Nextcloud Traefik security settings #561

Open
flammableliquids opened this issue Aug 2, 2022 · 1 comment

flammableliquids commented Aug 2, 2022

Once NextCloud is set up, it shows the following warnings about the setup:

> There are some warnings regarding your setup.
>
> The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the [documentation ↗](https://docs.nextcloud.com/server/24/go.php?to=admin-reverse-proxy).
>
> The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the [security tips ↗](https://docs.nextcloud.com/server/24/go.php?to=admin-security).
>
> Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the [documentation ↗](https://docs.nextcloud.com/server/24/go.php?to=admin-setup-well-known-URL).
>
> Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the [documentation ↗](https://docs.nextcloud.com/server/24/go.php?to=admin-setup-well-known-URL).

I have tried the following Traefik settings (Docker labels on the Nextcloud container):

```yaml
# Security headers middleware (HSTS, referrer policy, frame options, ...)
traefik.http.middlewares.nextcloud.headers.referrerPolicy: "no-referrer"
traefik.http.middlewares.nextcloud.headers.sslRedirect: "true"
traefik.http.middlewares.nextcloud.headers.stsSeconds: "15552000"
traefik.http.middlewares.nextcloud.headers.browserXSSFilter: "true"
traefik.http.middlewares.nextcloud.headers.contentTypeNosniff: "true"
traefik.http.middlewares.nextcloud.headers.forceSTSHeader: "true"
traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains: "true"
traefik.http.middlewares.nextcloud.headers.stsPreload: "true"
traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue: "SAMEORIGIN"

# CalDAV/CardDAV redirect. A Traefik middleware has exactly one type, so the
# redirectRegex settings cannot share the name "nextcloud" with the headers
# middleware above; they get their own name here, and the router has to list
# both, e.g. traefik.http.routers.nextcloud.middlewares: "nextcloud,nextcloud-dav"
traefik.http.middlewares.nextcloud-dav.redirectRegex.permanent: "true"
traefik.http.middlewares.nextcloud-dav.redirectRegex.regex: "https://(.*)/.well-known/(card|cal)dav"
# "$$" is docker-compose escaping for a literal "$"
traefik.http.middlewares.nextcloud-dav.redirectRegex.replacement: "https://$${1}/remote.php/dav/"
```

These are based on some Google searches, and the security complaints continue to come up. The fact is, I'm not really sure what I am doing with Traefik. I could really use some help. Plus, I would have thought that these settings would be the default for most users.

Traefik screenshots (images not reproduced here): traefik_http_routers, traefik_http_middleware

Environment:
Ansible-NAS revision (3352773):
Operating system Ubuntu 20.04.4 LTS
Docker version 20.10.17, build 100c701
Running the playbook on the box itself.
Vagrant not installed
running on ZFS


negimeister commented Aug 27, 2022

In my case, setting the following environment variables for the Nextcloud container seemed to help (at least to access it with the mobile app):

- `TRUSTED_PROXIES`: local IP of the server
- `OVERWRITEHOST`: external domain name of the Nextcloud container
- `OVERWRITEPROTOCOL`: `https`

EDIT: Instead of the last two, `APACHE_DISABLE_REWRITE_IP` should also work if the container is running as root.
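Pulling the two comments together, below is an added example of a docker-compose fragment that addresses all four warnings at once. It is not code from this issue, from Ansible-NAS, or from the Nextcloud or Traefik projects. It assumes the official `nextcloud` image (which maps `TRUSTED_PROXIES`, `OVERWRITEHOST`, `OVERWRITEPROTOCOL` and `OVERWRITECLIURL` to the matching `config.php` keys), a Traefik v2 instance with an entrypoint named `websecure`, a Docker bridge network on `172.18.0.0/16`, and the hostname `cloud.example.com`; the router and middleware names are also assumed. The key points relative to the original attempt are that `TRUSTED_PROXIES` has to cover the address Traefik actually connects from (the Docker network, not the host's LAN IP, when both run as containers), and that the headers and redirectRegex settings must be two differently named middlewares that the router lists explicitly.

```yaml
# Added example (not the issue author's or Ansible-NAS's own configuration).
# Assumed names: host cloud.example.com, Docker network 172.18.0.0/16,
# entrypoint "websecure", router "nextcloud", middlewares
# "nextcloud-headers" and "nextcloud-dav". Adjust them to your deployment.
services:
  nextcloud:
    image: nextcloud:24
    environment:
      # Addresses Nextcloud may trust X-Forwarded-* headers from. This must be
      # the range Traefik connects from (the Docker network here), otherwise
      # the "reverse proxy header configuration is incorrect" warning stays and
      # every client appears to come from the proxy's IP (brute-force
      # protection then throttles the wrong address).
      TRUSTED_PROXIES: "172.18.0.0/16"
      # Tell Nextcloud what the public origin is, since it only sees plain
      # HTTP from Traefik on the internal network.
      OVERWRITEHOST: "cloud.example.com"
      OVERWRITEPROTOCOL: "https"
      OVERWRITECLIURL: "https://cloud.example.com"
    labels:
      traefik.enable: "true"
      traefik.http.routers.nextcloud.rule: "Host(`cloud.example.com`)"
      traefik.http.routers.nextcloud.entrypoints: "websecure"
      traefik.http.routers.nextcloud.tls: "true"
      # Each middleware has exactly one type, so headers and redirectRegex
      # need distinct names, and the router must reference both.
      traefik.http.routers.nextcloud.middlewares: "nextcloud-headers,nextcloud-dav"

      # HSTS for at least 15552000 s (180 days), which is what Nextcloud checks.
      # forceSTSHeader makes Traefik emit it even when the backend does not.
      traefik.http.middlewares.nextcloud-headers.headers.stsSeconds: "15552000"
      traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains: "true"
      traefik.http.middlewares.nextcloud-headers.headers.stsPreload: "true"
      traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader: "true"
      traefik.http.middlewares.nextcloud-headers.headers.referrerPolicy: "no-referrer"
      traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff: "true"
      traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue: "SAMEORIGIN"

      # 301 /.well-known/caldav and /.well-known/carddav to the DAV endpoint,
      # which is what the well-known-URL warning asks for. "$$" is the
      # docker-compose escape for a literal "$".
      traefik.http.middlewares.nextcloud-dav.redirectRegex.permanent: "true"
      traefik.http.middlewares.nextcloud-dav.redirectRegex.regex: "https://(.*)/.well-known/(card|cal)dav"
      traefik.http.middlewares.nextcloud-dav.redirectRegex.replacement: "https://$${1}/remote.php/dav/"
```

After `docker compose up -d`, the Traefik dashboard should show both middlewares attached to the router without errors, and `curl -sI https://cloud.example.com/.well-known/caldav` should return a 301 with a `Location` of `/remote.php/dav/` and a `Strict-Transport-Security: max-age=15552000; includeSubDomains; preload` header. Only enable `stsPreload` if you intend to submit the domain to the browser preload list; it is hard to undo once listed.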
