Warnings in the Nextcloud configuration

Hello, I’m trying to solve these errors in Nextcloud and have not been successful (Raspberry Pi 4, 4 GB). My web server is Nginx with Nextcloud in a subfolder. I would like some help from the forum.

There are some warnings in the configuration.

Your web server is not properly configured to resolve "/.well-known/webfinger". More information can be found in the documentation.
Your web server is not properly configured to resolve "/.well-known/nodeinfo". More information can be found in the documentation.
Your web server is not properly configured to resolve "/.well-known/caldav". More information can be found in the documentation.
Your web server is not properly configured to resolve "/.well-known/carddav". More information can be found in the documentation.
The PHP module "imagick" is not enabled, although the theming application is. For favicon generation to work correctly, you need to install and enable this module.
PHP modules "gmp" and/or "bcmath" are not enabled. If you use WebAuthn passwordless authentication, these modules are required.

If I’m not mistaken, some of the messages could be ignored.

@MichaIng could you have a check

At least I ignore the last two messages on my system. Imagick is deprecated I think, and I don’t use passwordless WebAuthn, so I don’t need gmp / bcmath. If OP also doesn’t use this, he can ignore them as well.

The first messages are more important, but I wonder if OP installed nextcloud via dietpi-software or not. Normally the nginx config should include this.
config files when using nginx and nextcloud is in a subfolder of the webroot

I installed nextcloud and nginx using dietpi-software

Interesting.
Indeed, then @MichaIng should have a look.

The imagick module is not required, and is even seen as a possible security issue. A matter of discussion on GitHub, but many, including us and some official Nextcloud appliances, chose not to ship it.

The other two modules are explained: If you don’t use WebAuthn, you don’t need them, as Jappe mentioned.

The first four warnings however should not appear. Can you show the output of:

cat /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf
grep -E 'webfinger|nodeinfo' /etc/nginx/sites-dietpi/dietpi-nextcloud.conf
curl -IL 127.0.0.1/.well-known/caldav
curl -IL 127.0.0.1/.well-known/nodeinfo

cat /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf
grep -E 'webfinger|nodeinfo' /etc/nginx/sites-dietpi/dietpi-nextcloud.conf
curl -IL 127.0.0.1/.well-known/caldav
curl -IL 127.0.0.1/.well-known/nodeinfo
cat: /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf: No such file or directory
grep: /etc/nginx/sites-dietpi/dietpi-nextcloud.conf: No such file or directory
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 19 Nov 2022 03:53:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 19 Nov 2022 03:53:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive

That’s strange, we create the file explicitly during install.

https://github.com/MichaIng/DietPi/blob/63216e53d97a21de635f81582cf66b682f09102a/dietpi/dietpi-software#L4615-L4620

The following should create the file:

echo '# Redirect Cal/CardDAV requests to Nextcloud endpoint:
location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }' > /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf

Please also show:

ls -l /etc/nginx/sites-dietpi
grep '\[85\]' /boot/dietpi/.installed
dpkg -l | grep nginx

I inserted the code from @Joulinar before placing yours, @MichaIng.

Two errors disappeared; still need to solve:
"/.well-known/webfinger"
"/.well-known/nodeinfo"

ls -l /etc/nginx/sites-dietpi
grep '\[85\]' /boot/dietpi/.installed
dpkg -l | grep nginx
total 24
-rw-r--r-- 1 root root  580 Oct 10 21:34 Sonarr.conf
-rw-r--r-- 1 root root 1054 Oct 10 22:38 Tautuuli.conf
-rw-r--r-- 1 root root  205 Nov 19 08:56 dietpi-dav_redirect.conf
-rw-r--r-- 1 root root  880 Jul 16 00:12 jellyfin.conf
-rw-r--r-- 1 root root  382 Apr 15  2022 ombi.conf
-rw-r--r-- 1 root root 1558 Oct 16 21:11 qbt.conf
aSOFTWARE_INSTALL_STATE[85]=2
ii  libnginx-mod-http-echo                                      1.18.0-6.1+deb11u3               arm64        Bring echo and more shell style goodies to Nginx
ii  nginx-common                                                1.18.0-6.1+deb11u3               all          small, powerful, scalable web/proxy server - common files
ii  nginx-light                                                 1.18.0-6.1+deb11u3               arm64        nginx web/proxy server (basic version)
ii  python3-certbot-nginx                                       1.10.1-1                         all          Nginx plugin for Certbot

Your web server is not properly configured to resolve "/.well-known/webfinger". More information can be found in the documentation.
Your web server is not properly configured to resolve "/.well-known/nodeinfo". More information can be found in the documentation.
The PHP module "imagick" is not enabled, although the theming application is. For favicon generation to work correctly, you need to install and enable this module.
PHP modules "gmp" and/or "bcmath" are not enabled. If you use WebAuthn passwordless authentication, these modules are required.

Please reinstall Nextcloud, and keep the console output somewhere. If it still does not work, post the whole console output of the process here. The Nginx Nextcloud configs were completely missing, so the install failed at some point last time, or written files got lost:

dietpi-software reinstall 114

This error appeared now.
My HSTS is activated; I tried to install again using dietpi-letsencrypt and even so the warning does not disappear.

The other warnings disappeared with the reinstallation of Nextcloud.

HTTP header "Strict-Transport-Security" is not set to at least "15552000" seconds. For added security, it is recommended to enable HSTS as described in security tips.

1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Enhancement Strict-Transport-Security was already set.
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default

I’m not sure where the Nginx module of Certbot stores the HSTS settings. Can you show the output of:

grep -ri 'Strict-Transport-Security' /etc/nginx

It would be great if we could finish one issue first before introducing another one, as it could lead to confusion for others reading the post.

I think the other warnings got resolved now, didn’t they?

Yes, only this HSTS warning remains.

@Joulinar excuse me.

grep -ri 'Strict-Transport-Security' /etc/nginx
/etc/nginx/sites-available/default:    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

The directive looks good: a 1-year lifetime instead of the minimum required half year. Let’s see whether it is returned as expected:

curl -IL https://your.domain/
curl -IL https://your.domain/nextcloud/

Mask your domain name for privacy reasons :wink:.

curl -IL https://your.domain/
curl -IL https://your.domain/nextcloud/
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Nov 2022 14:38:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 612
Last-Modified: Fri, 15 Apr 2022 21:33:34 GMT
Connection: keep-alive
ETag: "6259e4ae-264"
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 19 Nov 2022 14:38:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: oc_sessionPassphrase=yaxG4hzHzr0PCPDSkjrDj4Ir90m%2BYI8LBcn3PsSj8Kj7pNBYPhDyMJZo84TrSn%2FSQgRGw4VCQO1BytjykhJlwBJERPjvJ6x%2F%2BgAscdMwY0A8aM2F2Iv%2BEt5rAdOK1OJY; path=/nextcloud; secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-SFJNeHg2VlB1VFU5K29lcXM3bmlOOVpyd1pYVmpBYlkwVDBSZzBQaWx2bz06Y1hSamhzZ2Z3WFJsemFpWis5cUlSYkVUdU1hZjlsNzM2VmRjeXhEVTJjMD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocpz43zbdqc8=g1k1ulcrf4mdplo2gf47lt3kei; path=/nextcloud; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://your.domain/nextcloud/login
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Nov 2022 14:38:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 13355
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: oc_sessionPassphrase=dl07UtmB5I2ML4MWAdniRvhT61gG09H5Pj1U03qnk%2FxBDSZJ4dePXvHO8%2Fock4bu8aZgKNcWKZbMDaBi7fI9%2Bdd85LaLEFJj3Yj1Bz6rj2TlrWcNwjD09GW3jcKVq8lE; path=/nextcloud; secure; HttpOnly; SameSite=Lax
Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocpz43zbdqc8=57rvbj427n49or6n7rgkksvl1h; path=/nextcloud; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
X-Request-Id: KxtkqeWo1wkQQzqi0XL9
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';form-action 'self'
Feature-Policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'
X-Robots-Tag: none
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block

Ah I think I know the issue. Can you show:

cat /etc/nginx/sites-available/default

EDIT: From Nginx docs:

There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level.

So we need to add the header to the Nextcloud config explicitly. This is what I don’t like about Nginx. Not intuitive, leads to many duplicate directives, and this does not apply to headers only (but not to everything either, which is inconsistent) but to other directives as well, making it difficult to find reasons/issues at times, at least for me.

Solved with: v8.11 · MichaIng/DietPi@99eca3a · GitHub
In your case:

G_CONFIG_INJECT 'add_header[[:blank:]]+Strict-Transport-Security[[:blank:]]' '	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;' /etc/nginx/sites-dietpi/dietpi-nextcloud.conf '^[[:blank:]]*add_header[[:blank:]]'
systemctl restart nginx
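To make the inheritance rule quoted from the Nginx docs concrete, here is an added Python model (not DietPi, Nginx or Nextcloud code) of how add_header resolves across server and location levels, together with the max-age check behind Nextcloud's HSTS warning. The header lists are constructed from this thread as an assumption; they are not read from the real config files.

```python
import re

# Minimum max-age Nextcloud's setup check demands (quoted in the warning above).
MIN_HSTS_SECONDS = 15552000


def effective_headers(levels):
    """Resolve add_header the way Nginx does. levels: add_header lists from
    outermost (server) to innermost (location), each a list of (name, value).
    A level inherits the parent's headers only if it defines no add_header of
    its own, so the innermost level that defines any header replaces the rest."""
    effective = []
    for headers in levels:
        if headers:
            effective = list(headers)
    return effective


def hsts_max_age(headers):
    """max-age from a Strict-Transport-Security header, or None if absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def hsts_ok(headers):
    """True if HSTS is present with at least the minimum Nextcloud requires."""
    age = hsts_max_age(headers)
    return age is not None and age >= MIN_HSTS_SECONDS


# Constructed reproduction of the thread: Certbot put HSTS in the server block,
# while the Nextcloud location block defines its own add_header directives.
SERVER_LEVEL = [("Strict-Transport-Security", "max-age=31536000")]
NEXTCLOUD_LOCATION = [
    ("Referrer-Policy", "no-referrer"),
    ("X-Content-Type-Options", "nosniff"),
]
# The fix from the last post: repeat HSTS inside the Nextcloud location.
FIXED_LOCATION = NEXTCLOUD_LOCATION + [
    ("Strict-Transport-Security", "max-age=15768000; includeSubDomains"),
]

if __name__ == "__main__":
    print("/          :", hsts_ok(effective_headers([SERVER_LEVEL])))
    print("/nextcloud/:", hsts_ok(effective_headers([SERVER_LEVEL, NEXTCLOUD_LOCATION])))
    print("after fix  :", hsts_ok(effective_headers([SERVER_LEVEL, FIXED_LOCATION])))
```

The middle case reproduces the curl output above: the root path carries HSTS while /nextcloud/ loses it, because the location's own add_header lines stop the server-level header from being inherited.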