Setup & security warnings behind nginx proxy

bencgreen · April 16, 2021, 5:20pm

I’ve had ownCloud working behind an Nginx proxy via the Docker image for a year or more, but I noticed today that the Settings -> Admin -> General page is showing these:

This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest enabling the Internet connection for this server.
The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

Except, they all are! And if I connect to the container via docker exec -it owncloud-server bash I can ping / curl to my heart’s content.

Everything works fine - I can login, access files, sync with desktop, the apps work fine, so I think it’s not a problem with the setup but with the warnings?

The annoying thing is that I can’t connect to the marketplace to update / install apps any more - despite the fact I have previously, and definitely under 10.6.

Is it safe to downgrade to 10.6 to check if I get the same warnings, now I’ve upgraded to 10.7?

Is there anything else I can do to test the config? As I say, I’ve had this config working since a fresh install under 10.4.

bencgreen · April 16, 2021, 5:32pm

OK so apparently owncloud is setting the headers, as is my proxy server, so they are appearing twice - is there any way to stop owncloud doing this?

That solves the header issue - but the no internet connection issue is very strange - especially as I can connect via docker exec and can quite happily connect to the outside world.

bencgreen · May 24, 2021, 2:29pm

This is still a problem despite updating to the latest Docker images - is no-one else struggling with this? The crazy thing is, I can send a test email from the admin interface, so it obviously is connected to the internet!

eneubauer · May 25, 2021, 8:41am

github.com

owncloud/core/blob/bf1ee0095759cf3132182bc3333194f1fafce162/tests/Settings/Controller/CheckSetupControllerTest.php#L115

    
      
          			->will($this->returnValue(false));
          
          
		$this->assertFalse(
          			self::invokePrivate(
          				$this->checkSetupController,
          				'isInternetConnectionWorking'
          			)
          		);
          	}
          
          
	public function testIsInternetConnectionWorkingCorrectly() {
          		$this->config->expects($this->once())
          			->method('getSystemValue')
          			->with('has_internet_connection', true)
          			->will($this->returnValue(true));
          
          
		$client = $this->getMockBuilder('\OCP\Http\Client\IClient')
          			->disableOriginalConstructor()->getMock();
          		$client->expects($this->at(0))
          			->method('get')
          			->with('https://www.owncloud.org/', []);

It seems like ownCloud tests whether it has a working internet connection by performing a GET request to https://www.owncloud.org/.

Perhaps try running a curl against that from within the docker container?

Regarding your reverse proxy configuration:

Did you check the documentation article about it
Use the available environment variables to configure it in your docker setup: GitHub - owncloud-docker/base: Base image for the ownCloud stack

bencgreen · May 25, 2021, 10:49am

Thanks for getting back to me. Yes I’d tested that - this is the result:

root@331fae586d44: /var/www/owncloud # curl https://www.owncloud.org/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://owncloud.com/">here</a>.</p>
<hr>
<address>Apache Server at www.owncloud.org Port 443</address>
</body></html>

I assume that is the correct response - regardless, it shows that there IS a working internet connection from within the container. The proxy is working fine as well - I can access files, over the local network and remotely, sync files to my PC, etc.

I’ve also been through that article before (and again) and checked / tested all the config values, there was one weird thing, which I corrected by removing the initial http://, but it made no difference:

'overwrite.cli.url' => 'http://https://xxxxxx'

bencgreen · May 25, 2021, 10:58am

OK, so I think I’ve figured it out - I had a brainwave and tried to use occ to update the market apps, to see if that gave me anything more sensible as an error, and I got this:

No marketplace connection: cURL error 77: error setting certificate verify locations: CAfile: /var/www/owncloud/data/files_external/rootcerts.crt CApath: /etc/ssl/certs

I searched for that error on the forums and found this - deleting /var/www/owncloud/data/files_external/rootcerts.crt and restarting my container fixed it, I no longer get the warning, and I am able to update apps again from the marketplace.

system · August 23, 2021, 10:58am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.