When we have completed the installation wizard, we must go to https://nextcloud.example.com/settings/admin to see the security and setup warnings.

Headers

Most of the warnings are related to the headers, so create a new file just for those:

/etc/nginx/conf.d/nextcloud-example-com/headers:
------------------------------------------------
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

Then include it in the server block and again in the CSS and JavaScript location block:

# HTTPS
server {
    ...

    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Add headers to serve security related headers
    include conf.d/nextcloud-example-com/headers;

    # Logs
    include conf.d/nextcloud-example-com/logs;

    ...

    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";

        # Add headers to serve security related headers
        include conf.d/nextcloud-example-com/headers;

        # Optional: Don't log access to assets
        access_log off;
    }

    ...
}

Restart nginx:

_$: sudo systemctl restart nginx.service
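
The include has to be repeated in the CSS and JavaScript location because, by default, nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so the Cache-Control line there would otherwise drop every security header for those files. The checker below is an added example, not part of the original guide or of Nextcloud; it runs on a constructed copy of the server block, and the names audit, parse, INCLUDES and SAMPLE are assumptions of this example.

```python
import re

# Header names set by the page's headers file; values in INCLUDES are constructed stand-ins.
REQUIRED = set("Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection "
               "X-Robots-Tag X-Download-Options X-Permitted-Cross-Domain-Policies".split())
INCLUDES = {"conf.d/nextcloud-example-com/headers":
            "".join(f'add_header {h} "constructed";\n' for h in REQUIRED)}
# Constructed sample: the page's server block with the include left out of the asset location.
SAMPLE = r'''
server {
    include conf.d/nextcloud-example-com/headers;
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
    }
    location / { try_files $uri /index.php$uri$is_args$args; }
}
'''
TOKEN = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+""")

def parse(toks, name):
    """Return (name, header names added directly in this block, child blocks)."""
    own, kids, stmt = set(), [], []
    for t in toks:
        if t == "}":
            break
        if t == "{":  # tokens collected so far name the new block
            kids.append(parse(toks, " ".join(stmt)))
        elif t != ";":
            stmt.append(t)
            continue
        elif stmt[:1] == ["add_header"] and len(stmt) > 1:
            own.add(stmt[1].strip("\"'"))
        stmt = []
    return name, own, kids

def audit(config):
    """Map each server/location block to the required headers it would not send."""
    # Inline the include files we know about; other include lines are left alone.
    config = re.sub(r"^[ \t]*include\s+(\S+);", lambda m: INCLUDES.get(m[1], m[0]), config, flags=re.M)
    toks = (t for t in TOKEN.findall(config) if not t.startswith("#"))
    findings = {}
    def check(name, own, kids, inherited):
        effective = own or inherited  # any add_header at this level drops inherited ones
        if name.startswith(("server", "location")) and REQUIRED - effective:
            findings[name] = sorted(REQUIRED - effective)
        for kid in kids:
            check(*kid, effective)
    check(*parse(toks, "main"), set())
    return findings
```

Calling audit(SAMPLE) reports the asset location as missing all seven headers; on a real host, load the text of each included file into INCLUDES before auditing the server block.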

php-fpm

Another warning is related to php-fpm not reading environment variables. Let’s fix that too by uncommenting the environment variables:

/etc/php/7.4/fpm/pool.d/www.conf:
---------------------------------
...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Restart php-fpm:

_$: systemctl restart php7.4-fpm.service

Integrity checks

If your .user.ini and your .htaccess are shown as having integrity problems, first make sure that they were copied to the /var/www/nextcloud directory. If they were, but you are still having trouble with the integrity check, redownload the Nextcloud zip and overwrite the previous ones.