Nextcloud problems / questions

hemertje · 6 January 2023 14:29

Seems there is something wrong with te latest part?

hemertje:

    # Rule borrowed from `.htaccess`
    location /remote {
            return 301 /remote.php$request_uri;
    }

    location / {
            try_files $uri $uri/ /index.php$request_uri;
    }

Joulinar · 6 January 2023 17:07

remove that folowing small location / block

And pls, don’t change anything else inside /etc/nginx/sites-dietpi/dietpi-nextcloud.conf except removing the nextcloud sub folder. On my demo system, following is working. Simply delete the whole content of your file and replace it fully with:

# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample

# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
location /.well-known/webfinger { return 301 /index.php$request_uri; }
location /.well-known/nodeinfo  { return 301 /index.php$request_uri; }

location ^~ / {

	# Omit Nginx version on error response
	server_tokens off;

	# Set max upload size
	client_max_body_size 1048576M;
	fastcgi_buffers 64 4K;

	# Enable gzip but do not remove ETag headers
	gzip on;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	# HTTP response headers borrowed from Nextcloud `.htaccess`
	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	# Remove X-Powered-By, which is an information leak
	fastcgi_hide_header X-Powered-By;

	# Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
	# here as the fallback means that Nginx always exhibits the desired behaviour
	# when a client requests a path that corresponds to a directory that exists
	# on the server. In particular, if that directory contains an index.php file,
	# that file is correctly served; if it doesn't, then the request is passed to
	# the front-end controller. This consistent behaviour means that we don't need
	# to specify custom rules for certain paths (e.g. images and other assets,
	# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
	# `try_files $uri $uri/ /nextcloud/index.php$request_uri`
	# always provides the desired behaviour.
	index index.php index.html /index.php$request_uri;

	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
	location = / {
		if ( $http_user_agent ~ ^DavClnt ) {
			return 302 /remote.php/webdav/$is_args$args;
		}
	}

	# Rules borrowed from `.htaccess` to hide certain paths from clients
	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
	# which handle static assets (as seen below). If this block is not declared first,
	# then Nginx will encounter an infinite rewriting loop when it prepends
	# `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
		set $path_info $fastcgi_path_info;
		try_files $fastcgi_script_name =404;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS $https;
		fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
		fastcgi_param front_controller_active true; # Enable pretty URLs without /index.php/
		fastcgi_pass php;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
		fastcgi_max_temp_file_size 0; # Allow downloads > 1 GiB: https://github.com/nextcloud/documentation/pull/7979
	}

	location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
		try_files $uri /index.php$request_uri;
		expires 6M; # Cache-Control policy borrowed from `.htaccess`
		access_log off; # Optional: Don't log access to assets
	}

	location ~ \.woff2?$ {
		try_files $uri /index.php$request_uri;
		expires 7d; # Cache-Control policy borrowed from `.htaccess`
		access_log off; # Optional: Don't log access to assets
	}

	# Rule borrowed from `.htaccess`
	location /remote {
		return 301 /remote.php$request_uri;
	}

	location / {
		try_files $uri $uri/ /index.php$request_uri;
	}
}

MichaIng · 7 January 2023 03:08

The idea with the dedicated file was so that Nextcloud reinstalls won’t overwrite them. But at least the Cal/CardDAV redirects would conflict anyway without adjusting the original file.

hemertje · 8 January 2023 12:45

Sadly I get this error with your file

root@DietPi:~# nano /etc/nginx/sites-dietpi/dietpi-nextcloud.conf
root@DietPi:~# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See “systemctl status nginx.service” and “journalctl -xe” for details.
root@DietPi:~# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2023-01-08 13:30:18 CET; 1min 20s ago
Docs: man:nginx(8)
Process: 23109 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 33ms

Jan 08 13:30:18 DietPi systemd[1]: Starting A high performance web server and a reverse proxy server…
Jan 08 13:30:18 DietPi nginx[23109]: nginx: [emerg] duplicate location “/” in /etc/nginx/sites-enabled/default:11
Jan 08 13:30:18 DietPi nginx[23109]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Failed with result ‘exit-code’.
Jan 08 13:30:18 DietPi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
root@DietPi:~#

root@DietPi:~# journalctl -xe
Jan 08 13:09:01 DietPi systemd[1]: Starting Clean php session files…
░░ Subject: A start job for unit phpsessionclean.service has begun execution
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit phpsessionclean.service has begun execution.
░░
░░ The job identifier is 7010.
Jan 08 13:09:01 DietPi systemd[1]: phpsessionclean.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit phpsessionclean.service has successfully entered the ‘dead’ state.
Jan 08 13:09:01 DietPi systemd[1]: Finished Clean php session files.
░░ Subject: A start job for unit phpsessionclean.service has finished successfully
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit phpsessionclean.service has finished successfully.
░░
░░ The job identifier is 7010.
Jan 08 13:10:01 DietPi CRON[22713]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Jan 08 13:10:01 DietPi CRON[22714]: (www-data) CMD (php /var/www/nextcloud/cron.php)
Jan 08 13:10:07 DietPi CRON[22713]: pam_unix(cron:session): session closed for user www-data
Jan 08 13:15:01 DietPi CRON[22821]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Jan 08 13:15:01 DietPi CRON[22822]: (www-data) CMD (php /var/www/nextcloud/cron.php)
Jan 08 13:15:09 DietPi CRON[22821]: pam_unix(cron:session): session closed for user www-data
Jan 08 13:17:01 DietPi CRON[22827]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Jan 08 13:17:01 DietPi CRON[22828]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 08 13:17:01 DietPi CRON[22827]: pam_unix(cron:session): session closed for user root
Jan 08 13:20:01 DietPi CRON[22871]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Jan 08 13:20:01 DietPi CRON[22872]: (www-data) CMD (php /var/www/nextcloud/cron.php)
Jan 08 13:20:07 DietPi CRON[22871]: pam_unix(cron:session): session closed for user www-data
Jan 08 13:25:01 DietPi CRON[22979]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Jan 08 13:25:01 DietPi CRON[22980]: (www-data) CMD (php /var/www/nextcloud/cron.php)
Jan 08 13:25:08 DietPi CRON[22979]: pam_unix(cron:session): session closed for user www-data
Jan 08 13:28:52 DietPi dhclient[537]: DHCPREQUEST for 192.168.2.5 on eth0 to 192.168.2.1 port 67
Jan 08 13:28:52 DietPi dhclient[537]: DHCPACK of 192.168.2.5 from 192.168.2.1
Jan 08 13:28:53 DietPi dhclient[537]: bound to 192.168.2.5 – renewal in 1400 seconds.
Jan 08 13:30:01 DietPi CRON[23100]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Jan 08 13:30:01 DietPi CRON[23101]: (www-data) CMD (php /var/www/nextcloud/cron.php)
Jan 08 13:30:12 DietPi CRON[23100]: pam_unix(cron:session): session closed for user www-data
Jan 08 13:30:18 DietPi systemd[1]: Stopping A high performance web server and a reverse proxy server…
░░ Subject: A stop job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A stop job for unit nginx.service has begun execution.
░░
░░ The job identifier is 7068.
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit nginx.service has successfully entered the ‘dead’ state.
Jan 08 13:30:18 DietPi systemd[1]: Stopped A high performance web server and a reverse proxy server.
░░ Subject: A stop job for unit nginx.service has finished
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A stop job for unit nginx.service has finished.
░░
░░ The job identifier is 7068 and the job result is done.
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Consumed 31.117s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit nginx.service completed and consumed the indicated resources.
Jan 08 13:30:18 DietPi systemd[1]: Starting A high performance web server and a reverse proxy server…
░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit nginx.service has begun execution.
░░
░░ The job identifier is 7068.
Jan 08 13:30:18 DietPi nginx[23109]: nginx: [emerg] duplicate location “/” in /etc/nginx/sites-enabled/default:11
Jan 08 13:30:18 DietPi nginx[23109]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ An ExecStartPre= process belonging to unit nginx.service has exited.
░░
░░ The process’ exit code is ‘exited’ and its exit status is 1.
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Failed with result ‘exit-code’.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit nginx.service has entered the ‘failed’ state with result ‘exit-code’.
Jan 08 13:30:18 DietPi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit nginx.service has finished with a failure.
░░
░░ The job identifier is 7068 and the job result is failed.
root@DietPi:~#

hemertje · 8 January 2023 12:46

With the following NC is working

/etc/nginx/sites-dietpi/dietpi-nextcloud.conf

Based on: documentation/admin_manual/installation/nginx-subdir.conf.sample at master · nextcloud/documentation · GitHub

Redirect webfinger and nodeinfo requests to Nextcloud endpoint

location /.well-known/webfinger { return 301 /nextcloud/index.php$request_uri; }
location /.well-known/nodeinfo { return 301 /nextcloud/index.php$request_uri; }

location ^~ /nextcloud {

    # Omit Nginx version on error response
    server_tokens off;

    # Set max upload size
    client_max_body_size 1048576M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml app>

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /nextcloud/index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /nextcloud/index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = /nextcloud {
            if ( $http_user_agent ~ ^DavClnt ) {
                    return 302 /nextcloud/remote.php/webdav/$is_args$args;
            }
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends
    # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS $https;
            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty URLs without /index.php/
            fastcgi_pass php;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
            fastcgi_max_temp_file_size 0; # Allow downloads > 1 GiB: https://github.com/nextcloud/documentation/pull/7979
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
            try_files $uri /nextcloud/index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /nextcloud/remote {
            return 301 /nextcloud/remote.php$request_uri;
    }

    location /nextcloud {
            try_files $uri $uri/ /nextcloud/index.php$request_uri;
    }

}

But having these warnings

There are some warnings regarding your setup.

Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the documentation .

Your web server is not properly set up to resolve “/.well-known/nodeinfo”. Further information can be found in the documentation .

Joulinar · 8 January 2023 13:02

You did not remove the default location block from default configuration file as I stated above. Therefore you have a duplicate root directory configured.

hemertje · 8 January 2023 13:20

Strange, probably forgot to save the file after editing
Edited default , saved it, edited the config file with your version , restart NC

we are getting there

There are some warnings regarding your setup.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips .

hemertje · 8 January 2023 13:34

‘default’ contains

add_header Strict-Transport-Security “max-age=31536000” always; # managed by Certbot

and is missing the 'includeSubDomains" 'option

‘config’ contains

#add_header Strict-Transport-Security “max-age=15768000; includeSubDomains” always;

hemertje · 8 January 2023 16:13

Brute-force protection

hemertje:

Cloud and Backup Systems Software Options - DietPi.com Docs

You can configure Nextcloud via CLI from command line.
To simplify this, DietPi has added a shortcut to the otherwise necessary

sudo -u www-data php /var/www/nextcloud/occ

Simply run ncc from your console:

ncc list

root@DietPi:~# sudo -u www-data php /var/www/nextcloud/occ
Nextcloud 25.0.2

Usage:
  command [options] [arguments]

Options:
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
      --no-warnings     Skip global warnings, show command output only
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
  check                                  check dependencies of the server environment
  help                                   Display help for a command
  list                                   List commands
  status                                 show some status information
  upgrade                                run upgrade routines after installation of a new release. The release has to be installed before.
 activity
  activity:send-mails                    Sends the activity notification mails
 app
  app:disable                            disable an app
  app:enable                             enable an app
  app:getpath                            Get an absolute path to the app directory
  app:install                            install an app
  app:list                               List all available apps
  app:remove                             remove an app
  app:update                             update an app or all apps
 background
  background:ajax                        Use ajax to run background jobs
  background:cron                        Use cron to run background jobs
  background:webcron                     Use webcron to run background jobs
 background-job
  background-job:execute                 Execute a single background job manually
  background-job:list                    List background jobs
 broadcast
  broadcast:test                         test the SSE broadcaster
 circles
  circles:check                          Checking your configuration
  circles:maintenance                    Clean stuff, keeps the app running
  circles:manage:config                  edit config/type of a Circle
  circles:manage:create                  create a new circle
  circles:manage:destroy                 destroy a circle by its ID
  circles:manage:details                 get details about a circle by its ID
  circles:manage:edit                    edit displayName or description of a Circle
  circles:manage:join                    emulate a user joining a Circle
  circles:manage:leave                   simulate a user joining a Circle
  circles:manage:list                    listing current circles
  circles:manage:setting                 edit setting for a Circle
  circles:members:add                    Add a member to a Circle
  circles:members:details                get details about a member by its ID
  circles:members:level                  Change the level of a member from a Circle
  circles:members:list                   listing Members from a Circle
  circles:members:remove                 remove a member from a circle
  circles:members:search                 Change the level of a member from a Circle
  circles:memberships                    index and display memberships for local and federated users
  circles:remote                         remote features
  circles:shares:files                   listing shares files
  circles:sync                           Sync Circles and Members
  circles:test                           testing some features
 config
  config:app:delete                      Delete an app config value
  config:app:get                         Get an app config value
  config:app:set                         Set an app config value
  config:import                          Import a list of configs
  config:list                            List all configs
  config:system:delete                   Delete a system config value
  config:system:get                      Get a system config value
  config:system:set                      Set a system config value
 dav
  dav:create-addressbook                 Create a dav addressbook
  dav:create-calendar                    Create a dav calendar
  dav:delete-calendar                    Delete a dav calendar
  dav:list-calendars                     List all calendars of a user
  dav:move-calendar                      Move a calendar from an user to another
  dav:remove-invalid-shares              Remove invalid dav shares
  dav:retention:clean-up
  dav:send-event-reminders               Sends event reminders
  dav:sync-birthday-calendar             Synchronizes the birthday calendar
  dav:sync-system-addressbook            Synchronizes users to the system addressbook
 db
  db:add-missing-columns                 Add missing optional columns to the database tables
  db:add-missing-indices                 Add missing indices to the database tables
  db:add-missing-primary-keys            Add missing primary keys to the database tables
  db:convert-filecache-bigint            Convert the ID columns of the filecache to BigInt
  db:convert-mysql-charset               Convert charset of MySQL/MariaDB to use utf8mb4
  db:convert-type                        Convert the Nextcloud database to the newly configured one
 encryption
  encryption:change-key-storage-root     Change key storage root
  encryption:decrypt-all                 Disable server-side encryption and decrypt all files
  encryption:disable                     Disable encryption
  encryption:enable                      Enable encryption
  encryption:encrypt-all                 Encrypt all files for all users
  encryption:list-modules                List all available encryption modules
  encryption:migrate-key-storage-format  Migrate the format of the keystorage to a newer format
  encryption:set-default-module          Set the encryption default module
  encryption:show-key-storage-root       Show current key storage root
  encryption:status                      Lists the current status of encryption
 federation
  federation:sync-addressbooks           Synchronizes addressbooks of all federated clouds
 files
  files:cleanup                          cleanup filecache
  files:recommendations:recommend
  files:repair-tree                      Try and repair malformed filesystem tree structures
  files:scan                             rescan filesystem
  files:scan-app-data                    rescan the AppData folder
  files:transfer-ownership               All files and folders are moved to another user - outgoing shares and incoming user file shares (optionally) are moved as well.
 group
  group:add                              Add a group
  group:adduser                          add a user to a group
  group:delete                           Remove a group
  group:info                             Show information about a group
  group:list                             list configured groups
  group:removeuser                       remove a user from a group
 integrity
  integrity:check-app                    Check integrity of an app using a signature.
  integrity:check-core                   Check integrity of core code using a signature.
  integrity:sign-app                     Signs an app using a private key.
  integrity:sign-core                    Sign core using a private key.
 l10n
  l10n:createjs                          Create javascript translation files for a given app
 log
  log:file                               manipulate logging backend
  log:manage                             manage logging configuration
  log:tail                               Tail the nextcloud logfile
  log:watch                              Watch the nextcloud logfile
 maintenance
  maintenance:data-fingerprint           update the systems data-fingerprint after a backup is restored
  maintenance:mimetype:update-db         Update database mimetypes and update filecache
  maintenance:mimetype:update-js         Update mimetypelist.js
  maintenance:mode                       set maintenance mode
  maintenance:repair                     repair this installation
  maintenance:repair-share-owner         repair invalid share-owner entries in the database
  maintenance:theme:update               Apply custom theme changes
  maintenance:update:htaccess            Updates the .htaccess file
 notification
  notification:generate                  Generate a notification for the given user
  notification:test-push                 Generate a notification for the given user
 preview
  preview:repair                         distributes the existing previews into subfolders
  preview:reset-rendered-texts           Deletes all generated avatars and previews of text and md files
 recognize
  recognize:classify                     Classify all files with the current settings in one go (will likely take a long time)
  recognize:cleanup-tags                 Delete all tags that have no files associated with them anymore
  recognize:download-models              Download the necessary machine learning models
  recognize:recrawl                      Go through all files again
  recognize:remove-legacy-tags           Remove tags set by old recognize versions
  recognize:reset-faces                  Remove all face detections from previously classified files
  recognize:reset-tags                   Remove all tags from previously classified files
 security
  security:bruteforce:reset              resets bruteforce attemps for given IP address
  security:certificates                  list trusted certificates
  security:certificates:import           import trusted certificate in PEM format
  security:certificates:remove           remove trusted certificate
 serverinfo
  serverinfo:update-storage-statistics   Triggers an update of the counts related to storages used in serverinfo
 sharing
  sharing:cleanup-remote-storages        Cleanup shared storage entries that have no matching entry in the shares_external table
  sharing:expiration-notification        Notify share initiators when a share will expire the next day.
 support
  support:report                         Generate a system report
 tag
  tag:add                                Add new tag
  tag:delete                             delete a tag
  tag:edit                               edit tag attributes
  tag:list                               list tags
 text
  text:reset                             Reset a text document
 theming
  theming:config                         Set theming app config values
 trashbin
  trashbin:cleanup                       Remove deleted files
  trashbin:expire                        Expires the users trashbin
  trashbin:restore                       Restore all deleted files
  trashbin:size                          Configure the target trashbin size
 twofactorauth
  twofactorauth:cleanup                  Clean up the two-factor user-provider association of an uninstalled/removed provider
  twofactorauth:disable                  Disable two-factor authentication for a user
  twofactorauth:enable                   Enable two-factor authentication for a user
  twofactorauth:enforce                  Enabled/disable enforced two-factor authentication
  twofactorauth:state                    Get the two-factor authentication (2FA) state of a user
 update
  update:check                           Check for server and app updates
 user
  user:add                               adds a user
  user:add-app-password                  Add app password for the named user
  user:delete                            deletes the specified user
  user:disable                           disables the specified user
  user:enable                            enables the specified user
  user:info                              show user info
  user:lastseen                          shows when the user was logged in last time
  user:list                              list configured users
  user:report                            shows how many users have access
  user:resetpassword                     Resets the password of the named user
  user:setting                           Read and modify user settings
 versions
  versions:cleanup                       Delete versions
  versions:expire                        Expires the users file versions
 workflows
  workflows:list                         Lists configured workflows
root@DietPi:~# ncc
-bash: ncc: command not found
root@DietPi:~# ncc list
-bash: ncc: command not found
root@DietPi:~#

The information on the DietPi website can be updated

The separate app “Brute-force settings” is no longer needed with Nextcloud 25, because it’s already included. The “Brute-force IP Whitelist settings” can be found under “Administration Settings” → “Security”.

lhttps://help.nextcloud.com/t/nextcloud-25-0-1-is-there-bruteforce-app-is-not-compatible/149693

App is now released alongside with Nextcloud core, thus this page is deprecated.

hemertje · 9 January 2023 19:11

any idea how to fix this as it is enabled in the ‘default’ file?

hemertje · 9 January 2023 19:12

can the DietPi Wiki be updated with the above info?

Jappe · 9 January 2023 20:56

Just remove the # and it will be overwrite the default config.

hemertje · 10 January 2023 19:47

So the ‘default’ and the ‘config’ files do not work together?
Which has priority for the options?

Joulinar · 10 January 2023 20:03

just to avoid a misunderstanding. What config file you mean exactly

hemertje · 11 January 2023 18:14

the one we are editing for two weeks allready

/etc/nginx/sites-available/default

and

nano /etc/nginx/sites-dietpi/dietpi-nextcloud.conf

Jappe · 11 January 2023 18:47

I think he means /etc/nginx/sites-available/default as default and /etc/nginx/sites-dietpi/dietpi-nextcloud.conf as config.
And in the nextcloud.conf the line is commented?!

#add_header Strict-Transport-Security “max-age=15768000; includeSubDomain

hemertje · 11 January 2023 19:43

the file

/etc/nginx/sites-available/default

contains

add_header Strict-Transport-Security “max-age=31536000” always; # managed by Certbot

and is missing the 'includeSubDomains" 'option

the file

/etc/nginx/sites-dietpi/dietpi-nextcloud.conf

contains

#add_header Strict-Transport-Security “max-age=15768000; includeSubDomains” always;

and disabled

so “max-age=31536000” is set ON and enabled inside ‘default’

still I get the warning:

There are some warnings regarding your setup.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips

Why is > add_header Strict-Transport-Security “max-age=31536000” always; # managed by Certbot
in ‘default’ not recognized and used?

Joulinar · 11 January 2023 20:44

I’m lost in your configuration files. Not sure what you do. I did again a test install and for me values correctly set inside dietpi-nextcloud.conf. The value is not commented by a #

root@DietPiR5S:~# cat /etc/nginx/sites-dietpi/dietpi-nextcloud.conf | grep Strict-Transport-Security
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
root@DietPiR5S:~#

As well, the setting is clearly done by our tool dietpi-letsencrypt at the end of creating certificates.

...
[  OK  ] DietPi-LetsEncrypt | Comment in /etc/nginx/sites-dietpi/dietpi-nextcloud.conf converted to setting:    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
[  OK  ] DietPi-LetsEncrypt | systemctl restart nginx

Means, I don’t have these warnings. All looking correct inside NC.

Jappe · 11 January 2023 20:54

I think he used this https://dietpi.com/forum/t/nextcloud-problems-questions/15415/82?u=jappe as template, where the HSTS line is commented out.

Because in your nextcloud-conf you have a locationsection which handles all the configs for your /nextcloud, while the default config handles everything else, whch should be nothing in your case?
Maybe you run certbot before you set up the subdomain and changed the webroot? So certbot added the line to the default config? Just a guess.

Joulinar · 11 January 2023 20:59

Doesn’t matter, on a default system it is working correctly. As the topic is 2 weeks old now, thinks might have mixed. He should simply remove the # manually inside dietpi-nextcloud.conf. Done.