Getting errors with nginx

Andy_Newby · June 10, 2020, 4:20pm

Hi all,

I seem to be having some issues getting this setup with nginx. I’m on the latest download of ownCloud (downloaded it today)

Here is my config for the domain:

server {
    listen      123.123.221.220:443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name drive.foo.com ;
    root        /home/drive/web/drive.foo.com/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/drive.foo.com.log combined;
    access_log  /var/log/nginx/domains/drive.foo.com.bytes bytes;
    error_log   /var/log/nginx/domains/drive.foo.com.error.log error;

    ssl_certificate      /home/drive/conf/web/ssl.drive.foo.com.pem;
    ssl_certificate_key  /home/drive/conf/web/ssl.drive.foo.com.key;

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

      location / {
          rewrite ^ /index.php$uri;
      }

      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          return 404;
      }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          return 404;
      }

      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|ocm-provider/.+|core/templates/40[34])\.php(?:$|/) {
          fastcgi_split_path_info ^(.+\.php)(/.*)$;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
          fastcgi_param front_controller_active true;
          fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries

          #fastcgi_pass php-handler;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off; #Available since NGINX 1.7.11


           location ~ [^/]\.php(/|$) {
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               if (!-f $document_root$fastcgi_script_name) {
                   return  404;
               }

               fastcgi_pass    127.0.0.1:9080;
               fastcgi_index   index.php;
               include         /etc/nginx/fastcgi_params;
           }

      }

      location ~ ^/(?:updater|ocs-provider|ocm-provider)(?:$|/) {
          try_files $uri $uri/ =404;
          index index.php;
      }

      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~ \.(?:css|js)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "max-age=15778463" always;

          # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
          # The always parameter ensures that the header is set for all responses, including internally generated error responses.
          # Before enabling Strict-Transport-Security headers please read into this topic first.
          # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header X-Robots-Tag none always;
          add_header X-Download-Options noopen always;
          add_header X-Permitted-Cross-Domain-Policies none always;
          # Optional: Don't log access to assets
          access_log off;
      }

      location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json)$ {
          add_header Cache-Control "public, max-age=7200" always;
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
      }


    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;

    location /error/ {
        alias   /home/drive/web/drive.foo.com/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }



    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     /etc/nginx/conf.d/webmail.inc*;

    include     /home/drive/conf/web/nginx.drive.foo.com.conf*;
}

The admin area loads at https://drive.foo.com/index.php, but I get a load of alerts in red at the top:

Security & setup warnings

    Transactional file locking should be configured to use memory-based locking, not the default slow database-based locking. See the documentation ↗ for more information.
    We recommend to enable system cron as any other cron method has possible performance and reliability implications.

    Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our documentation. (List of invalid files… / Rescan…)

    The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

    No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.

Please double check the installation guides ↗, and check for any errors or warnings in the log.

For the headers - I’m confused. I do have those headers. Where does it decide if those headers exist or not?

Once I’ve got that sorted - I can then come back and look at the other alerts as well

Thanks!

Andy