Nextcloud 15 with Apache and Letsencrypt, on Ubuntu 18.04

by Yannick

Web server configuration

We all know and love Nextcloud. We also know and love Letsencrypt. So it is only natural that we would want to secure our beloved Nextcloud 15 instance with a letsencrypt certificate.

I’m not going to go over how to install Nextcloud, or how to get an SSL certificate. I will assume you have already done that, using the certbot deb package, and the official tarball for Nextcloud.

I know, I know, Nextcloud is now available as a snap, but back when I installed my instance of Nextcloud, snaps had not been invented yet !

If, like me, you are using Apache and you followed the instructions to the letter, you end up with something similar to this for your webserver’s configuration file :

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName cloud.example.com
        ServerAdmin john.doe@example.com
        DocumentRoot /home/nextcloud
        ServerSignature off

        <Directory /home/nextcloud>
                Options +FollowSymlinks
                AllowOverride All
                Require all granted

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
                </IfModule>

                SetEnv HOME /home/nextcloud
                SetEnv HTTP_HOME /home/nextcloud
        </Directory>

        <Directory "/home/nextcloud/data/">
                # just in case if .htaccess gets disabled
                Require all denied
        </Directory>

        ErrorLog /var/log/apache2/cloud/error.log
        CustomLog /var/log/apache2/cloud/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/cloud.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

</IfModule>

Checking Nextcloud.

Now, you have done everything to the letter, and you go to https://cloud.example.com/index.php/settings/admin/overview and, oh surprise : three HTTP headers are either missing or not set to the correct value : X-Content-Type-Options, X-Frame-Options and Referrer-Policy. How is that possible, I hear you ask ?

Well, here’s what’s going on : Nexcloud hardcodes 5 HTTP headers : X-Content-Type-Options, X-XSS-Protection, X-Robots-Tag, X-Frame-Options and Referrer-Policy.

And it turns out that in letsencrypt’s configuration file (/etc/letsencrypt/options-ssl-apache.conf), four of those headers are also defined :

Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy no-referrer-when-downgrade
Header always set X-Content-Type-Options "nosniff"

So in the end, if you spy on the response sent by your webserver, you realize that X-Content-Type-Options, X-Frame-Options and Referrer-Policy appear twice :

Referrer-Policy    no-referrer-when-downgrade
Referrer-Policy    no-referrer
X-Content-Type-Options    nosniff
X-Content-Type-Options    nosniff
X-Frame-Options    DENY
X-Frame-Options    SAMEORIGIN

That confuses Nextcould, and it reports a problem.

X-XSS-Protection also appears twice, but for some reasons, Nextcloud seems to be fine with that.

Fixing it

Fortunately, the fix is easy.

Because letsencrypt adds the always keyword – wich means that even when there is an error, those headers should be sent to the browser -, they actually “live” in a different “table” – that’s how Apache calls that -, while the headers set by Nextcloud live in the “onsuccess” table (the default one).

So all we need to do is remove those headers from the “always” table, and we’ll be good.

To do so, we add the following line at the end of the Apache’s configuration file :

        Include /etc/letsencrypt/options-ssl-apache.conf

        Header always unset X-Frame-Options
        Header always unset X-Content-Type-Options
        Header always unset X-XSS-Protection
        Header always unset Referrer-Policy

Then, make apache reload its configuration :

sudo systemctl reload apache2

Checking again

Go back to https://cloud.example.com/index.php/settings/admin/overview, and there should be no more warnings about incorrect headers !

by Yannick

Comments

Start the discussion at discourse.bigdaddylinux.com

Recent Posts

Recent Comments

Post comments are integrated with our Discourse forum. Each posts links to the specific discussion thread or you can visit the forum directly at https://discourse.bigdaddylinux.com/