nextcloud / helm

A community maintained helm chart for deploying Nextcloud on Kubernetes.
GNU Affero General Public License v3.0

Error: Accessing site insecurely via HTTP | Config Question #589

Closed vodanet closed 4 months ago

vodanet commented 4 months ago

nextcloud helm chart: nextcloud-5.2.0
Kubernetes: RKE2

Hello,

I have an RKE2 cluster and the Helm Chart installed. I use NGINX ingress controller (rke2).

nextcloud.domain.de can be accessed via https with a valid Let'sEncrypt certificate.

This is my values.yaml for Ingress:

...
```yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 4G
    kubernetes.io/tls-acme: "false"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Keep this in sync with the README.md:
    nginx.ingress.kubernetes.io/server-snippet: |-
      server_tokens off;
      proxy_hide_header X-Powered-By;
      rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
      rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
      location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
        deny all;
      }
  tls:
    - secretName: fullchain1
      hosts:
        - nextcloud.{{domain}}
  labels: {}
  path: /
  pathType: Prefix
```

This is my config.php:

```php
<?php
$CONFIG = array (
  'force_language' => 'en',
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => 'lrdBJbBcp0Pqn2XbQ6Ry6RT7+0UqEP',
  'secret' => 'ViA/SQg9AUXrNZ9uWjOz45V2dJ9/yalLDj/GXkarjaoVrTVK',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.domain.de',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'sqlite3',
  'version' => '29.0.3.4',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'installed' => true,
  'instanceid' => 'ocot1fydyq7p',
);
```

In the admin area I see (among other things) these two red errors:

- "The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. For more details see the documentation."
- "Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead. Without it some important web functionality like "copy to clipboard" or "service workers" will not work! For more details see the documentation."

I had:

```php
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.domain.de',
  ),
```

The IP of the ingress controller has already been added, without any change.

What else do I need to adjust?

Many thanks for the help! Daniel

vodanet commented 4 months ago

I found a solution. Thanks

jessebot commented 4 months ago

Please post your solution so others can learn :)

blakjak44 commented 3 months ago

Ran into the same issue and figured I'd post my solution here. Note that I'm running bare metal with MetalLB configured for BGP and Ingress-NGINX.

I made several changes so I can't say specifically if all were required, but they were as follows:

1. Solution to "The reverse proxy header configuration is incorrect."

   - Update the Ingress-NGINX deployment. The important section in the values.yaml was here:

     ```yaml
     controller:
       config:
         use-forwarded-headers: "true"
       service:
         externalTrafficPolicy: Local
     ```

2. Solution to "Accessing site insecurely via HTTP."

   - Simply set the value of `phpClientHttpsFix.enabled` to `true`.

Hopefully this helps anyone else who might stumble across this.
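To show why the original config.php in the question produces both admin warnings and what the two fixes above change, here is a small model of reverse-proxy handling, added as an example and not code from the issue, from Nextcloud or from the chart. It is a simplified stand-in for Nextcloud's `trusted_proxies`, `forwarded_for_headers` and `overwriteprotocol` handling: forwarded headers are honoured only when the TCP peer is a listed proxy, and `overwriteprotocol` pins the public scheme. The IP addresses, the pod CIDR and the request headers are constructed sample values, and the chart's `phpClientHttpsFix` switch is assumed to amount to setting `overwriteprotocol`.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses for this example (not taken from the issue).
INGRESS_POD_IP = "10.42.0.7"      # ingress-nginx pod that talks plain HTTP to the Nextcloud container
POD_NETWORK = "10.42.0.0/16"      # hypothetical RKE2 pod CIDR to list in trusted_proxies
CLIENT_IP = "203.0.113.10"        # the real browser behind the ingress


@dataclass
class ProxyConfig:
    """The config.php keys that control reverse-proxy handling (simplified model)."""
    trusted_proxies: List[str] = field(default_factory=list)           # 'trusted_proxies'
    forwarded_for_headers: List[str] = field(                          # 'forwarded_for_headers'
        default_factory=lambda: ["HTTP_X_FORWARDED_FOR"])
    overwriteprotocol: Optional[str] = None                            # 'overwriteprotocol'


def is_trusted_proxy(remote_addr: str, trusted: List[str]) -> bool:
    """True if the TCP peer falls inside any configured trusted proxy address or CIDR."""
    addr = ipaddress.ip_address(remote_addr)
    for entry in trusted:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # skip malformed entries rather than trusting by accident
            continue
    return False


def resolve_request(cfg: ProxyConfig, remote_addr: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Derive (client_ip, scheme) from the peer address and CGI-style request headers.

    Forwarded headers are honoured only when the peer itself is a trusted proxy;
    otherwise the peer address and the scheme the container saw are kept.
    """
    client_ip = remote_addr
    scheme = headers.get("REQUEST_SCHEME", "http")
    if is_trusted_proxy(remote_addr, cfg.trusted_proxies):
        for name in cfg.forwarded_for_headers:
            if name in headers:
                # Leftmost X-Forwarded-For entry is the original client.
                client_ip = headers[name].split(",")[0].strip()
                break
        if "HTTP_X_FORWARDED_PROTO" in headers:
            scheme = headers["HTTP_X_FORWARDED_PROTO"]
    if cfg.overwriteprotocol:  # assumed equivalent of the chart's phpClientHttpsFix
        scheme = cfg.overwriteprotocol
    return client_ip, scheme


def admin_warnings(cfg: ProxyConfig, remote_addr: str, headers: Dict[str, str]) -> List[str]:
    """Approximate the two admin-page checks quoted in the issue."""
    client_ip, scheme = resolve_request(cfg, remote_addr, headers)
    found = []
    if "HTTP_X_FORWARDED_FOR" in headers and client_ip == remote_addr:
        found.append("The reverse proxy header configuration is incorrect.")
    if scheme != "https":
        found.append("Accessing site insecurely via HTTP.")
    return found


# Constructed headers the container sees from ingress-nginx once use-forwarded-headers is on:
# TLS was terminated at the ingress, so REQUEST_SCHEME is plain http.
PROXIED_HEADERS = {
    "REQUEST_SCHEME": "http",
    "HTTP_X_FORWARDED_FOR": CLIENT_IP,
    "HTTP_X_FORWARDED_PROTO": "https",
}


def scenarios():
    before = ProxyConfig()  # the issue's config.php: no trusted_proxies, no overwriteprotocol
    after = ProxyConfig(trusted_proxies=[POD_NETWORK], overwriteprotocol="https")
    direct = {"REQUEST_SCHEME": "http", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    return {
        "before": (resolve_request(before, INGRESS_POD_IP, PROXIED_HEADERS),
                   admin_warnings(before, INGRESS_POD_IP, PROXIED_HEADERS)),
        "after": (resolve_request(after, INGRESS_POD_IP, PROXIED_HEADERS),
                  admin_warnings(after, INGRESS_POD_IP, PROXIED_HEADERS)),
        # A peer that is not a trusted proxy cannot rewrite its own address via the header.
        "untrusted_peer": resolve_request(after, "198.51.100.5", direct),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the "before" scenario the container sees the ingress pod as the client and plain HTTP as the scheme, which is exactly the pair of warnings in the question; listing the proxy network and pinning the scheme clears both, while a peer outside that network still gets its own address regardless of what header it sends.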