Last update: 2022-09-04
After installing Nextcloud, you check for security & setup warnings in the administration panel. Although you followed the pkg-readme for Nextcloud to the letter, you get some yellow entries there. In this article I show you how to get rid of them.
For this how-to I assume that you install your Nextcloud on OpenBSD following the pkg-readmes to the letter.
The security check gives you the following red error:
Your data directory and files are probably accessible from the Internet.
You have a number of location lines in your httpd.conf(5) that should block access to sensitive files and directories of your Nextcloud installation. Just prepend the path /nextcloud to the name on each of these lines:
location "/nextcloud/.ht*" { block }
location "/nextcloud/.user*" { block }
location "/nextcloud/3rdparty*" { block }
location "/nextcloud/AUTHORS" { block }
location "/nextcloud/COPYING" { block }
location "/nextcloud/config*" { block }
location "/nextcloud/console*" { block }
location "/nextcloud/data*" { block }
location "/nextcloud/lib*" { block }
location "/nextcloud/occ*" { block }
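
Why the prefix matters, as an added example that is not part of the original article: httpd.conf(5) matches a plain location path against the request path with shell globbing rules, so a glob that does not start with /nextcloud never matches a request under /nextcloud/. The script approximates that matching with the shell's own `case` patterns; the helper names, the unprefixed "before" rules and the request paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Config lines are constructed.

# Print the glob of each one-line `location "<glob>" { block }` rule in file $1.
# `location match` rules and multi-line blocks are deliberately skipped.
block_globs() {
    sed -n 's/^[[:space:]]*location[[:space:]]*"\([^"]*\)"[[:space:]]*{[[:space:]]*block[[:space:]]*}.*$/\1/p' "$1"
}

# Succeed if request path $2 matches any block glob found in config file $1.
# Shell `case` patterns stand in for httpd's shell-glob matching (approximation).
is_blocked() {
    block_globs "$1" | (
        while IFS= read -r glob; do
            case "$2" in
                $glob) exit 0 ;;
            esac
        done
        exit 1
    )
}

# Compare rules without and with the /nextcloud prefix on the same requests.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before.conf" <<'EOF'
location "/.ht*" { block }
location "/config*" { block }
location "/data*" { block }
location "/occ*" { block }
EOF
    sed 's|location "/|location "/nextcloud/|' "$tmp/before.conf" > "$tmp/after.conf"
    for path in /nextcloud/data/nextcloud.log /nextcloud/config/config.php \
                /nextcloud/.htaccess /nextcloud/index.php; do
        for conf in before after; do
            if is_blocked "$tmp/$conf.conf" "$path"; then verdict=blocked; else verdict=served; fi
            printf '%-6s %-30s %s\n' "$conf" "$path" "$verdict"
        done
    done
    rm -rf "$tmp"
}
demo
```

The same `is_blocked` call can be pointed at your own httpd.conf to see what the rules intend; a request against the running server confirms the result.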
You see four warnings that start with “Your web server is not properly set up to resolve” followed by these paths:
/nextcloud/ocm-provider/
/nextcloud/ocs-provider/
/.well-known/caldav
/.well-known/carddav
/.well-known/webfinger
Add the following location blocks to your httpd.conf(5) and the warnings are gone:
location match "/nextcloud/oc[ms]%-provider/" {
    request rewrite "$DOCUMENT_URI/index.php"
    fastcgi socket "/run/php-fpm.sock"
    pass
}
location "/.well-known/caldav" {
    block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
}
location "/.well-known/carddav" {
    block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
}
location "/.well-known/webfinger" {
    block return 301 "https://$SERVER_NAME/nextcloud/public.php?service=webfinger"
}
The check shows you two error messages about PHP:
To make these two disappear you can add the following two lines to /etc/php-fpm.conf:
env[PATH] = /usr/local/bin:/usr/bin:/bin
php_admin_value[memory_limit] = 512M
Another complaint by Nextcloud is that the module imagick is missing.
You can add this module by installing and enabling it:
$ doas pkg_add -i pecl80-imagick
$ cd /etc/php-8.0.sample
$ doas ln -sf ../php-8.0.sample/imagick.ini ../php-8.0/
Don’t forget to restart php-fpm:
$ doas rcctl restart php80_fpm
The Nextcloud check complains about a long list of directories that are not owned by the user the web server is running under (www). You can change this with the following command:
$ find /var/www/nextcloud/apps -type d -exec doas chown www {} \;
I strongly recommend doing this because it allows Nextcloud to update the installed apps and install new ones.