[Bug]: wrong or misleading "Security & Setup Warnings" due to HTTP headers
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
I can't get rid of error messages in Nextcloud's "Security & Setup Warnings"; the messages are wrong or at least misleading:
- Nextcloud issues a standard error message on a set of missing headers independent of what is really wrong
- Nextcloud seems to export the "X-Robots-Tag" in its own code, but in the docs asks the admin to provide it by the webserver
- this leads to a double "X-Robots-Tag" in the http-response (at least with nginx, maybe Apache removes double entries?) which is erroneously reported as missing!
- when not providing the "Strict-Transport-Security" Nextcloud complains about it, but after providing it Nextcloud still reports it as missing and in addition shows the above mentioned standard message about missing/wrong headers
Steps to reproduce
1. install Nextcloud Hub 8 (29.0.3)
2. configuration with nginx webservers as server and reverse proxy
3. look for the "Security & Setup Warnings" messages
Expected behavior
- only missing HTTP-headers should be reported instead of a standard message with all headers
- double entries of headers should be ignored in the check
- the docs should inform the admin, which headers are generated by Nextcloud itself (special role of X-Robots-Tag?)
- when the Strict-Transport-Security header is available (as can be seen with curl) Nextcloud should report the correct reason for complaining, e.g. wrong value
Installation method
Community NextcloudPi appliance
Nextcloud Server version
29
Operating system
Debian/Ubuntu
PHP engine version
None
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- [X] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
output of "php occ config:list system"
"system": {
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"password": "***REMOVED SENSITIVE VALUE***",
"timeout": 0
},
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"log_rotate_size": 10485760,
"upgrade.disable-web": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/nc.test.hp4",
"overwritehost": "nc.test.hp4",
"overwriteprotocol": "https",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nc.test.hp4"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "29.0.3.4",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"default_phone_region": "DE",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauth": 1,
"mail_smtpport": "587",
"mail_sendmailmode": "smtp",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"maintenance_window_start": 1,
"maintenance": false,
"loglevel": 2
}
List of activated Apps
Enabled:
- activity: 2.21.1
- calendar: 4.7.10
- circles: 29.0.0-dev
- cloud_federation_api: 1.12.0
- comments: 1.19.0
- contacts: 6.0.0
- contactsinteraction: 1.10.0
- dashboard: 7.9.0
- dav: 1.30.1
- deck: 1.13.1
- federatedfilesharing: 1.19.0
- federation: 1.19.0
- files: 2.1.0
- files_downloadlimit: 2.0.0
- files_pdfviewer: 2.10.0
- files_reminders: 1.2.0
- files_sharing: 1.21.0
- files_trashbin: 1.19.0
- files_versions: 1.22.0
- firstrunwizard: 2.18.0
- logreader: 2.14.0
- lookup_server_connector: 1.17.0
- mail: 3.7.2
- nextcloud_announcements: 1.18.0
- notes: 4.10.0
- notifications: 2.17.0
- oauth2: 1.17.0
- password_policy: 1.19.0
- photos: 2.5.0
- polls: 7.1.3
- privacy: 1.13.0
- provisioning_api: 1.19.0
- recommendations: 2.1.0
- related_resources: 1.4.0
- richdocuments: 8.4.3
- serverinfo: 1.19.0
- settings: 1.12.0
- sharebymail: 1.19.0
- spreed: 19.0.4
- support: 1.12.0
- survey_client: 1.17.0
- systemtags: 1.19.0
- text: 3.10.1
- theming: 2.4.0
- twofactor_backupcodes: 1.18.0
- updatenotification: 1.19.1
- user_status: 1.9.0
- viewer: 2.3.0
- weather_status: 1.9.0
- workflowengine: 2.11.0
Disabled:
- admin_audit: 1.19.0
- bruteforcesettings: 2.9.0
- encryption: 2.17.0
- files_external: 1.21.0
- groupfolders: 17.0.1 (installed 17.0.1)
- suspicious_login: 7.0.0
- tasks: 0.16.0 (installed 0.16.0)
- twofactor_totp: 11.0.0-dev
- user_ldap: 1.20.0
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
No response
Additional info
No response
Can you provide the exact warnings and errors you're seeing? And also confirm you're using the latest Nginx config in our manual?
> Nextcloud issues a standard error message on a set of missing headers independent of what is really wrong
We check and report on each security header independently:
https://github.com/nextcloud/server/blob/3b795cde79946cb9b41ed823c78111ea040cbfa2/apps/settings/lib/SetupChecks/SecurityHeaders.php
> Nextcloud seems to export the "X-Robots-Tag" in its own code, but in the docs asks the admin to provide it by the webserver
Where do we say that?
https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#serve-security-related-headers-by-the-web-server
And in the Nginx config we provide, there is handling for it (in spots we cover in standard (Apache) installations via the bundled .htaccess). Check the modHeadersAvailable line in the Nginx config as well as the separate header handling section for static assets as seen in manual:
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
Are you using the above Nginx config?
You also stated you're using NextcloudPi, but that's Apache based. So your report has some inconsistencies that are hard to follow. Your provided config suggests you're using one of our micro-services Docker images (fpm variant presumably if you're using Nginx as your web server).
Slightly related, but not a biggy either:
I have `add_header X-Robots-Tag none always;` in my nginx configuration. `none` should be an alias to `noindex, nofollow`, but Nextcloud still warns that I am missing `noindex, nofollow` in X-Robots-Tag
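The per-header check the maintainer describes above, together with the `none` alias question from the last comment, as an added example that is neither Nextcloud's SecurityHeaders.php nor code posted in this thread. It runs over a constructed raw response of the kind `curl -sI` prints, keeps duplicate header lines instead of letting the last one win, expands `none` to `noindex, nofollow` (the meaning Google's robots documentation gives it), and names the actual reason for every failure rather than a generic "missing" message. The HSTS threshold and the expected values for the two simple headers are assumptions taken from the hardening guide's recommendations, not values confirmed by this thread.

```python
"""Per-header check of a captured HTTP response (added example, not
Nextcloud's own check). Duplicate header lines are merged, `none` counts
as `noindex, nofollow`, and each finding states the concrete reason."""
from typing import Dict, List, Optional, Set

HSTS_MIN_MAX_AGE = 15552000  # assumption: 180 days, the hardening guide's value

# Headers with one expected value (assumption: taken from the hardening guide)
SIMPLE_EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response into a
    case-insensitive multi-map. Repeated header lines, e.g. an X-Robots-Tag
    from nginx and another from the app, stay as separate values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # [1:] skips the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def robots_directives(values: List[str]) -> Set[str]:
    """Merge all X-Robots-Tag values into one directive set; `none` is the
    shorthand for `noindex, nofollow` and is expanded accordingly."""
    out: Set[str] = set()
    for value in values:
        for directive in value.split(","):
            directive = directive.strip().lower()
            if directive == "none":
                out |= {"noindex", "nofollow"}
            elif directive:
                out.add(directive)
    return out


def hsts_max_age(values: List[str]) -> Optional[int]:
    """max-age of the first parseable Strict-Transport-Security value, else None."""
    for value in values:
        for part in value.split(";"):
            key, _, number = part.strip().partition("=")
            if key.strip().lower() == "max-age" and number.strip().isdigit():
                return int(number.strip())
    return None


def check_security_headers(raw: str) -> Dict[str, str]:
    """One finding per header: 'ok', 'missing', or the concrete reason."""
    h = parse_headers(raw)
    findings: Dict[str, str] = {}

    robots = h.get("x-robots-tag", [])
    if not robots:
        findings["X-Robots-Tag"] = "missing"
    elif not {"noindex", "nofollow"} <= robots_directives(robots):
        findings["X-Robots-Tag"] = f"present but lacks noindex, nofollow: {robots}"
    elif len(robots) > 1:
        findings["X-Robots-Tag"] = f"ok (sent {len(robots)} times; drop one source)"
    else:
        findings["X-Robots-Tag"] = "ok"

    hsts = h.get("strict-transport-security", [])
    age = hsts_max_age(hsts)
    if not hsts:
        findings["Strict-Transport-Security"] = "missing"
    elif age is None:
        findings["Strict-Transport-Security"] = f"present but no usable max-age: {hsts}"
    elif age < HSTS_MIN_MAX_AGE:
        findings["Strict-Transport-Security"] = (
            f"max-age={age} is below the recommended {HSTS_MIN_MAX_AGE}")
    else:
        findings["Strict-Transport-Security"] = "ok"

    for name, want in SIMPLE_EXPECTED.items():
        label = "-".join(p.capitalize() for p in name.split("-"))
        values = h.get(name, [])
        if not values:
            findings[label] = "missing"
        elif values[0].lower() != want:
            findings[label] = f"present but value {values[0]!r} is not {want!r}"
        else:
            findings[label] = "ok"
    return findings


# Constructed sample: X-Robots-Tag sent twice (nginx `none` plus the app's
# `noindex, nofollow`) and an HSTS header whose max-age is far too short.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Robots-Tag: noindex, nofollow\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for header, finding in check_security_headers(SAMPLE_RESPONSE).items():
        print(f"{header}: {finding}")
```

To use it against a live instance, paste the output of `curl -sI https://your-host/` into `SAMPLE_RESPONSE`, and check more than one URL: nginx's `add_header` directives are inherited from the enclosing block only when the current block defines none of its own, so a `location` block for static assets that adds a single header silently drops every other header for those paths.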
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.