this post was submitted on 28 Aug 2023
15 points (100.0% liked)

Selfhosted

40183 readers
729 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I am using one of the official Nextcloud docker-compose files to setup an instance behind a SWAG reverse proxy. SWAG is handling SSL and forwarding requests to Nextcloud on port 80 over a Docker network. Whenever I go to the Overview tab in the Admin settings, I see this security warning:

    The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

I have X-Robots-Tag set in SWAG. Is it safe to ignore this warning? I am assuming that Nextcloud is complaining about this because it still thinks its communicating over an insecured port 80 and not aware of the fact that its only talking via SWAG. Maybe I am wrong though. I wanted to double check and see if there was anything else I needed to do to secure my instance.

SOLVED: Turns out Nextcloud is just picky with what's in X-Robots-Tag. I had set it to SWAG's recommended setting of noindex, nofollow, nosnippet, noarchive, but Nextcloud expects noindex, nofollow.

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 5 points 1 year ago (1 children)

You can use a page like https://httpstatus.io/ to check all transferred HTTP headers, or simply inspect the responses in your browser DevTools. If all the headers are present as Nextcloud wants them to be, you can discard the warnings, if there are headers set wrongly, adjust your SWAG settings.

[–] [email protected] 3 points 1 year ago

Okay, nvm. Security checks work even with the proxy. It turns out Nextcloud is just picky with some of the fields. For example, I had set X-Robots-Tag to SWAG's recommended default of noindex, nofollow, nosnippet, noarchive, but Nextcloud expects only noindex, nofollow.