nextcloud-selfhosted/nextcloud-review.md
Thomas Gräfenstein 0e0a6ff1eb add trusted proxy, post-install/upgrade hooks, occ docs and admin review
- Add TRUSTED_PROXIES=caddy to fix reverse proxy header warning
- Add post-installation hook: maintenance window, phone region, DB indices, MIME migrations
- Add post-upgrade hook: DB indices and MIME migrations
- Add occ commands section to README
- Add nextcloud-review.md with admin warning fixes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 16:33:40 +01:00


Nextcloud Admin Warnings Review

1. Reverse Proxy Forwarded Headers

Problem: Nextcloud doesn't see the correct client IP because Caddy isn't sending the required forwarded headers, or Nextcloud isn't configured to trust them.

Fix: Two changes needed:

a) Caddyfile — Caddy already sets X-Forwarded-For and X-Forwarded-Proto by default, so no Caddyfile changes are strictly needed. However, verify Caddy is on the proxy network and connects to nextcloud:80.

b) Nextcloud config — Add trusted proxy config. Run inside the Nextcloud container:

sudo docker exec -u www-data nextcloud php occ config:system:set trusted_proxies 0 --value="caddy"
sudo docker exec -u www-data nextcloud php occ config:system:set forwarded_for_headers 0 --value="HTTP_X_FORWARDED_FOR"

Alternatively, add this environment variable to nextcloud/.env:

TRUSTED_PROXIES=caddy
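
Nextcloud's documentation describes trusted_proxies as a list of IP addresses and CIDR ranges, and every entry widens the set of peers whose X-Forwarded-For header is believed. The check below is an added example, not part of the original review: it classifies candidate entries before they are written with occ. The function names, the /16 threshold and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify candidate trusted_proxies entries before writing them.
MIN_PREFIX=16   # assumed policy: IPv4 ranges wider than /16 count as too broad

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with octets 0-255
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; input holds only digits and dots here
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# classify_proxy ENTRY -> prints ipv4 | ipv4-cidr | too-broad | ipv6-unchecked | not-an-ip
classify_proxy() {
  case $1 in
    *:*) echo ipv6-unchecked ;;          # IPv6 is passed through, not validated
    */*) addr=${1%/*}; prefix=${1##*/}
         case $prefix in ''|*[!0-9]*|???*) echo not-an-ip; return ;; esac
         if is_ipv4 "$addr" && [ "$prefix" -le 32 ]; then
           # A short prefix trusts forwarded headers from a very large range.
           if [ "$prefix" -lt "$MIN_PREFIX" ]; then echo too-broad; else echo ipv4-cidr; fi
         else
           echo not-an-ip
         fi ;;
    *)   if is_ipv4 "$1"; then echo ipv4; else echo not-an-ip; fi ;;
  esac
}

# review_proxies ENTRY... -> one report line per entry;
# exit status 1 if any entry is not an IP/CIDR or is too broad
review_proxies() {
  rc=0
  for entry in "$@"; do
    kind=$(classify_proxy "$entry")
    printf '%-16s %s\n' "$entry" "$kind"
    case $kind in not-an-ip|too-broad) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample values, not taken from a real deployment.
review_proxies caddy 172.18.0.5 172.18.0.0/16 0.0.0.0/0 10.0.0.300 || true
```

An entry reported as not-an-ip (a container name, for example) or too-broad is worth checking against the address the proxy actually connects from before relying on it.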

2. Log Errors (16 errors since March 15)

Problem: 16 errors logged. These need to be inspected to determine the cause.

Fix: Check the logs:

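# follow new log entries as they arrive (command provided by the Logreader app)
sudo docker exec -u www-data nextcloud php occ log:watch
# or print the most recent entries
sudo docker exec -u www-data nextcloud php occ log:tail
# or read the last 50 lines of the log file directly
sudo docker exec nextcloud tail -n 50 /var/www/html/data/nextcloud.log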

Review and address the specific errors. Common causes after a fresh install include missing config values (several of which are listed below).
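
To see where the errors come from, the entries can be grouped by app. The script below is an added example, not part of the original review: it counts nextcloud.log entries per app since a given date, assuming the warning's count refers to entries at level 3 (error) and above. The function names and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: count nextcloud.log entries at level >= 3 since a date, per app.

# sample_log -> constructed log lines in the JSON-lines layout of nextcloud.log
sample_log() {
  cat <<'EOF'
{"reqId":"a1","level":3,"time":"2026-03-14T22:10:05+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/status.php","message":"constructed: old error"}
{"reqId":"a2","level":2,"time":"2026-03-16T08:00:00+00:00","remoteAddr":"172.18.0.5","user":"admin","app":"files","method":"GET","url":"/apps/files/","message":"constructed: warning only"}
{"reqId":"a3","level":3,"time":"2026-03-16T08:01:12+00:00","remoteAddr":"172.18.0.5","user":"admin","app":"files","method":"PUT","url":"/remote.php/dav/","message":"constructed: says \"level\":4 inside the text"}
{"reqId":"a4","level":4,"time":"2026-03-17T01:00:00+00:00","remoteAddr":"","user":"--","app":"files","method":"","url":"--","message":"constructed: fatal in cron"}
{"reqId":"a5","level":3,"time":"2026-03-20T12:30:00+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/index.php","message":"constructed: missing config value"}
EOF
}

# errors_by_app SINCE [FILE...] -> "count app" lines, highest count first.
# SINCE is YYYY-MM-DD; reads stdin when no FILE is given.
errors_by_app() {
  since=$1; shift
  awk -v since="$since" '
    # field(name): value of the first "name": key on the line. Quotes inside
    # string values are escaped, and level/time/app precede message, so the
    # first match is the real top-level key.
    function field(name,   i, rest) {
      i = index($0, "\"" name "\":")
      if (i == 0) return ""
      rest = substr($0, i + length(name) + 3)
      if (substr(rest, 1, 1) == "\"") {          # string value
        rest = substr(rest, 2)
        return substr(rest, 1, index(rest, "\"") - 1)
      }
      sub(/[,}].*/, "", rest)                    # bare number
      return rest
    }
    # Levels: 3 = error, 4 = fatal. The date prefix of an ISO 8601 timestamp
    # compares correctly as a string.
    field("level") + 0 >= 3 && substr(field("time"), 1, 10) >= since {
      n[field("app")]++
    }
    END { for (a in n) print n[a], a }
  ' "$@" | sort -k1,1nr -k2
}

sample_log | errors_by_app 2026-03-15
```

Against the real log, pipe the file in: `sudo docker exec nextcloud cat /var/www/html/data/nextcloud.log | errors_by_app 2026-03-15`.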


3. Maintenance Window Start Time

Problem: No maintenance window configured, so heavy background jobs run at any time.

Fix:

sudo docker exec -u www-data nextcloud php occ config:system:set maintenance_window_start --type=integer --value=1

This sets the maintenance window to start at 1:00 UTC (3:00 AM CEST). Adjust the value (0-23) to match your low-usage hours.


4. MIME Type Migrations

Problem: New MIME types are available but not yet applied.

Fix:

sudo docker exec -u www-data nextcloud php occ maintenance:repair --include-expensive

This may take a while on large instances but is fine on a fresh install.


5. Missing Database Indices

Problem: Missing optional indices on filecache and properties tables that improve query performance.

Fix:

sudo docker exec -u www-data nextcloud php occ db:add-missing-indices

6. AppAPI Deploy Daemon

Problem: No default deploy daemon configured for external apps (ExApps).

Fix: This is only needed if you plan to use ExApps (like the AI assistant apps). If not, this warning can be ignored.

If you want to set it up, it requires a Docker Socket Proxy or direct Docker access from Nextcloud. This is a more involved setup — see the AppAPI documentation.

Recommendation: Ignore unless you need ExApps.


7. Two-Factor Authentication Not Enforced

Problem: 2FA providers are available but not mandatory for all users.

Fix: To enforce 2FA for all users:

sudo docker exec -u www-data nextcloud php occ twofactorauth:enforce --on

Make sure you have a 2FA provider app installed and configured (e.g., TOTP) before enforcing, or you may lock yourself out. Install TOTP first:

sudo docker exec -u www-data nextcloud php occ app:install twofactor_totp

Then set up 2FA for your admin account via the web UI before enforcing.


8. Default Phone Region

Problem: No default phone region set for validating phone numbers without country code.

Fix:

sudo docker exec -u www-data nextcloud php occ config:system:set default_phone_region --value="DE"

Use the appropriate ISO 3166-1 code for your region (DE = Germany).


9. Server ID Not Configured

Problem: No server ID set. Only matters for multi-server setups.

Fix: Even on a single server, setting it avoids the warning:

sudo docker exec -u www-data nextcloud php occ config:system:set instanceid --value="$(openssl rand -hex 5)"

Note: Only do this on a fresh install. On an existing instance, instanceid is already set automatically — check first:

sudo docker exec -u www-data nextcloud php occ config:system:get instanceid

If it returns a value, this warning may be about a different server-id config. In that case, set serverid instead (the key has no underscore and takes an integer between 0 and 1023):

sudo docker exec -u www-data nextcloud php occ config:system:set serverid --type=integer --value=1

Quick-Fix Summary (run in order)

# 1. Trusted proxy
sudo docker exec -u www-data nextcloud php occ config:system:set trusted_proxies 0 --value="caddy"

# 3. Maintenance window (1:00 UTC)
sudo docker exec -u www-data nextcloud php occ config:system:set maintenance_window_start --type=integer --value=1

# 4. MIME type migrations
sudo docker exec -u www-data nextcloud php occ maintenance:repair --include-expensive

# 5. Missing DB indices
sudo docker exec -u www-data nextcloud php occ db:add-missing-indices

# 8. Phone region
sudo docker exec -u www-data nextcloud php occ config:system:set default_phone_region --value="DE"

# 9. Server ID (config key is serverid, an integer between 0 and 1023)
sudo docker exec -u www-data nextcloud php occ config:system:set serverid --type=integer --value=1