Web server configuration
We all know and love Nextcloud. We also know and love Letsencrypt. So it is only natural that we would want to secure our beloved Nextcloud 15 instance with a letsencrypt certificate.
I’m not going to go over how to install Nextcloud, or how to get an SSL certificate. I will assume you have already done that, using the
certbot deb package, and the official tarball for Nextcloud.
I know, I know, Nextcloud is now available as a snap, but back when I installed my instance of Nextcloud, snaps had not been invented yet !
If, like me, you are using Apache and you followed the instructions to the letter, you end up with something similar to this for your webserver’s configuration file :
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName cloud.example.com ServerAdmin firstname.lastname@example.org DocumentRoot /home/nextcloud ServerSignature off <Directory /home/nextcloud> Options +FollowSymlinks AllowOverride All Require all granted <IfModule mod_dav.c> Dav off </IfModule> <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" </IfModule> SetEnv HOME /home/nextcloud SetEnv HTTP_HOME /home/nextcloud </Directory> <Directory "/home/nextcloud/data/"> # just in case if .htaccess gets disabled Require all denied </Directory> ErrorLog /var/log/apache2/cloud/error.log CustomLog /var/log/apache2/cloud/access.log combined SSLCertificateFile /etc/letsencrypt/live/cloud.example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule>
Now, you have done everything to the letter, and you go to
https://cloud.example.com/index.php/settings/admin/overview and, oh surprise : three HTTP headers are either missing or not set to the correct value :
Referrer-Policy. How is that possible, I hear you ask ?
Well, here’s what’s going on : Nexcloud hardcodes 5 HTTP headers :
And it turns out that in letsencrypt’s configuration file (
/etc/letsencrypt/options-ssl-apache.conf), four of those headers are also defined :
Header always set X-Frame-Options DENY Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy no-referrer-when-downgrade Header always set X-Content-Type-Options "nosniff"
So in the end, if you spy on the response sent by your webserver, you realize that
Referrer-Policy appear twice :
Referrer-Policy no-referrer-when-downgrade Referrer-Policy no-referrer X-Content-Type-Options nosniff X-Content-Type-Options nosniff X-Frame-Options DENY X-Frame-Options SAMEORIGIN
That confuses Nextcould, and it reports a problem.
X-XSS-Protection also appears twice, but for some reasons, Nextcloud seems to be fine with that.
Fortunately, the fix is easy.
Because letsencrypt adds the
always keyword – wich means that even when there is an error, those headers should be sent to the browser -, they actually “live” in a different “table” – that’s how Apache calls that -, while the headers set by Nextcloud live in the “onsuccess” table (the default one).
So all we need to do is remove those headers from the “always” table, and we’ll be good.
To do so, we add the following line at the end of the Apache’s configuration file :
Include /etc/letsencrypt/options-ssl-apache.conf Header always unset X-Frame-Options Header always unset X-Content-Type-Options Header always unset X-XSS-Protection Header always unset Referrer-Policy
Then, make apache reload its configuration :
sudo systemctl reload apache2
Go back to
https://cloud.example.com/index.php/settings/admin/overview, and there should be no more warnings about incorrect headers !