-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: After update to 29: Some headers are not set correctly on your instance #45184
Comments
Do each of your configured |
For whatever reason |
I have the same problem. With Nextcloud 28 I made sure that the self-test would hit the reverse proxy's internal address by including an entry within /etc/hosts to override what DNS would otherwise provide. |
Got rid of it by modifying the compose file. The setup I used as a base had a |
I have the same issue. Could you please provide instructions on how to fix it? |
Like I said, remove/change the |
I don't have hostname configured in my compose file, but got this error after upgrading to 29. Is there another fix? |
What is your setup. Like is the server local, behind proxy, etc. What IP is the container resolving the hostbame to? (Run |
@jiriks74 I am not too sure if I have the exact same error but the symptoms are similar, appeared after upgrading to v29. Here's the error: |
I'm having the same issue since upgrading to 29, dig ran from within the container resolves to my public IP address, I've no hostname set on my container as well, trusted proxies are set properly. Any ideas? ;) |
This seems like Nextcloud doesn't have it's hostname set properly?
If it's the same error I suspect that Nextcloud doesn't know it's url and you cannot query an empty string What are your proxy settings? |
I might have expressed myself a bit unclearly. I mean that I get the warnings in my nextcloud admin settings despite curl telling me that all headers are enabled. I have trusted_proxies set to IP of my traefik container as well as public IP, like I said above dig ran from the nextcloud container shows my public IP address. |
|
I am also having this issue, baremetal nextcloud installation. I dont havy any ReverseProxy infront of my NC |
Hi, I've just had this message too. I solved it allowing container IP login in limit_login_to_ip app. I hope it helps. |
I dont use docker, just plain selft installation |
Same here. Plain installation without container... and i get the same warnings Since upgrade to 29. |
same, I run nextcloud from a lxc container and checked with |
I've Nextcloud 29.0.1 and have some problem. I can see that all headers are send but I'm getting security warning. |
Same here, running Nextcloud 29.0.1 with docker (had same behavior with 29.0.0). dig inside the container returns the public IP of my reverse proxy. Everything looks fine.
|
@joshtrichards I think the probe is following redirects. With OIDC, unauthenticated requests to the root URL are redirected to the provider. I see a request for
|
very good point! Could be the cause, I am also using external auth server (SAML SSO Keycloak) |
I can reproduce the problem with Authentik SAML SSO. Maybe the issue should indeed be reopened (or the discussion moved to a new one). Probably related also to #44234. |
I can confirm, that all security headers are set and also approved by securityheaders.com, but after upgrading from nextcloud 28.0.6 to 29.0.2 a warning is displayed in the settings/admin/overview that some headers are not set correctly. |
Authentik, OpenID, Nextcloud in a subdir, Nginx proxy configured as officially documented, problem occurs after update to NC29. Please reopen! |
Same here! |
Why is it closed if it's not resolved yet? |
Folks, just because you're seeing the same warning, doesn't mean it's always the same underlying cause. :-) If you're using external authentication then #44234 sounds more relevant. This issue is closed because the original reporter's situation was addressed (they closed it). Their cause was a DNS/hostname matter (which is a common reason for this error to occur because it means the test doesn't run against the proper service). Other than external authentication (#44234), this is a configuration matter (at least as far as known causes go). The reason you're seeing this trigger after an upgrade is because, in part, the checks are getting better and more sensitive, but mostly because the checks are running server-side rather than client-side now. So if there are configuration problems within your server environment (i.e. mismatched DNS, weirdly configured So take follow-up to the help forum if you're not in the #44234 camp. ;-) |
@joshtrichards I'm in the #44234 camp. Using Traefik + SSO with Authelia. If I disable SSO, the warning disappears. Is it a config issue or there's really an issue? Because if it's only a config issue there's a lot of people waiting in this issue. |
@gravelfreeman Well, the appropriate place to follow-up would be #44234 in that case :) |
Bug description
After update to 29 I get some errors which I've already solved in my Traefik configuration:
The errors
I checked and the headers are set. I've specifically checked the
nosniff
setting that it says is not set:Steps to reproduce
Expected behavior
No errors about headers which are set correctly
Installation method
Community Docker image
Nextcloud Server version
29
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response
The text was updated successfully, but these errors were encountered: