Nextcloud Security & setup warnings

My first response to seeing an unfamiliar error is to google the error and find a good fix, so I wanted to pay back some of the many blogs that I have used to find fixes to my own issues by documenting the errors and fixes that I did.

So this won't be a long or deep post and instead is a set of notes on errors and issues I ran into with Nextcloud and the fixes that I did. These all came from the Security & setup warnings checks.

PHP configuration option output_buffering must be disabled

PHP configuration option output_buffering must be disabled

Best resource : NextCloud Docs

Fix : For this we need to disable Output buffering.

But in both the .user.ini and .htaccess this was set to output_buffering = 0

Looking in /etc/php/7.4/apache2/php.ini I can see that this is set to 4096

I changed this to output_buffering = off based on the comments in the config file.

After a quick apache restart the error cleared.

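One useful tip I found was to create an info.php in your root www folder with the following

    <?php
    // Temporary diagnostic page: shows the loaded php.ini path and every effective setting.
    // Delete it after checking, since it exposes the full PHP configuration to anyone who loads it.
    phpinfo();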

Then when I load this page I get the PHP config and can check the current value and find the php.ini file.

Strict-Transport-Security

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

Best Resource : Nextcloud Docs

Fix : This one is just as simple as the docs say. I added the following to my virtual hosts file in /etc/apache2/sites-enabled/000-default-le-ssl.conf

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

But I did also need to install mod_headers using a2enmod headers, and after the normal Apache restart (systemctl restart apache2) we are all good.
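To confirm the header after the restart, the following added example (not from the original post and not Nextcloud's own check) parses raw response headers and applies the 15552000-second threshold from the warning. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check response headers for the HSTS value the warning expects.
# Feed raw headers on stdin, e.g. the output of `curl -sI` against your own site.

MIN_AGE=15552000   # threshold quoted in the Nextcloud warning

# Print max-age from the FIRST Strict-Transport-Security header (nothing if absent).
# Header and directive names are case-insensitive; the value may be quoted.
hsts_max_age() {
  awk '
    { sub(/\r$/, "") }                      # strip the CR of CRLF line endings
    tolower($0) ~ /^strict-transport-security:/ {
      line = tolower($0); sub(/^[^:]*:/, "", line)
      n = split(line, parts, ";")
      for (i = 1; i <= n; i++) {
        d = parts[i]; gsub(/[ \t"]/, "", d)
        if (d ~ /^max-age=[0-9]+$/) { sub(/^max-age=/, "", d); print d; exit }
      }
      exit                                  # first header had no valid max-age
    }'
}

# Read headers on stdin, print a verdict, return 0 only if the threshold is met.
hsts_check() {
  age=$(hsts_max_age)
  if [ -z "$age" ]; then
    echo "FAIL: no usable Strict-Transport-Security header"; return 1
  fi
  if [ "$age" -lt "$MIN_AGE" ]; then
    echo "FAIL: max-age=$age is below $MIN_AGE"; return 1
  fi
  echo "OK: max-age=$age"
}

# Constructed sample responses (not captured from a real server).
sample_good()    { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n'; }
sample_short()   { printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=3600\r\n\r\n'; }
sample_quoted()  { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains; Max-Age="31536000"\r\n\r\n'; }
sample_missing() { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'; }

for s in sample_good sample_short sample_quoted sample_missing; do
  printf '%-15s ' "$s"; "$s" | hsts_check || true
done
```

A missing header on the HTTPS virtual host usually means mod_headers is not enabled, which is the case the `<IfModule mod_headers.c>` wrapper silently hides.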

The database is missing some indexes

  • The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running "occ db:add-missing-indices" those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.
  • Missing index "cards_abiduri" in table "oc_cards".

Fix : This error is extremely helpful and as expected after running the following command the error cleared.

    sudo -u www-data ./occ db:add-missing-indices

occ is located in your webroot, and for some odd reason I needed to set the execute bit (chmod +x occ).

The database is missing some primary keys

  • The database is missing some primary keys. Due to the fact that adding primary keys on big tables could take some time they were not added automatically. By running "occ db:add-missing-primary-keys" those missing primary keys could be added manually while the instance keeps running.
  • Missing primary key on table "oc_federated_reshares".
  • Missing primary key on table "oc_systemtag_object_mapping".
  • Missing primary key on table "oc_comments_read_markers".
  • Missing primary key on table "oc_collres_resources".
  • Missing primary key on table "oc_collres_accesscache".
  • Missing primary key on table "oc_filecache_extended".

Best Resource : The Error message

Fix : Just like the last one, the Nextcloud devs gave the fix right away in the error message.

    sudo -u www-data ./occ db:add-missing-primary-keys

Some columns in the database are missing a conversion to big int

Error

  • Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running 'occ db:convert-filecache-bigint' those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read the documentation page about this.
  • federated_reshares.share_id
  • filecache_extended.fileid
  • share_external.id
  • share_external.parent

Best Resource : The Error Message.

Fix : Another easy one: the sudo -u www-data ./occ db:convert-filecache-bigint command works right away.

Your web server is not properly set up to resolve

  • Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
  • Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

Best Resource : Nextcloud forum

Fix : The fixes in the referenced docs did not work for me, though that may be due more to my limitations with Apache mod_rewrite than to any issues with the docs.

What I ended up doing is adding the redirects in my Apache config

    Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
    Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
