I ran into a number of warnings on the Nextcloud admin page, listed below, and fixed them.
This is a note on how I resolved each one.
- The PHP memory limit is below the recommended value of 512MB
- The "…" is not set to "…" This is a potential security or privacy risk,
- Your web server is not properly set up to resolve "…"
- Your installation has no default phone region set.
- Your PHP does not have FreeType support,
- This instance is missing some recommended PHP modules.
- Deleted X-Powered-By header
- Verification
- Conclusion
The PHP memory limit is below the recommended value of 512MB
This is very simple.
I set php_admin_value[memory_limit] in the php-fpm pool configuration, and at the same time reduced the number of php-fpm child processes so that the larger per-process limit cannot exhaust memory on the host.
-pm.max_children = 50 -pm.start_servers = 20 -pm.min_spare_servers = 20 -pm.max_spare_servers = 40 +pm.max_children = 15 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 10 +php_admin_value[memory_limit] = 512M
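Review bot: with pm.max_children = 15 and memory_limit = 512M the worst case for this pool alone is 15 x 512M, roughly 7.5 GB, so the container or host memory limit has to cover that or pm.max_children needs to come down further; it would help to state the sizing in the commit. Also note that php_admin_value only applies to the FPM pool: occ and cron.php run under php-cli, which reads memory_limit from php.ini, so the limit needs to be raised there as well if those jobs are to benefit.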
This is my commit on GitHub.
The “…” is not set to “…” This is a potential security or privacy risk,
These are the warnings:
- The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk.
- The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk.
- The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk.
- The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk.
- The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk.
- The "X-XSS-Protection" HTTP header doesn't contain "1; mode=block". This is a potential security or privacy risk.
- The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. This is a potential security or privacy risk.
- The "Referrer-Policy" HTTP header is not set to "no-referrer". This is a potential security or privacy risk.
Fixing them only takes a few add_header lines in the server block of the Nginx configuration. Two things to watch: Strict-Transport-Security has to be a max-age directive (a bare number is not a valid HSTS value and browsers ignore it), and add_header is not inherited by a location block that has its own add_header, so either keep these lines at server level with no add_header inside the locations, or repeat them in every location (the php one in particular) that needs them.
add_header X-Content-Type-Options nosniff always;
add_header X-Robots-Tag none always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header X-XSS-Protection "1; mode=block" always;
# HSTS must be written as a max-age directive (seconds); "always" also sets the headers on error responses
add_header Strict-Transport-Security "max-age=15552000" always;
add_header Referrer-Policy no-referrer always;
This is the commit on GitHub. Note that there must be a space between "1;" and "mode=block"; the commit is missing it.
Your web server is not properly set up to resolve “…”
These are the warnings:
- Your web server is not properly set up to resolve "/.well-known/webfinger".
- Your web server is not properly set up to resolve "/.well-known/nodeinfo".
- Your web server is not properly set up to resolve "/.well-known/caldav".
- Your web server is not properly set up to resolve "/.well-known/carddav".
I left webfinger and nodeinfo as they are, because I could not get rid of those warnings and they are not dangerous.
I fixed caldav and carddav by adding the following to the server block of Nginx. The two exact-match locations send CalDAV/CardDAV discovery to the DAV endpoint, and everything else under /.well-known/ is handed to Nextcloud's own front controller:
location ^~ /.well-known {
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
    # $request_uri keeps the query string, which webfinger lookups carry their subject in
    location ^~ /.well-known/ { return 301 /index.php$request_uri; }
}
You can see the change in this commit.
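The header section and the .well-known section above both say what a correct response must look like, but reloading the admin page is a slow way to find out whether a proxy change worked. The following Python script is an added example, not code from this post, its commits or Nextcloud: it re-implements those checks against a captured response, so they can be run offline on the constructed samples below or against a live host with fetch(). The function names, the sample header sets and the host cloud.example.net are this example's own assumptions.

```python
"""Offline checker for the header and .well-known warnings above.

Added example: not code from this post, its commits or Nextcloud. The checks
mirror the warning texts quoted above; function names, the sample header
sets and the host cloud.example.net are this example's own assumptions.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

# Exact values the warnings ask for (compared case-insensitively).
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-robots-tag": "none",
    "x-frame-options": "sameorigin",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "no-referrer",
}
HSTS_MIN_AGE = 15552000  # seconds (180 days), the minimum the warning asks for
# Where the proxy must send CalDAV/CardDAV discovery requests.
EXPECTED_REDIRECTS = {
    "/.well-known/carddav": "/remote.php/dav/",
    "/.well-known/caldav": "/remote.php/dav/",
}


def _norm(headers):
    """Header names are case-insensitive: compare lower-cased names, stripped values."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_headers(headers):
    """One finding per missing or wrong header; an empty list means clean."""
    h = _norm(headers)
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        got = h.get(name)
        if got is None:
            findings.append(f'{name}: missing, want "{want}"')
        elif got.lower() != want:
            findings.append(f'{name}: got "{got}", want "{want}"')
    # The warning says "contain", i.e. a substring match: "1;mode=block" fails.
    if "1; mode=block" not in h.get("x-xss-protection", ""):
        findings.append('x-xss-protection: must contain "1; mode=block"')
    # HSTS is only valid as a max-age directive; a bare number is not HSTS at all.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if m is None:
        findings.append(f'strict-transport-security: "{hsts}" has no max-age directive')
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"strict-transport-security: max-age {m.group(1)} < {HSTS_MIN_AGE}")
    if "x-powered-by" in h:  # the header the post strips with fastcgi_hide_header
        findings.append("x-powered-by: present, leaks the PHP version")
    return findings


def check_well_known(path, status, headers):
    """Check that a .well-known discovery request is redirected where Nextcloud expects."""
    want = EXPECTED_REDIRECTS.get(path)
    if want is None:
        return [f"{path}: no expectation defined"]
    if status not in (301, 302, 307, 308):
        return [f"{path}: status {status}, expected a redirect to {want}"]
    # nginx may emit an absolute Location; compare only the path component.
    location = urllib.parse.urlsplit(_norm(headers).get("location", "")).path
    if location != want:
        return [f'{path}: redirects to "{location}", expected "{want}"']
    return []


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10.0):
    """GET a URL without following redirects and return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry the headers
        return err.code, dict(err.headers.items())


# Constructed samples: SAMPLE_FROM_POST mirrors the post's nginx lines (bare HSTS
# number, no blank in X-XSS-Protection, X-Powered-By still present).
SAMPLE_FROM_POST = {
    "X-Content-Type-Options": "nosniff", "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN", "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none", "X-XSS-Protection": "1;mode=block",
    "Strict-Transport-Security": "15552000", "Referrer-Policy": "no-referrer",
    "X-Powered-By": "PHP/8.1.0",
}
SAMPLE_HARDENED = {k: v for k, v in SAMPLE_FROM_POST.items() if k != "X-Powered-By"}
SAMPLE_HARDENED["X-XSS-Protection"] = "1; mode=block"
SAMPLE_HARDENED["Strict-Transport-Security"] = "max-age=15552000; includeSubDomains"

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://cloud.example.net"  # assumed host
    for finding in check_headers(fetch(base + "/")[1]):
        print("FAIL", finding)
    for path in EXPECTED_REDIRECTS:
        status, hdrs = fetch(base + path)
        for finding in check_well_known(path, status, hdrs):
            print("FAIL", finding)
```

Run it as python3 check_nextcloud.py https://your-host to audit a live instance; on SAMPLE_FROM_POST it reports three findings (the bare HSTS number, the missing blank in X-XSS-Protection and the X-Powered-By leak), on SAMPLE_HARDENED none. fetch() deliberately disables urllib's redirect following, because the whole point of the .well-known check is to look at the Location header of the 301 rather than at wherever it leads.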
Your installation has no default phone region set.
Just add this line to Nextcloud's configuration file, config.php, using the two-letter ISO 3166-1 country code of the region your users are in (refer to this page for the exact syntax):
'default_phone_region' => 'JP',
Your PHP does not have FreeType support,
I did the following in the Dockerfile:
- apt install libfreetype6-dev
- docker-php-ext-configure gd --with-freetype
The diff looks like this:
-docker-php-ext-configure gd --with-jpeg --with-webp && \ +apt -y install libfreetype6-dev libjpeg-dev libwebp-dev && \ +docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp && \
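Review bot: the added `apt -y install libfreetype6-dev libjpeg-dev libwebp-dev` has no `apt-get update` in view; on a fresh base image the package index is empty and the install fails unless an earlier layer updated it, and an index left over from an earlier layer installs stale packages. Suggest `apt-get update && apt-get install -y --no-install-recommends libfreetype6-dev libjpeg-dev libwebp-dev` in the same RUN step, with `rm -rf /var/lib/apt/lists/*` at the end of the step so the index does not ship in the image; apt-get is also the front end meant for scripts, apt prints a warning about its unstable CLI when used non-interactively.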
You can see the full diff in this commit.
This instance is missing some recommended PHP modules.
Just add intl and gmp. intl is built against ICU, so its headers (libicu-dev) have to be installed alongside libgmp-dev unless an earlier layer already did; docker-php-ext-install enables what it builds, so the docker-php-ext-enable line is a harmless no-op:
apt install libicu-dev libgmp-dev && \
docker-php-ext-install intl gmp && \
docker-php-ext-enable intl gmp && \
This is the commit.
Deleted X-Powered-By header
By default PHP adds an X-Powered-By header carrying its version to every response. That is server information that should be hidden, so I strip it from the FastCGI response in Nginx:
fastcgi_hide_header X-Powered-By;
This goes in the location block that does fastcgi_pass (or at server level). Setting expose_php = Off in php.ini stops PHP from emitting the header in the first place, and server_tokens off; does the same for the Nginx version in the Server header.
This is the commit.
Verification
Almost all of the warnings disappeared; only the webfinger/nodeinfo ones remain.
I also scanned the instance with the official check tool.
The result was level A+, which is the most secure rating!
Conclusion
How was it?
You should do this first; why not?