Nextcloud 18.0.4 Security & Setup Warnings

Here is what I did to get rid of different errors in Nextcloud in nextcloud/settings/admin/overview running in UCS:

A.)

The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips

As explained here, to keep changes consistent through upgrades, variables have to be set in UCS / System / Univention Configuration Registry:

apache2/hsts : Default value <empty>, set to yes
Commentary in UCS: Enable HTTP Strict Transport Security (HSTS) by setting this variable to ‘yes’. ‘apache2/force_https’ should be enabled additionally to take full advantage of HSTS.

apache2/hsts/max-age : Default value <empty>, set to 15552000 as indicated by Nextcloud.
Commentary in UCS: Time in seconds of how long web browsers will cache and enforce the HSTS policy on the host. Defaults to ‘10886400’ - which are 18 weeks.

apache2/hsts/includeSubDomains : Default value <empty>, set to yes
Commentary in UCS: Applies HSTS policy also to subdomains if set to ‘yes’.

Additionally I activated:
apache2/force_https : Default value <empty>, set to yes as indicated in apache2/hsts.

In UCS / System / System services: Restart apache2! Be aware of connected users!

B.)
As indicated in Nextcloud, I executed occ db:convert-filecache-bigint, using for example PuTTY as administrator. In the console:

$ sudo su
(switch to the root user)
$ univention-app shell nextcloud sudo -u www-data /var/www/html/occ db:convert-filecache-bigint
(execute the command inside the Nextcloud app)

I couldn’t solve the following errors:

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation.
  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

Are there any UCS variables to set? This post was not conclusive for me.

As I’m a beginner in the Linux terminal, all hints and criticism are welcome.

Stay healthy
mangrovenjazz

I am not sure that I mention all the steps I did to get rid of the warning.

Create a snapshot or do a backup of your system before you try to follow my steps.

Last year I just added the two lines manually to

/etc/apache2/sites-enabled/default-ssl.conf

below the line

ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud

Redirect 301 /.well-known/carddav https://my-UCS-domain.de/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://my-UCS-domain.de/nextcloud/remote.php/dav

But before any update I had to remove them and insert them again after any update or “ucr commit…”.

So I tried the following:

First I created a template named

11hsts

in the folder

/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/

containing these lines:

Redirect 301 /.well-known/carddav https://my-UCS-domain.de/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://my-UCS-domain.de/nextcloud/remote.php/dav

As a second step I generated an info file in

/etc/univention/templates/info

with the name

univention-apache-my.info

and added the following entries:

Type: subfile
Multifile: etc/apache2/sites-available/default-ssl.conf
Subfile: etc/apache2/sites-available/ssl.d/11hsts

I do not know whether I did a

ucr register univention-apache-my.info

before

ucr commit /etc/apache2/sites-available/default-ssl.conf

(not sure whether I did a

ucr commit apache2

only)

If everything was done right, the header of

/etc/apache2/sites-enabled/default-ssl.conf

should contain the line:

# /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/11hsts

and at the end:

ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud
Redirect 301 /.well-known/carddav https://my-UCS-domain.de/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://my-UCS-domain.de/nextcloud/remote.php/dav
</VirtualHost>
</IfModule>

The last step is to load the settings into Apache:

service apache2 reload

Documentation:
http://docs.software-univention.de/developer-reference-4.0.html#ucr:conffiles
examples:
https://www.linet-services.de/templates-for-configuration-files-in-univention/

I hope it will work for you, because I cannot assist if not.
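Added example (not part of either post above): two small POSIX shell functions that verify from the client side what the steps in this thread are meant to achieve, namely the HSTS header from A.) (max-age of at least 15552000 plus includeSubDomains, matching the three UCR variables) and the /.well-known/caldav and /.well-known/carddav redirects produced by the 11hsts template. The host name my-UCS-domain.de is the placeholder used in the thread, and the sample responses are constructed, not captured from a real UCS host; in production, pipe the output of curl -sI in instead.

```shell
#!/bin/sh
# Added example (not from the forum posts): offline checks for the two
# Nextcloud admin warnings discussed in the thread. Real-world usage:
#   curl -sI https://my-UCS-domain.de/nextcloud/ | check_hsts_header
#   curl -sI https://my-UCS-domain.de/.well-known/caldav | check_wellknown_redirect
# "my-UCS-domain.de" is the placeholder host used in the thread.

# Minimum max-age (seconds) that Nextcloud's overview page asks for: 180 days.
HSTS_MIN_AGE=15552000

# Print the max-age of the Strict-Transport-Security header read from stdin,
# or nothing if the header or the directive is absent.
hsts_max_age() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n1 \
        | grep -oi 'max-age=[0-9]*' | head -n1 | cut -d= -f2
}

# Return 0 if the response headers on stdin carry an HSTS policy with
# max-age >= HSTS_MIN_AGE and includeSubDomains (what apache2/hsts,
# apache2/hsts/max-age and apache2/hsts/includeSubDomains should yield).
# The reason for a failure goes to stderr.
check_hsts_header() {
    headers=$(tr -d '\r')
    hdr=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' | head -n1)
    if [ -z "$hdr" ]; then
        echo "HSTS: header missing (apache2/hsts not 'yes', or apache2 not restarted?)" >&2
        return 1
    fi
    max_age=$(printf '%s\n' "$headers" | hsts_max_age)
    if [ -z "$max_age" ] || [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
        echo "HSTS: max-age '${max_age:-none}' is below $HSTS_MIN_AGE" >&2
        return 1
    fi
    if ! printf '%s\n' "$hdr" | grep -qi 'includeSubDomains'; then
        echo "HSTS: includeSubDomains directive missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if the response headers on stdin are a 301/302 whose Location
# points at Nextcloud's DAV endpoint (/remote.php/dav) over https, i.e. what
# the two Redirect lines in the 11hsts template produce.
check_wellknown_redirect() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
    case "$status" in
        301|302) ;;
        *)
            echo "well-known: expected 301/302, got '${status:-none}'" >&2
            return 1
            ;;
    esac
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n1 | sed 's/^[^:]*: *//')
    case "$location" in
        https://*/remote.php/dav) return 0 ;;
        *)
            echo "well-known: Location '${location:-none}' does not end in /remote.php/dav over https" >&2
            return 1
            ;;
    esac
}

# Constructed sample responses (not captured from a real server).
sample_good_hsts()        { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n'; }
# UCS default of 18 weeks without includeSubDomains: still triggers the warning.
sample_weak_hsts()        { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=10886400\r\n\r\n'; }
sample_good_redirect()    { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://my-UCS-domain.de/nextcloud/remote.php/dav\r\n\r\n'; }
# What you get when the Redirect lines were dropped by an update or ucr commit.
sample_missing_redirect() { printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n'; }

# Stand-alone run: report the verdict for each sample.
for sample in sample_good_hsts sample_weak_hsts; do
    if "$sample" | check_hsts_header; then echo "$sample: OK"; else echo "$sample: FAIL"; fi
done
for sample in sample_good_redirect sample_missing_redirect; do
    if "$sample" | check_wellknown_redirect; then echo "$sample: OK"; else echo "$sample: FAIL"; fi
done
```

Run the two curl lines from the header comment against the UCS host after every update or ucr commit: if check_wellknown_redirect fails with a 404, the Redirect lines have been lost again and the template registration needs a second look.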
