ERRORS middleware "nextcloud-middleware-secure-headers@file" does not exist
Hi all,
First I would like to thank you all for those tutorials. They made my life better. :)
For days now I have been struggling with this Traefik error: "middleware "nextcloud-middleware-secure-headers@file" does not exist" that brings a 404 error.
I managed to install Nextcloud from your last tutorial. All went well until I tried to solve the errors from the overview tab. The steps of what I did:
- modify middlewares.toml with the script from the repo. Below you can find how it looks:
[http.middlewares]
[http.middlewares.middlewares-basic-auth]
[http.middlewares.middlewares-basic-auth.basicAuth]
realm = "Traefik2 Basic Auth"
usersFile = "/shared/.htpasswd"
[http.middlewares.middlewares-rate-limit]
[http.middlewares.middlewares-rate-limit.rateLimit]
average = 100
burst = 50
[http.middlewares.middlewares-secure-headers]
[http.middlewares.middlewares-secure-headers.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlMaxAge = 100
hostsProxyHeaders = ["X-Forwarded-Host"]
sslRedirect = true
stsSeconds = 63072000
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
# frameDeny = true #overwritten by customFrameOptionsValue
customFrameOptionsValue = "allow-from https:xxxxx" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff = true
browserXssFilter = true
# sslForceHost = true # add sslHost to all of the services
# sslHost = "example.com"
referrerPolicy = "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
[http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
server = ""
[http.middlewares.middlewares-oauth]
[http.middlewares.middlewares-oauth.forwardAuth]
address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-User"]
###(NEXTCLOUD) Let's give them a new name so it won't conflict with others
[http.middlewares.nextcloud-middlewares-secure-headers]
### Change the name here as well
[http.middlewares.nextcloud-middlewares-secure-headers.headers]
### Comment out this line as Nextcloud uses quite a few methods for different apps
# accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlMaxAge = 100
hostsProxyHeaders = ["X-Forwarded-Host"]
sslRedirect = true
stsSeconds = 63072000
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
# frameDeny = true #overwritten by customFrameOptionsValue
### We will modify this value for Nextcloud to remove the X-Frame-Options error:
customFrameOptionsValue = "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff = true
browserXssFilter = true
# sslForceHost = true # add sslHost to all of the services
# sslHost = "example.com"
referrerPolicy = "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
### Change the middleware name here as well
[http.middlewares.nextcloud-middlewares-secure-headers.headers.customResponseHeaders]
### We just need to set this to none
X-Robots-Tag = "none"
server = ""
### This section redirects requests for Nextcloud calendar and contacts service discovery
### source: https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery
[http.middlewares.nextcloud-redirect]
[http.middlewares.nextcloud-redirect.redirectRegex]
permanent = true
regex = "https://(.*)/.well-known/(card|cal)dav"
replacement = "https://${1}/remote.php/dav/"
I also modified the middleware-chains.toml file. It now looks like this:
[http.middlewares]
[http.middlewares.chain-no-auth]
[http.middlewares.chain-no-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]
[http.middlewares.chain-basic-auth]
[http.middlewares.chain-basic-auth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]
[http.middlewares.chain-oauth]
[http.middlewares.chain-oauth.chain]
middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-oauth"]
[http.middlewares.chain-nextcloud]
[http.middlewares.chain-nextcloud.chain]
middlewares = [ "middlewares-rate-limit", "nextcloud-middleware-secure-headers", "nextcloud-redirect"]
I also added the chain line to the nextcloud container from my .yml file. Below is the labels part of it:
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.nextcloud.entrypoints=https"
- "traefik.http.routers.nextcloud.rule=Host(`cloud.$DOMAINNAME`)"
- "traefik.http.routers.nextcloud.tls=true"
## Middlewares
- "traefik.http.routers.nextcloud.middlewares=chain-nextcloud@file"
## HTTP Services
- "traefik.http.routers.nextcloud.service=nextcloud"
- "traefik.http.services.nextcloud.loadbalancer.server.port=80"
I really don't understand where the problem is. Can you help me?
Thank you, Paul
Hi,
It looks like a little syntax error. You define the middleware as nextcloud-middlewares-secure-headers, with an s, and you call it without the s in the middleware chain.
-- Chris
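The mismatch pointed out above can be caught before Traefik loads the files by cross-checking every name used in a chain against the middlewares that are actually defined. This is an added example, not part of the thread or of Traefik itself: the function names are hypothetical, the two strings are trimmed, constructed copies of the files in the question, and the scan is line-based and only understands the table-header style shown there.

```python
import re

# Constructed sample: trimmed copies of the two files posted in the question.
MIDDLEWARES_TOML = '''
[http.middlewares.middlewares-rate-limit]
[http.middlewares.middlewares-rate-limit.rateLimit]
average = 100
[http.middlewares.nextcloud-middlewares-secure-headers]
[http.middlewares.nextcloud-middlewares-secure-headers.headers]
customFrameOptionsValue = "SAMEORIGIN"
[http.middlewares.nextcloud-redirect]
[http.middlewares.nextcloud-redirect.redirectRegex]
permanent = true
'''
CHAINS_TOML = '''
[http.middlewares.chain-nextcloud]
[http.middlewares.chain-nextcloud.chain]
middlewares = [ "middlewares-rate-limit", "nextcloud-middleware-secure-headers", "nextcloud-redirect"]
'''

HEADER = re.compile(r'^\s*\[http\.middlewares\.([^.\]\s]+)')
CHAIN_HEADER = re.compile(r'^\s*\[http\.middlewares\.([^.\]\s]+)\.chain\]')
CHAIN_LIST = re.compile(r'^\s*middlewares\s*=\s*\[(.*)\]')

def defined_middlewares(*docs):
    """Names declared as [http.middlewares.<name>...] in any of the files."""
    found = (HEADER.match(line) for doc in docs for line in doc.splitlines())
    return {m.group(1) for m in found if m}

def chain_references(doc):
    """(chain, referenced name) pairs, in file order."""
    refs, current = [], None
    for line in doc.splitlines():
        if line.lstrip().startswith("["):
            # Any new table header ends the previous chain's scope.
            h = CHAIN_HEADER.match(line)
            current = h.group(1) if h else None
            continue
        m = CHAIN_LIST.match(line)
        if m and current:
            refs += [(current, n) for n in re.findall(r'"([^"]+)"', m.group(1))]
    return refs

def undefined_references(middlewares_doc, chains_doc):
    known = defined_middlewares(middlewares_doc, chains_doc)
    # A name without "@provider" is resolved within the same file provider.
    return [(c, n) for c, n in chain_references(chains_doc)
            if n.split("@")[0] not in known]

if __name__ == "__main__":
    for chain, name in undefined_references(MIDDLEWARES_TOML, CHAINS_TOML):
        print(f'{chain}: middleware "{name}" is not defined')
```
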
Thank you so much! Works like a champ! <3
As I see now, after all the settings from above I still have the errors:
MySQL is used as database but does not support 4-byte characters. To be able to handle 4-byte characters (like emojis) without issues in filenames or comments for example it is recommended to enable the 4-byte support in MySQL. For further details read the documentation page about this.
The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.