Safety warnings in NC 19.0.3

Hi @all,

I have installed NC 19.0.3 on a UCS 4.4.6 member from the App Center. In NC I get the following security warnings:

There are some warnings regarding your setup.

  • The HTTP header “Strict-Transport-Security” is not set to at least 15552000 seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation.

  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

  • The database is missing some indexes. Because adding indexes on big tables can take some time, they were not added automatically. By running “occ db:add-missing-indices” the missing indexes can be added manually while the instance keeps running. Once the indexes are added, queries on those tables are usually faster.

    • Missing index “calendarobject_calid_index” in table “oc_calendarobjects_props”.
    • Missing index “schedulobj_principuri_index” in table “oc_schedulingobjects”.
    • Missing index “properties_path_index” in table “oc_properties”.
  • The database is missing some optional columns. Because adding columns on big tables can take some time, they were not added automatically when they can be optional. By running “occ db:add-missing-columns” the missing columns can be added manually while the instance keeps running. Once the columns are added, some features might improve responsiveness or usability.

    • Missing optional column “reference_id” in table “oc_comments”.
  • Some columns in the database can be converted to big int. Changing column types on big tables can take some time, so the conversion has to be started manually with “occ db:convert-filecache-bigint”. The instance must be offline for the conversion. Details are on the corresponding documentation page.

    • mounts.storage_id
    • mounts.root_id
    • mounts.mount_id

Please double-check the installation guides and check the log for possible errors or warnings.

Check the security of your Nextcloud via our security scanner.

The warnings contain links to the documentation with information about the problems.

I’m asking because I have never made manual changes in the configurations under UCS. Most of the time the changes were also made via UCR.

Do I have to resolve these warnings manually or via UCR under UCS?

With best,
sven

Hi @pixel,

I think unfortunately not all the warnings can be handled the same way.

  • hsts: there is a system-wide setting which you can apply. ucr search hsts will give you the relevant settings.
  • the occ commands: you can run them with
    univention-app shell nextcloud sudo -u www-data /var/www/html/occ
  • I have had difficulties getting rid of the /.well-known/... entries. As I have a dedicated apache vhost and subdomain for nextcloud, I have finally added the rewrite entries from the nextcloud doc to that file (I didn't get any .htaccess method to work).

Best, Bernd
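As an added example (not part of Bernd's post or of the Nextcloud/UCS projects), here is the occ wrapper from the bullet above turned into a script that runs the three database fixes the warnings ask for. It assumes the App Center layout described in this thread (app name "nextcloud", occ at /var/www/html/occ inside the container); OCC_PREFIX is an added knob so the sequence can be dry-run without touching the instance.

```shell
#!/bin/sh
# Added example, not from the thread: run the three database fixes from the
# warnings above through the occ wrapper Bernd gave. Assumes the App Center
# layout from the thread (app name "nextcloud", occ at /var/www/html/occ
# inside the container). OCC_PREFIX is an added knob: set it to "echo" to
# dry-run the sequence without touching the instance.
set -eu

OCC_PREFIX="${OCC_PREFIX:-univention-app shell nextcloud sudo -u www-data /var/www/html/occ}"

# occ: run one Nextcloud occ command inside the app container.
occ() {
    # shellcheck disable=SC2086  # the prefix is meant to be word-split
    $OCC_PREFIX "$@"
}

# fix_db_warnings: indexes and columns can be added while the instance runs;
# the bigint conversion must not (the warning says "instance offline"), so it
# is wrapped in maintenance mode, which is switched off again even if the
# conversion fails. -n answers occ's confirmation prompts non-interactively.
fix_db_warnings() {
    occ db:add-missing-indices -n
    occ db:add-missing-columns -n
    occ maintenance:mode --on
    rc=0
    occ db:convert-filecache-bigint -n || rc=$?
    occ maintenance:mode --off
    return "$rc"
}

# Usage on the UCS host (not inside the container):
#   OCC_PREFIX=echo sh fix-nc-db.sh apply   # dry run, prints the five occ calls
#   sh fix-nc-db.sh apply                   # really run them
if [ "${1:-}" = apply ]; then
    fix_db_warnings
fi
```

The point of the wrapper is the ordering: the two online fixes first, then maintenance mode around the bigint conversion, and maintenance mode off again on the error path so a failed conversion does not leave the instance locked.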

First step was to fix these warnings; I ran these on the UCS:

ucr set apache2/force_https=yes
ucr set apache2/hsts/includeSubDomains=yes
ucr set apache2/hsts/max-age=15552000

Restarted the UCS afterwards. The message about HSTS has not disappeared.

Do you have a special vhost for nextcloud?

If nextcloud is served through /etc/apache2/sites-enabled/default-ssl.conf it should pick up those values, I guess. See /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts

I see on a system - where I didn't configure a subdomain - that for the well-known part I have created a file /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/50nextcloud-wellknown with:
### https://docs.nextcloud.com/server/15/admin_manual/issues/general_troubleshooting.html#service-discovery
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
  RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
  RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
  RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
</IfModule>

in it and passed it through to default-ssl.conf.

Best, Bernd

I have forgotten one variable:
ucr set apache2/hsts=yes
shame on me!

Now on to the other warnings.
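As an added example (not from sven's or Bernd's posts, and not UCS or Nextcloud code), the four UCR variables from the two posts above in one step, followed by a check of the header the web server actually sends, which is what Nextcloud's warning is measuring (max-age of at least 15552000 seconds). The ucr and curl steps assume a UCS host with the nextcloud app; the host name is taken from the vhost dump later in this thread and NC_URL is an added knob to adjust it. The header parser runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: set the four UCR variables that together
# produce the HSTS header (apache2/hsts=yes is the one sven had missed), then
# verify what the web server actually sends, the way Nextcloud's check does
# (max-age of at least 15552000 seconds). The ucr/curl steps assume a UCS host
# with the nextcloud app; the header parser runs anywhere. The host name is
# taken from the vhost dump in this thread; adjust NC_URL for your own host.
set -eu

NC_URL="${NC_URL:-https://cloud01.gehr.local/nextcloud/}"
MIN_MAX_AGE=15552000

# enable_hsts: ucr set rewrites the ssl.d/10hsts template into
# default-ssl.conf on its own; apache only needs a reload afterwards.
enable_hsts() {
    ucr set apache2/force_https=yes \
            apache2/hsts=yes \
            apache2/hsts/includeSubDomains=yes \
            apache2/hsts/max-age="$MIN_MAX_AGE"
    apache2ctl configtest
    systemctl reload apache2
}

# hsts_max_age: read response headers on stdin and print the max-age value of
# the Strict-Transport-Security header (nothing if the header is absent).
hsts_max_age() {
    tr -d '\r' | awk -F': ' '
        tolower($1) == "strict-transport-security" {
            n = split($2, d, /[;[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (tolower(d[i]) ~ /^max-age=/) { sub(/^[^=]*=/, "", d[i]); print d[i]; exit }
        }'
}

# hsts_ok: succeed only if the headers on stdin carry max-age >= MIN_MAX_AGE;
# a missing header is a failure, not a pass.
hsts_ok() {
    age="$(hsts_max_age)"
    [ -n "$age" ] && [ "$age" -ge "$MIN_MAX_AGE" ]
}

# check_live: HEAD the real instance. -k because clients rarely trust the
# UCS CA; the header is still meaningful over an untrusted chain.
check_live() {
    curl -sSIk "$NC_URL" | hsts_ok
}

# Usage on the UCS host: . ./hsts.sh; enable_hsts; check_live && echo "HSTS ok"
```

Checking the live response rather than the UCR values catches the case in this thread, where three variables were set but the header still was not emitted.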

With the “well-known errors” I get no further.

I think not. I installed Nextcloud on the UCS member without any customizations from the App Center.

The mentioned adjustments are not clear to me. Which files exactly do I have to adapt? On the UCS host or inside the Docker container?

No, if you have just installed it through the app-center, then you won’t have a dedicated apache-vhost.

My proposal is to add a file to a ucs-template - the one that is serving the default-ssl.conf

That being said, you should read through the developer handbook from UCS and get comfortable with adding and changing template files.

I have not seen an easy way to handle those well-known entries.
That being said - they actually don't affect the service on nextcloud. They just serve a discovery service - especially for mobile devices - for the calendar and contacts app on nextcloud.
Everything should work without these settings too.

Best, Bernd

On the UCS host (not Docker container) the file “/etc/apache2/sites-enabled/default-ssl.conf” exists.

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and can be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# 
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
# 	/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
# 

<IfModule mod_ssl.c>

<VirtualHost *:443>
	IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
	SSLEngine on
	SSLProxyEngine on
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerName off
	SSLProxyCheckPeerExpire off
	SSLCertificateFile /etc/univention/ssl/cloud01.gehr.local/cert.pem
	SSLCertificateKeyFile /etc/univention/ssl/cloud01.gehr.local/private.key
	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

	#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

	### To enable special log format for HTTPS-access
	# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
	# CustomLog /var/log/apache2/access.log combinedssl	## with port number

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>


	ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
	ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud



</VirtualHost>
</IfModule>

Here are the values for Nextcloud. In which template do I have to insert which rows?

If you compare the header of your default-ssl.conf with my proposal you will see that I have created an additional template-file 50nextcloud that writes the missing redirections to this file.

But you will actually need two files: 1) the conf file with the content and 2) an info file which will tell ucr to actually read this file when creating default-ssl.conf

So warning - read the docs! - the name “default-ssl.conf” indicates some importance.

  1. Create the file - like in post 4 in this thread
  2. Make an info file: /etc/univention/templates/info/nextcloud-wellknown.info
Type: subfile
Multifile: etc/apache2/sites-available/default-ssl.conf
Subfile: etc/apache2/sites-available/ssl.d/50nextcloud-wellknown

See https://docs.software-univention.de/developer-reference-4.4.html#ucr:multifile

  3. Run ucr update and ucr commit /etc/apache2/sites-available/default-ssl.conf
  4. Reload apache …

Have I mentioned that this can break things and that it is a user proposal?

Best, Bernd
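As an added example (my script, not Bernd's post and not UCS or Nextcloud code), the recipe above as a script that writes the subfile and its .info entry together, and a check of the redirect Nextcloud probes for. It assumes the App Center layout shown in the vhost dump above (ProxyPass /nextcloud to 127.0.0.1:40000, no dedicated vhost). Two things differ from the rules Bernd posted, both deliberate: the host-meta/webfinger rules carry [PT] so the rewritten path is handed back to ProxyPass (in VirtualHost context a plain RewriteRule target is treated as a file path and would never reach the container), and host-meta.json is listed before host-meta so the unanchored host-meta pattern does not swallow it. The root argument of write_wellknown_template and NC_URL are added knobs.

```shell
#!/bin/sh
# Added example, not from the thread: Bernd's recipe as a script, so the
# rewrite subfile and its .info entry are written together, followed by a
# check of the redirect Nextcloud probes for. Assumes the App Center layout
# from the vhost dump above (ProxyPass /nextcloud -> 127.0.0.1:40000, no
# dedicated vhost). The root argument of write_wellknown_template is an added
# knob so the files can be written into a scratch directory first.
set -eu

SUBFILE="etc/apache2/sites-available/ssl.d/50nextcloud-wellknown"
NC_URL="${NC_URL:-https://cloud01.gehr.local}"   # host name from the vhost dump; adjust

# write_wellknown_template ROOT: create the subfile and the info file under
# ROOT/etc/univention/templates ("" for the real host). The host-meta and
# webfinger rules carry [PT] in addition to the flags posted above: in
# VirtualHost context a RewriteRule target is otherwise treated as a file
# path and never reaches ProxyPass. host-meta.json comes first so the
# unanchored host-meta rule does not match it.
write_wellknown_template() {
    root="${1:-}"
    tpl="$root/etc/univention/templates"
    mkdir -p "$tpl/files/$(dirname "$SUBFILE")" "$tpl/info"
    cat > "$tpl/files/$SUBFILE" <<'EOF'
### https://docs.nextcloud.com/server/15/admin_manual/issues/general_troubleshooting.html#service-discovery
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,PT,L]
  RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,PT,L]
  RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,PT,L]
  RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
</IfModule>
EOF
    cat > "$tpl/info/nextcloud-wellknown.info" <<EOF
Type: subfile
Multifile: etc/apache2/sites-available/default-ssl.conf
Subfile: $SUBFILE
EOF
}

# apply_wellknown_template: regenerate default-ssl.conf from the templates
# and reload apache. Real host only.
apply_wellknown_template() {
    ucr update
    ucr commit /etc/apache2/sites-available/default-ssl.conf
    apache2ctl configtest
    systemctl reload apache2
}

# wellknown_redirect_ok: read the response headers of a request to
# /.well-known/caldav (or carddav) on stdin and succeed only for the 301 to
# .../nextcloud/remote.php/dav/ that the rules above produce.
wellknown_redirect_ok() {
    tr -d '\r' | awk '
        NR == 1 && $2 == "301" { status = 1 }
        tolower($1) == "location:" && $2 ~ /\/nextcloud\/remote\.php\/dav\/$/ { loc = 1 }
        END { exit !(status && loc) }'
}

# check_live: probe both paths on the real host; -k because of the UCS CA.
check_live() {
    for p in caldav carddav; do
        curl -sSIk "$NC_URL/.well-known/$p" | wellknown_redirect_ok || return 1
    done
}

# Usage on the UCS host:
#   . ./wellknown.sh; write_wellknown_template; apply_wellknown_template; check_live
```

Run apache2ctl configtest before the reload: a broken subfile would otherwise take the whole default-ssl vhost, and with it the Nextcloud proxy, down with it.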

I will test and report about it later.

The UCS host with NC runs on Proxmox as a VM. I have made a backup beforehand.