PHP 8.0.x in TrueNas 13.0-U6

[danb35]

The README is your friend:

HTTP Strict Transport Security​

When you log into your Nextcloud instance as administrator, you may see a configuration warning that HSTS is not enabled. This is intentional. HSTS is a useful security measure, but it can also lock you out of your site if certificate renewal isn't working properly. I recommend you let the system obtain its initial trusted cert, and then renewing at least once, before enabling HSTS, to ensure that automatic renewal works as intended. Ordinarily this will take about 60 days. To enable HSTS, follow these steps:

• iocage console nextcloud
• nano /usr/local/www/Caddyfile
• Uncomment (remove the #) from the line that begins with Strict-Transport-Security
• Save the edited file and exit nano.
• service caddy reload

Edit: Actually, this probably isn't relevant to you, since Caddy isn't doing TLS termination for you. You'd instead need to set this on your pfSense box, wherever in the labyrinth of HAProxy settings it would be.

 

[ddaenen1]

i actually read that but forgot about it in my quest to get the access to NC. I assume since my certs are generated through pfSense, i don't have any risk for lockout, right?

 

[danb35]

I assume since my certs are generated through pfSense, i don't have any risk for lockout, right?

Then it's going to be a matter of making sure that process is reliable. I'd still probably wait a couple of months just to be on the safe side (Nextcloud likes to whine about things that don't really matter), but you can enable it now if you like--but again, it'd be on the pfSense box since that's where TLS termination is happening.

 

[ddaenen1]

That would be here:

 

[victort]

EDIT You guys beat me to it...

 

[ddaenen1]

Then it's going to be a matter of making sure that process is reliable. I'd still probably wait a couple of months just to be on the safe side (Nextcloud likes to whine about things that don't really matter), but you can enable it now if you like--but again, it'd be on the pfSense box since that's where TLS termination is happening.

I have one last question on the script though: how is NC updated best? Through NC GUI or through the shell with pkg upgrade?

 

[danb35]

how is NC updated best?

Through the Nextcloud GUI. My script installs it from source rather than from the FreeBSD packages. A periodic pkg update in the jail is probably a good idea, though, for all the other packages.

 

[victort]

Also, if you need to update caddy then caddy upgrade is necessary as that is also built from source by the script.

 

[danb35]

I should probably put some logic in the script to only do that if the user's specified a DNS plugin (in which case it has to be built from source)--I don't recall that there was a particular reason to otherwise. Otherwise there's a FreeBSD package for it that should do the trick.

 

[victort]

I should probably put some logic in the script to only do that if the user's specified a DNS plugin (in which case it has to be built from source)--I don't recall that there was a particular reason to otherwise. Otherwise there's a FreeBSD package for it that should do the trick.

Better to keep it the same IMO. That way the command is always the same to update.

 

[ddaenen1]

I am very pleased that i am now officially "plugin-free"

The lack of support and the cumbersome update process has been bothering me for a long time and now that i use my NC for my business, even more so.

 

[Patrick M. Hausen]

Edit: Actually, this probably isn't relevant to you, since Caddy isn't doing TLS termination for you. You'd instead need to set this on your pfSense box, wherever in the labyrinth of HAProxy settings it would be.

I actually set that in my NginX config for Nextcloud which serves only plain HTTP. I like to keep the Caddy reverse proxy that does all the HTTPS and cert stuff clean and identical for all applications. It's just an HTTP header.

 

[ddaenen1]

If i add the HSTS line to Caddyfile, this is what i get. Not sure what i a; doing wrong but also not a caddy expert:

Code:

root@nextcloudv2:/ # service caddy reload

2024/03/08 17:57:50.795    INFO    using provided configuration    {"config_file": "/usr/local/www/Caddyfile", "config_adapter": "caddyfile"}

2024/03/08 17:57:50.797    WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "/usr/local/www/Caddyfile", "line": 16}

Here is the Caddyfile the way i added the line:

Code:

192.168.1.xxx:80, cloud.xxx.be:80 {
    root * /usr/local/www/nextcloud
    file_server
    log {
        output file /var/log/192.168.1.xxx.log
    }

    php_fastcgi 127.0.0.1:9000 {
        env front_controller_active true
    }

        header {
          enable HSTS
          Strict-Transport-Security max-age=31536000;
        }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # Required for legacy
    @notlegacy {
        path *.php
        not path /index*
        not path /remote*
        not path /public*
        not path /cron*
        not path /core/ajax/update*
        not path /status*
        not path /ocs/v1*
        not path /ocs/v2*
        not path /updater/*
        not path /ocs-provider/*
        not path */richdocumentscode/proxy*
    }
    rewrite @notlegacy /index.php{uri}

    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }

    respond @forbidden 404
}

 

[victort]

If i add the HSTS line to Caddyfile, this is what i get. Not sure what i a; doing wrong but also not a caddy expert:

Code:

root@nextcloudv2:/ # service caddy reload

2024/03/08 17:57:50.795    INFO    using provided configuration    {"config_file": "/usr/local/www/Caddyfile", "config_adapter": "caddyfile"}

2024/03/08 17:57:50.797    WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "/usr/local/www/Caddyfile", "line": 16}

Here is the Caddyfile the way i added the line:

Code:

192.168.1.xxx:80, cloud.xxx.be:80 {
    root * /usr/local/www/nextcloud
    file_server
    log {
        output file /var/log/192.168.1.xxx.log
    }

    php_fastcgi 127.0.0.1:9000 {
        env front_controller_active true
    }

        header {
          enable HSTS
          Strict-Transport-Security max-age=31536000;
        }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # Required for legacy
    @notlegacy {
        path *.php
        not path /index*
        not path /remote*
        not path /public*
        not path /cron*
        not path /core/ajax/update*
        not path /status*
        not path /ocs/v1*
        not path /ocs/v2*
        not path /updater/*
        not path /ocs-provider/*
        not path */richdocumentscode/proxy*
    }
    rewrite @notlegacy /index.php{uri}

    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }

    respond @forbidden 404
}

That’s normal. Just a format warning but the config should still work. Does it?

 

[ddaenen1]

That’s normal. Just a format warning but the config should still work. Does it?

Yes, indeed it does. Wasn't sure i wanted to try it if the Caddyfile wasn't correct. Everything is running fine now. Didn't want to wreck it again