Nextcloud on TrueNAS Scale and the Strict-Transport-Security problem

bluepr0

Dabbler
Joined
Jan 5, 2022
Messages
19
Hi!

I have recently moved my Nextcloud installation from a Docker instance to the TrueNAS Scale official app. As far as I am aware, I am running the latest stable version available (28.0.4 - Chart Version 1.6.59). Along with Nextcloud, I have also enabled memcache with the Redis app (also from the official TrueNAS repository).

My nextcloud configuration looks like this
Code:
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '10.0.1.38', // this is my TrueNAS IP, where Redis is also installed
    'port' => 30036,
    'timeout' => 0.0,
    'password' => 'REDACT',
  ),
  'trusted_proxies' =>
  array (
    0 => '10.0.1.40', //this is the ip of my Nginx proxy manager
  ),
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '10.0.1.38', //TrueNAS server ip
    2 => '10.0.1.40:8080', // Nginx proxy manager
    3 => 'REDACTED.REDACTED.com', // My internet domain
  ),
  'maintenance_window_start' => 1,
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '28.0.4.1',
  'overwrite.cli.url' => 'https://REDACTED.REDACTED.com',
  'overwriteprotocol' => 'https',
  'filesystem_check_changes' => 1,
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud-postgres:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_jonatan',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'instanceid' => 'REDACTED',
  'loglevel' => 2,
  'maintenance' => false,
);


Because this instance is open to the internet, I'm using Cloudflare to proxy the domain. It then redirects to Nginx Proxy Manager, which in turn directs to my local Nextcloud IP.

However, I'm finding a new error that I never experienced before, which is the infamous:
Code:
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.


I'm not entirely sure if this is a TrueNAS thing, Apache, or Nextcloud. In the Nextcloud documentation, it mentions something about the Apache VirtualHost file, which I'm not even able to figure out where it is located in the TrueNAS Nextcloud app.

Any help on how to move forward and fix this would be greatly appreciated. As mentioned, I'm using the latest version of TrueNAS Scale and all official apps from iX Systems.

bluepr0

Dabbler
Joined
Jan 5, 2022
Messages
19
Actually, I just realized it's the last error I'm getting and I would love to fix it.


Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
It can be set anywhere in the chain leading to the client browser connecting to your Nextcloud instance. Web server inside the container, ingress proxy if present, Cloudflare - pick whatever is most convenient.

I have no idea about where to do it on SCALE, because I run all my apps with an external reverse proxy for ingress and Nextcloud specifically not at all but in a jail on CORE, sorry.

bluepr0

Dabbler
Joined
Jan 5, 2022
Messages
19
It can be set anywhere in the chain leading to the client browser connecting to your Nextcloud instance. Web server inside the container, ingress proxy if present, Cloudflare - pick whatever is most convenient.

I have no idea about where to do it on SCALE, because I run all my apps with an external reverse proxy for ingress and Nextcloud specifically not at all but in a jail on CORE, sorry.
Do you mean I can set this up in my Advanced tab in the Nginx proxy manager web panel?

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If an NginX proxy is somewhere in your chain and if the proxy manager can do this - yes. I am not familiar with that manager. I configure NginX by editing config files :wink:

The header must simply be statically added to every reply that goes to the browser or the Nextcloud client. Where exactly it is inserted is irrelevant. I personally prefer to do this as close to the app web engine as possible to keep my proxy setup simple, but if the container in SCALE does not offer that option, just anywhere will be ok.
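Whether the header ends up being added by Apache inside the container, by the Nginx proxy, or by Cloudflare, the Nextcloud admin overview only looks at what the browser actually receives: a Strict-Transport-Security header whose max-age is at least 15552000 seconds. The following is an added example, not code from the thread, Nextcloud or TrueNAS, that parses that header the way RFC 6797 defines it and applies the same threshold, so you can run it against a set of response headers (here constructed inline) to see which settings would clear the warning and which would not.

```python
import re

# Threshold the Nextcloud setup check complains about (15552000 s, about 180 days).
MIN_HSTS_MAX_AGE = 15552000


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    max-age carries an integer number of seconds, and includeSubDomains
    (plus the non-RFC preload token) are bare flags without a value.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        directives[name] = value if value else True
    return directives


def check_hsts(headers: dict) -> tuple:
    """Return (ok, reason) mirroring the Nextcloud admin-overview warning.

    `headers` is a dict of response header name -> value; header names are
    matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return False, "Strict-Transport-Security header is missing"
    directives = parse_hsts(value)
    raw = directives.get("max-age")
    if raw is None or raw is True or not re.fullmatch(r"\d+", raw):
        return False, "max-age directive missing or not an integer"
    max_age = int(raw)
    if max_age < MIN_HSTS_MAX_AGE:
        return False, f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
    suffix = " with includeSubDomains" if "includesubdomains" in directives else ""
    return True, f"max-age={max_age}{suffix}"


# Constructed sample responses (not captured from a real server) covering the
# usual outcomes: no header, a proxy default that is too short, and two passing values.
SAMPLE_RESPONSES = {
    "no proxy header": {"Content-Type": "text/html"},
    "short max-age": {"Strict-Transport-Security": "max-age=300"},
    "nextcloud docs value": {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"},
    "one year + preload": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
}


def report(responses: dict = SAMPLE_RESPONSES) -> dict:
    """Evaluate every sample and return {label: (ok, reason)}."""
    return {label: check_hsts(hdrs) for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, (ok, reason) in report().items():
        print(f"{'OK ' if ok else 'FAIL'} {label}: {reason}")
```

The value the Nextcloud documentation recommends is `max-age=15552000; includeSubDomains`. Two details matter when the proxy is Nginx: `add_header` directives in a `location` block replace, rather than extend, those inherited from the `server` block, and without the `always` parameter the header is only attached to 2xx/3xx responses, so the header can silently disappear on some replies even though it is "configured". The checker above only confirms what a given set of response headers would score; it does not tell you which hop in the chain added them.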

bluepr0

Dabbler
Joined
Jan 5, 2022
Messages
19
Cool! It was actually easier than I thought. There's an option on the SSL tab to enable all this!



I'm officially error-free on Nextcloud now! Yay!