2.1.0
  - integration_github: 2.0.7
  - integration_google: 2.2.0
  - integration_mastodon: 2.0.5
  - integration_onedrive: 3.2.1
  - integration_openai: 2.0.0
  - integration_reddit: 2.0.3
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.6.0
  - maps: 1.4.0
  - ncdownloader: 1.0.20
  - news: 24.0.0
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.2.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - polls: 7.0.3
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - quota_warning: 1.19.0
  - recognize: 6.1.1
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - riotchat: 0.16.9
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.12.0
  - snappymail: 2.36.1
  - spreed: 19.0.0
  - support: 1.12.0
  - survey_client: 1.17.0
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0
  - tasks: 0.15.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - appointments: 2.1.1 (installed 2.1.1)
  - breezedark: 28.0.0 (installed 28.0.0)
  - camerarawpreviews: 0.8.4 (installed 0.8.4)
  - carnet: 0.25.4 (installed 0.25.4)
  - certificate24: 0.3.1 (installed 0.3.1)
  - cfg_share_links: 5.0.0 (installed 5.0.0)
  - cms_pico: 1.0.21 (installed 1.0.21)
  - cookbook: 0.11.0 (installed 0.11.0)
  - encryption: 2.17.0
  - end_to_end_encryption: 1.15.2 (installed 1.15.2)
  - extract: 1.3.6 (installed 1.3.6)
  - files_antivirus: 5.5.0 (installed 5.5.0)
  - files_mindmap: 0.0.30 (installed 0.0.30)
  - files_photospheres: 1.28.1 (installed 1.28.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - flow_notifications: 1.9.0 (installed 1.9.0)
  - groupfolders: 16.0.6 (installed 16.0.6)
  - integration_nuiteq: 1.0.6 (installed 1.0.6)
  - integration_twitter: 1.0.7 (installed 1.0.7)
  - metadata: 0.19.0 (installed 0.19.0)
  - money: 0.25.1 (installed 0.25.1)
  - nextcloud_announcements: 1.18.0 (installed 1.17.0)
  - ocsms: 2.2.0 (installed 2.2.0)
  - passwords: 2024.4.21 (installed 2024.4.21)
  - richdocuments: 8.4.1 (installed 8.4.1)
  - richdocumentscode_arm64: 24.4.103 (installed 24.4.103)
  - timetracker: 0.0.82 (installed 0.0.82)
  - unsplash: 2.2.1 (installed 2.2.1)
  - user_ldap: 1.20.0 (installed 1.15.0)
  - video_converter: 1.0.6 (installed 1.0.6)

Nextcloud Signing status

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- news
	- INVALID_HASH
		- css/custom.css

Raw output
==========
Array
(
    [news] => Array
        (
            [INVALID_HASH] => Array
                (
                    [css/custom.css] => Array
                        (
                            [expected] => 32ba88040d81aa40a3f24717e6d3e95e13df33f93c653858d6d3aae7e495befa0e4664e2fd18339f894f13ddb256bfaa952e7f3f179ad20f669f6b065d1f4ff6
                            [current] => b6c331110816789d9b5283b19c2c678a0b66417ab11bdb5f3f33aa172e54b7216ed2d87c63da436276e4adad79ec40bc1a8224af8ce4fde0f9ef8b1b69bae375
                        )

                )

        )

)

Nextcloud Logs

No response

Additional info

No response
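A way to reproduce the header verdicts offline, as an added example for this thread (it is not Nextcloud's own setup-check code): the expected values and the HSTS minimum are the ones quoted in the warning text above, `SAMPLE_HEADERS` is a constructed response modelled on the Traefik middleware in the report, and `fetch_headers` is assumed to be a plain urllib GET that follows redirects, which is how a server-side probe would behave. Comparison is case-insensitive with whitespace removed (so `noindex, nofollow` passes); that normalization is this example's assumption.

```python
"""Offline re-check of the security headers Nextcloud 29 warns about.

Added example for this thread; it is not Nextcloud's own check code. The
expected values and the HSTS minimum are the ones quoted in the warning text
in the report. Assumptions: header values are compared case-insensitively and
with whitespace removed, and `fetch_headers` is a plain urllib GET that follows
redirects (which is how a server-side probe would behave).
"""
import sys
import urllib.error
import urllib.request

HSTS_MIN_SECONDS = 15552000  # "should be at least 15552000 seconds"
REFERRER_OK = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
               "strict-origin-when-cross-origin", "same-origin"}

# Constructed sample modelled on the Traefik middleware in the report above.
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "noindex, nofollow",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}


def _norm(value):
    # Lower-case and drop all whitespace, so "noindex, nofollow" == "noindex,nofollow".
    return "".join(value.lower().split())


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header as int, or None if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    def expect(name, want):
        if _norm(h.get(name, "")) != _norm(want):
            findings.append(f"{name} is not set to {want}")

    expect("x-content-type-options", "nosniff")
    expect("x-robots-tag", "noindex,nofollow")
    expect("x-frame-options", "sameorigin")
    expect("x-permitted-cross-domain-policies", "none")
    if "1;mode=block" not in _norm(h.get("x-xss-protection", "")):
        findings.append("x-xss-protection does not contain 1; mode=block")
    # Browsers honour the last recognised token of a comma-separated policy list.
    tokens = [t.strip().lower() for t in h.get("referrer-policy", "").split(",")]
    if tokens[-1] not in REFERRER_OK:
        findings.append("referrer-policy is not one of the recommended values")
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None or age < HSTS_MIN_SECONDS:
        findings.append(f"strict-transport-security max-age is below {HSTS_MIN_SECONDS}")
    return findings


def fetch_headers(url, timeout=10):
    """GET url and return its response headers (assumption: redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return dict(err.headers.items())


if __name__ == "__main__":
    # Usage: run from inside the Nextcloud container so the probe sees what Nextcloud sees.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hdrs = fetch_headers(target) if target else SAMPLE_HEADERS
    for finding in check_headers(hdrs) or ["all checks passed"]:
        print(finding)
```

Run it with the trusted domain as the argument from inside the Nextcloud container rather than from a workstation: if name resolution there points at the container itself instead of the proxy, the headers the proxy adds are never seen, and the findings list will match the admin warning even though an external curl looks clean.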

jiriks74 added the `0. Needs triage` and `bug` labels May 4, 2024
@joshtrichards (Member) commented:

Does each of your configured trusted_domains resolve to your proxy/TLS terminator from the perspective of your Nextcloud Server? That is, if you run curl from within your Nextcloud Docker container, does it hit your proxy (and therefore see those headers)? That's the most common culprit, since most of the tests are running from the server itself rather than your browser these days.

@jiriks74 (Author) commented May 5, 2024

For whatever reason dig running directly from the container resolves to the container IP rather than the public one.

@mikesteele81 commented:

I have the same problem. With Nextcloud 28 I made sure that the self-test would hit the reverse proxy's internal address by including an entry within /etc/hosts to override what DNS would otherwise provide.

@jiriks74 (Author) commented May 7, 2024

Got rid of it by modifying the compose file. The setup I used as a base had a hostname defined and that's why it resolved to the container and not the proxy.

jiriks74 closed this as completed May 7, 2024
@VPaulV commented May 13, 2024

I have the same issue. Could you please provide instructions on how to fix it?

@jiriks74 (Author) commented:

> I have the same issue. Could you please provide instructions on how to fix it?

Like I said, remove/change the `hostname: nextcloud.somedomain.eu` from your compose file

@0x09AF commented May 19, 2024

I don't have hostname configured in my compose file, but got this error after upgrading to 29. Is there another fix?

@jiriks74 (Author) commented:

What is your setup? Like, is the server local, behind a proxy, etc.? What IP is the container resolving the hostname to? (Run `dig your.domain` inside the container)

@0x09AF commented May 21, 2024

@jiriks74 I am not too sure if I have the exact same error but the symptoms are similar, appeared after upgrading to v29. Here's the error: Could not check that your web server serves security headers correctly, unable to query `` For more details see the documentation ↗
dig inside the container resolves the same as from the outside - to Cloudflare IPs

@wvxx commented May 23, 2024

I'm having the same issue since upgrading to 29, dig ran from within the container resolves to my public IP address, I've no hostname set on my container as well, trusted proxies are set properly.

Any ideas? ;)
Thanks.

@jiriks74 (Author) commented:

@0x09AF

> unable to query ``

This seems like Nextcloud doesn't have its hostname set properly?

> I've no hostname set on my container as well, trusted proxies are set properly.

If it's the same error I suspect that Nextcloud doesn't know its URL and you cannot query an empty string.

What are your proxy settings?

@wvxx commented May 23, 2024

> If it's the same error I suspect that Nextcloud doesn't know its URL and you cannot query an empty string
>
> What are your proxy settings?

I might have expressed myself a bit unclearly. I mean that I get the warnings in my nextcloud admin settings despite curl telling me that all headers are enabled.

[screenshot]

I have trusted_proxies set to IP of my traefik container as well as public IP, like I said above dig ran from the nextcloud container shows my public IP address.

@0x09AF commented May 23, 2024

> @0x09AF
>
> > unable to query ``
>
> This seems like Nextcloud doesn't have its hostname set properly?

My docker-compose hasn't changed in the few years I have been running Nextcloud. Could you point me to the right env variable or a line in config.php?
Thanks

@warioishere commented:

I am also having this issue, bare-metal Nextcloud installation. I don't have any reverse proxy in front of my NC; the headers are set if I curl my domain.

@tuxArg commented May 26, 2024

Hi, I've just had this message too. I solved it allowing container IP login in limit_login_to_ip app. I hope it helps.

@warioishere commented:

I don't use docker, just a plain self installation

@xundeenergie commented:

Same here. Plain installation without container... and I get the same warnings since the upgrade to 29.

@lexxxel commented May 29, 2024

Same, I run Nextcloud from an LXC container and checked with curl - everything looks OK from there. (My reverse proxy is also traefik on another LXC container somewhere in the network)

@kocouj1 commented Jun 2, 2024

I have Nextcloud 29.0.1 and the same problem. I can see that all headers are sent, but I'm getting the security warning.

@nicolas-parmentier commented Jun 3, 2024

Same here, running Nextcloud 29.0.1 with Docker (had the same behavior with 29.0.0). dig inside the container returns the public IP of my reverse proxy. Everything looks fine.
From the container, with a curl command, I can see the headers well configured:

```
curl -v nextcloud.mydomain.com

< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: noindex, nofollow
< x-xss-protection: 1; mode=block
```

@nick-oconnor commented Jun 5, 2024

@joshtrichards I think the probe is following redirects. With OIDC, unauthenticated requests to the root URL are redirected to the provider. I see a request for / made by Nextcloud Server Crawler which is getting redirected to my provider. I'm curious if that's the request that's checking for headers. If that's the case, this issue should be reopened.

```
[05/Jun/2024:03:56:56 +0000] "GET / HTTP/1.1" 302 0 "-" "Nextcloud Server Crawler" 105 0.034 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.033 302 <trace redacted>
[05/Jun/2024:03:56:56 +0000] "GET /login HTTP/1.1" 302 0 "-" "Nextcloud Server Crawler" 110 0.021 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.021 302 <trace redacted>
[05/Jun/2024:03:56:56 +0000] "GET /apps/user_oidc/login/2 HTTP/1.1" 303 0 "-" "Nextcloud Server Crawler" 127 0.028 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.028 303 <trace redacted>
[05/Jun/2024:03:56:56 +0000] "GET /api/oidc/authorization?<params redacted> HTTP/1.1" 302 945 "-" "Nextcloud Server Crawler" 766 0.001 [core-authelia-http] [] [<ip redacted>]:9091 945 0.001 302 <trace redacted>
[05/Jun/2024:03:56:56 +0000] "GET /?<params redacted> HTTP/1.1" 200 1053 "-" "Nextcloud Server Crawler" 996 0.000 [core-authelia-http] [] [<ip redacted>]:9091 1053 0.000 200 <trace redacted>
```
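A way to see for yourself where a redirect-following probe of `/` ends up, as an added example for this thread (not Nextcloud's code): it fetches one hop at a time with redirect following disabled and reports whether the chain leaves the host it started on. `CHAIN` is a constructed stand-in for the five access-log lines above, with placeholder hosts (`nextcloud.example.com`, `auth.example.com`) and a placeholder query string where the parameters were redacted; `fetch_hop` is an assumed urllib helper for running it against a real host.

```python
"""Walk a redirect chain one hop at a time to see where a probe of / ends up.

Added example for this thread, not Nextcloud's code. `_NoRedirect` overrides
the stock urllib redirect handler; `CHAIN` is a constructed stand-in for the
five log lines above with placeholder hosts (nextcloud.example.com,
auth.example.com) and a placeholder query string for the redacted parameters.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib hand the 3xx back as an HTTPError instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def fetch_hop(url, timeout=10):
    """One request without redirect following; returns (status, headers dict)."""
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-walk-example"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


# Constructed chain mirroring the quoted access log: / -> /login -> user_oidc -> IdP.
CHAIN = {
    "https://nextcloud.example.com/": (302, {"Location": "/login", "X-Content-Type-Options": "nosniff"}),
    "https://nextcloud.example.com/login": (302, {"Location": "/apps/user_oidc/login/2"}),
    "https://nextcloud.example.com/apps/user_oidc/login/2": (303, {"Location": "https://auth.example.com/api/oidc/authorization?client_id=nextcloud"}),
    "https://auth.example.com/api/oidc/authorization?client_id=nextcloud": (302, {"Location": "/?workflow=openid_connect"}),
    "https://auth.example.com/?workflow=openid_connect": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    """Offline stand-in for fetch_hop backed by CHAIN."""
    return CHAIN[url]


def walk(url, fetch=fetch_hop, max_hops=10):
    """Return [(url, status, headers), ...] for every hop until a non-redirect."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status, headers))
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        break
    return hops


def summarize(hops):
    """Where the chain ends, and whether it left the host the probe started on."""
    start_host = urlsplit(hops[0][0]).hostname
    final_url, final_status, final_headers = hops[-1]
    return {
        "hops": len(hops),
        "final_url": final_url,
        "final_status": final_status,
        "left_origin": urlsplit(final_url).hostname != start_host,
        # A redirect-following probe evaluates these, not the first hop's headers.
        "headers_at_end": final_headers,
    }


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "https://nextcloud.example.com/"
    fetch = fetch_hop if len(sys.argv) > 1 else fake_fetch
    for hop_url, status, _ in walk(start, fetch=fetch):
        print(status, hop_url)
    print(summarize(walk(start, fetch=fetch)))
```

With no argument it walks the constructed chain and reports `left_origin: True` after five hops, which is the situation the log lines show: whatever headers a redirect-following probe evaluates at the end of that chain are the identity provider's, not the ones your proxy sets in front of Nextcloud, so checking the first hop's headers separately is the useful comparison.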

@warioishere commented Jun 5, 2024

> @joshtrichards I think the probe is following redirects. With OIDC, unauthenticated requests to the root URL are redirected to the provider. I see a request for / made by Nextcloud Server Crawler which is getting redirected to my provider. I'm curious if that's the request that's checking for headers. If that's the case, this issue should be reopened.
>
> ```
> [05/Jun/2024:03:56:56 +0000] "GET / HTTP/1.1" 302 0 "-" "Nextcloud Server Crawler" 105 0.034 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.033 302 <trace redacted>
> [05/Jun/2024:03:56:56 +0000] "GET /login HTTP/1.1" 302 0 "-" "Nextcloud Server Crawler" 110 0.021 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.021 302 <trace redacted>
> [05/Jun/2024:03:56:56 +0000] "GET /apps/user_oidc/login/2 HTTP/1.1" 303 0 "-" "Nextcloud Server Crawler" 127 0.028 [apps-nextcloud-nextcloud] [] [<ip redacted>]:80 0 0.028 303 <trace redacted>
> [05/Jun/2024:03:56:56 +0000] "GET /api/oidc/authorization?<params redacted> HTTP/1.1" 302 945 "-" "Nextcloud Server Crawler" 766 0.001 [core-authelia-http] [] [<ip redacted>]:9091 945 0.001 302 <trace redacted>
> [05/Jun/2024:03:56:56 +0000] "GET /?<params redacted> HTTP/1.1" 200 1053 "-" "Nextcloud Server Crawler" 996 0.000 [core-authelia-http] [] [<ip redacted>]:9091 1053 0.000 200 <trace redacted>
> ```

Very good point! Could be the cause, I am also using an external auth server (SAML SSO Keycloak).
I have another private server which doesn't use the Keycloak server for authentication, same setup, but it doesn't show the error!

@MatteoPaier commented:

I can reproduce the problem with Authentik SAML SSO. Maybe the issue should indeed be reopened (or the discussion moved to a new one).

Probably related also to #44234.

@Patta commented Jun 7, 2024

I can confirm that all security headers are set and also approved by securityheaders.com, but after upgrading from Nextcloud 28.0.6 to 29.0.2 a warning is displayed in settings/admin/overview that some headers are not set correctly.
Plain installation with nginx.

@Ra72xx commented Jun 7, 2024

Authentik, OpenID, Nextcloud in a subdir, Nginx proxy configured as officially documented, problem occurs after update to NC29. Please reopen!

@xundeenergie commented:

> Authentik, OpenID, Nextcloud in a subdir, Nginx proxy configured as officially documented, problem occurs after update to NC29. Please reopen!

Same here!

@gravelfreeman commented:

Why is it closed if it's not resolved yet?

@joshtrichards (Member) commented:

Folks, just because you're seeing the same warning doesn't mean it's always the same underlying cause. :-)

If you're using external authentication then #44234 sounds more relevant.

This issue is closed because the original reporter's situation was addressed (they closed it). Their cause was a DNS/hostname matter (which is a common reason for this error to occur because it means the test doesn't run against the proper service).

Other than external authentication (#44234), this is a configuration matter (at least as far as known causes go).

The reason you're seeing this trigger after an upgrade is because, in part, the checks are getting better and more sensitive, but mostly because the checks are running server-side rather than client-side now. So if there are configuration problems within your server environment (i.e. mismatched DNS, weirdly configured trusted_domains and overwrite.cli.url values in your Nextcloud config.php, etc.) that is coming out.

So take follow-up to the help forum if you're not in the #44234 camp. ;-)

@gravelfreeman commented:

@joshtrichards I'm in the #44234 camp. Using Traefik + SSO with Authelia. If I disable SSO, the warning disappears. Is it a config issue or is there really an issue? Because if it's only a config issue, there are a lot of people waiting in this issue.

@joshtrichards (Member) commented:

@gravelfreeman Well, the appropriate place to follow-up would be #44234 in that case :)
