
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

glauco

Guru
Joined
Jan 30, 2017
Messages
526
Chiming in to let everybody know that I have successfully updated Nextcloud to the latest version from within the Nextcloud web user interface since installing it using this wonderful script!
After that, I've bought a domain name and thanks to this tutorial I've set up nginx as an HTTPS-enabled reverse proxy in a different jail, so I don't need the TLS certificate on Nextcloud anymore, right? Removing entries in the apache config file/s should be enough, right? Or should I also run acme.sh --uninstall or something? Thank you.
 

glauco

Guru
Joined
Jan 30, 2017
Messages
526
Hello everybody.
I'm getting these three warnings in Nextcloud -> Administration -> Basic settings:
  • The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Can anybody tell me at least which file/s I should edit to adjust the settings as suggested?
By the way, I'm using an nginx reverse proxy, so perhaps some of those settings I should adjust on my nginx reverse proxy instead? I could be wrong, but I seem to remember (though I didn't note it down) that only the HSTS warning showed up before I set up the reverse proxy. I'm pretty new to web servers in general and reverse proxying, so please be patient!
Thank you!
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Hello everybody.
I'm getting these three warnings in Nextcloud -> Administration -> Basic settings:
  • The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Can anybody tell me at least which file/s I should edit to adjust the settings as suggested?
By the way, I'm using an nginx reverse proxy, so perhaps some of those settings I should adjust on my nginx reverse proxy instead? I could be wrong, but I seem to remember (though I didn't note it down) that only the HSTS warning showed up before I set up the reverse proxy. I'm pretty new to web servers in general and reverse proxying, so please be patient!
Thank you!

I'd start by reviewing your nginx.conf file on the reverse proxy, or at least the .conf file that is redirecting to the Nextcloud jail.


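A quick way to find out which of the three warnings will fire, before editing any config, is to look at the headers the browser actually receives from the front end (the nginx proxy in this setup), since that is what Nextcloud's check reflects. The checker below is an added example for this thread, not code from the install script or from any poster; it assumes a POSIX sh with awk and sed, and the hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# check-headers.sh: verify that the response a browser gets from the Nextcloud front end
# (the nginx reverse proxy here) carries the three headers Nextcloud's admin page warns about.
# Added example for this thread, not part of danb35's script. The hostname below is a placeholder.
#
# Usage:  curl -sI https://cloud.example.com/ | sh check-headers.sh --check

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the value of header $1 from the HTTP response headers on stdin.
# Header names are matched case-insensitively; CRs from the wire are stripped first.
header_value() {
    tr -d '\r' | awk -v lname="$(lower "$1"):" '
        tolower($1) == lname { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Extract the max-age value (seconds) from a Strict-Transport-Security header value.
hsts_max_age() {
    lower "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Read response headers on stdin and report each of the three Nextcloud checks that would
# fail, mirroring the wording of the admin-page warnings. Returns 0 only if all three pass.
check_headers() {
    hdrs=$(cat)
    rc=0

    v=$(printf '%s\n' "$hdrs" | header_value X-Content-Type-Options)
    [ "$(lower "$v")" = "nosniff" ] || {
        echo "FAIL X-Content-Type-Options: want 'nosniff', got '${v:-<unset>}'"; rc=1; }

    v=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options)
    [ "$(lower "$v")" = "sameorigin" ] || {
        echo "FAIL X-Frame-Options: want 'SAMEORIGIN', got '${v:-<unset>}'"; rc=1; }

    v=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
    age=$(hsts_max_age "$v")
    [ "${age:-0}" -ge 15552000 ] || {
        echo "FAIL Strict-Transport-Security: want max-age >= 15552000, got '${v:-<unset>}'"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: all three headers present with the values Nextcloud expects"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_headers
fi
```

On the nginx side the fix is three `add_header ... always;` lines in the `server` block that proxies to the Nextcloud jail: `X-Content-Type-Options "nosniff"`, `X-Frame-Options "SAMEORIGIN"` and `Strict-Transport-Security "max-age=15552000; includeSubDomains"`. One nginx caveat worth knowing: `add_header` directives are inherited from the enclosing level only when the current level (a `location` block, say) defines none of its own, so keep all three at the same level as any other `add_header` you already have. Re-run the check after `service nginx reload`; the Apache config inside the jail only matters for what the proxy passes through.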
 

Yaguznal

Explorer
Joined
Dec 23, 2013
Messages
63
Ugh, just realized that the free DNS domain name .linkpc.net I use has too many certificates already, and it is not my testing that saturated the requests.
Is there any way I can get a cert for just my subdomain "homecommunity.linkpc.net"?

I know it's off topic. Sorry.
 

SirHW

Cadet
Joined
Oct 9, 2017
Messages
3
Just tried this script on 11.1-U5 and it worked beautifully. The only tweak I made was enabling HSTS after the install. That brought me from an "A" to an "A+" on Qualys SSL Labs. Really appreciate the work!

For those that may want to enable HSTS, I added the following to .htaccess at /usr/local/www/apache24/data/nextcloud and restarted apache.

Code:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>
 

Yaguznal

Explorer
Joined
Dec 23, 2013
Messages
63
Code:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>
+1

Ugh, just realized that the free DNS domain name .linkpc.net I use has too many certificates already, and it is not my testing that saturated the requests.
Is there any way I can get a cert for just my subdomain "homecommunity.linkpc.net"?

Duckdns.org apparently has not been blacklisted so I went with them. I used your command, @danb35, and got a certificate pronto. Everything works like it is supposed to. I am quite happy :D

But I can not rest. My group needs to be able to work on office documents together so the next step is collabora. It needs a subdomain with ssl. Got the docker, got ssl but it does not include subdomains.

Enter DNS01. There's a dozen scripts available that will connect to the duckdns api but I am afraid to use it with your concoction as I have no clue about how you implemented letsencrypt. It still very much is a black box for me.
Is there one command, like the simple certificate one you gave me before, that will start ACME in dns mode and refresh every month?

Also I am wondering how acme can refresh every month without appearing in the cron job list.

A fuckload of thankses,

Joris
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
For those that may want to enable HSTS, I added the following to .htaccess at /usr/local/www/apache24/data/nextcloud and restarted apache.
If you'll notice, that directive is already in nextcloud.conf (which gets put in /usr/local/etc/apache24/Includes/${HOST_NAME}.conf), but is commented out. The reason it's commented out is that it can lock you out from accessing your site if something goes wrong with the SSL configuration. But if you're sure that's up and running, including renewal, there's no harm in enabling it.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Also I am wondering how acme can refresh every month without appearing in the cron job list.
When you install acme.sh, it should create a cron job. What do you see if you run crontab -l inside the jail? It should run daily.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yes, there are indeed lots of ways to set up Nextcloud. But this thread is about setting it up in a FreeNAS jail.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Yes, there are indeed lots of ways to set up Nextcloud. But this thread is about setting it up in a FreeNAS jail.
My bad, merely pointing out other options for the not-so-tech-savvy people.
Perhaps you could take some bits of the scripts to incorporate in the automated jail install.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Perhaps you could take some bits of the scripts to incorporate in the automated jail install.
Yeah, as I look at it more, the title of "Nextcloud VM" is really misleading--it's a script to install Nextcloud on a clean copy of Ubuntu Server (which can be running on bare metal, a VM, or whatever). I don't think, in principle, that it's significantly different than my script, though it's more flexible and interactive.
 

bitola1970

Dabbler
Joined
Aug 7, 2016
Messages
14
@danb35 many thanks for the script, excellent work. The script worked with no fuss on FreeNAS-11.2-BETA1. I initially tried to install via the plugin but couldn't get it running. I then found your script and thought I'll give it a try. I had to delete the jail the first time as I didn't do the port forwarding until everything was installed. The second time worked without a glitch. I do get the bad certificate warning when connecting via browser; obviously the self-signed cert is not a trusted one. DDNS is duckdns.org. I just ignore it and proceed to log in. I understand the connection is encrypted, so am I safe to say it's OK? Cheers and many thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
obviously the self-signed cert is not a trusted one
You shouldn't have a self-signed cert if you ran my script, but you probably have a "test" cert. You can issue a trusted cert (which will then renew automatically) by running
Code:
iocage console nextcloud
acme.sh --issue -d ${HOST_NAME} -w /usr/local/www/apache24/data -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"
 

bitola1970

Dabbler
Joined
Aug 7, 2016
Messages
14
You shouldn't have a self-signed cert if you ran my script, but you probably have a "test" cert. You can issue a trusted cert (which will then renew automatically) by running
Code:
iocage console nextcloud
acme.sh --issue -d ${HOST_NAME} -w /usr/local/www/apache24/data -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"

Yes, good point. I forgot to change the test cert. Many thanks again.
 

bitola1970

Dabbler
Joined
Aug 7, 2016
Messages
14
You shouldn't have a self-signed cert if you ran my script, but you probably have a "test" cert. You can issue a trusted cert (which will then renew automatically) by running
Code:
iocage console nextcloud
acme.sh --issue -d ${HOST_NAME} -w /usr/local/www/apache24/data -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"

Tried the above but no change. I get:

[Tue Jul 17 00:06:40 AEST 2018] Domains not changed.
[Tue Jul 17 00:06:40 AEST 2018] Skip, Next renewal time is: Fri Sep 14 11:25:39 UTC 2018
[Tue Jul 17 00:06:40 AEST 2018] Add '--force' to force to renew.
 

bitola1970

Dabbler
Joined
Aug 7, 2016
Messages
14
Tried the above but no change. I get:

[Tue Jul 17 00:06:40 AEST 2018] Domains not changed.
[Tue Jul 17 00:06:40 AEST 2018] Skip, Next renewal time is: Fri Sep 14 11:25:39 UTC 2018
[Tue Jul 17 00:06:40 AEST 2018] Add '--force' to force to renew.

And now all good/green after rebooting my server.
 

snorp

Dabbler
Joined
Jul 10, 2018
Messages
35
Hello and first of all thank you for your effort to make such a great script available to the community!

Unfortunately I did not manage to install nextcloud on my new system. For example, I can't open Nextcloud over the local or over the external IP.

I would be very happy to receive help. I like to send logs that are needed, but I don't know which ones are important.

Many thanks in advance.

Edit: when I enter the local IP I am redirected to the Freenas interface and not to the Nextcloud interface.
 

snorp

Dabbler
Joined
Jul 10, 2018
Messages
35
Wow, that went really fast. I am using FreeNAS-11.1-U2.

Code:
iocage list

+-----+-----------+-------+--------------+--------------+
| JID |   NAME    | STATE |   RELEASE    |     IP4      |
+=====+===========+=======+==============+==============+
| 1   | nextcloud | up    | 11.1-RELEASE | 192.168.0.11 |
+-----+-----------+-------+--------------+--------------+


 