After updating some test servers to Nextcloud 12, some warnings are showing on Admin page:

• Some files have not passed the integrity check. (@greavette reported a similar issue)
• The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. (@Christopher_Suttles reported the same issue)
• The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds.
• No memory cache has been configured.
• The PHP Opcache is not properly configured.

About the files integrity check:

[details=Technical information]

Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results

• core
  • INVALID_HASH
    • .htaccess
  • EXTRA_FILE
    • 3rdparty/guzzle/guzzle/docs/conf.pyc

Raw output

Array
(
[core] => Array
(
[INVALID_HASH] => Array
(
[.htaccess] => Array
(
[expected] => da8e0075f23227b107fc705aa1b20378107d3a1c195d96ed13e5f4f25c38d6c660aab75be183ae5799a4ff7eae0ea739a14c944430ee8bb9e9a824235aa136eb
[current] => 11e2db30f0cf23df1b5aa1cdf329a8c88d253f86e43f9e7af1b30969eb0175030103b138e2f7ab7608c902bbb57a5d578c2c0ca09f3abf2ef83415f4bc6f6e20
)

            )

        [EXTRA_FILE] => Array
            (
                [3rdparty/guzzle/guzzle/docs/conf.pyc] => Array
                    (
                        [expected] => 
                        [current] => 103e7520c3fcfb9c2a7be7b4a610270a946246ac22dd585a6e40785fa9523ab23d9b69a88208ee6ac52da1f074f01411393ab5d0e3274a5067819f7b4a56095f
                    )

            )

    )

)

Regarding the .htaccess file:

  Updating   : nextcloud-12.0.0-1.ns7.noarch
warning: /usr/share/nextcloud/.htaccess created as /usr/share/nextcloud/.htaccess.rpmnew

This seems to do the trick for the integrity check messages:

• This was done before accessing Nextcloud admin page:
  To see the file differences…

# diff /usr/share/nextcloud/.htaccess.rpmnew /usr/share/nextcloud/.htaccess
16a17
>     Header set X-Frame-Options "SAMEORIGIN"
57,58d57
<   RewriteCond %{HTTP_USER_AGENT}  DavClnt
<   RewriteRule ^$         /remote.php/webdav/          [L,R=302]
80a80,83
> #### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
> 
> ErrorDocument 403 /core/templates/403.php
> ErrorDocument 404 /core/templates/404.php

and replace the old .htaccess file…

mv /usr/share/nextcloud/.htaccess.rpmnew /usr/share/nextcloud/.htaccess

• And after that looked to get rid of Nextcloud integrity check warning messages:

rm /usr/share/nextcloud/3rdparty/guzzle/guzzle/docs/conf.pyc
rm /usr/share/nextcloud/3rdparty/guzzle/guzzle/docs/conf.pyo		# once conf.pyc is gone integrity check warns about conf.pyo

The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”.
Putting the newer .htaccess file in place, also got rid of the X-Frame-Options warning.
With the older .htaccess file the X-Frame-Options header was being duplicated.

Has Nextcloud 12 been tested enough by the nethserver team to warrant an update? I see lots to update in my software center but don’t want to risk breaking my Nextcloud.

What kind of testing is done by the Nethserver team before a release is made to the software center?

Thanks!

It’s recorded by the issue tracker: Nextcloud: update to 12.0.0 · Issue #5306 · NethServer/dev · GitHub

Here @robb and @fasttech did the QA tests. It seems the problem pointed out by @dnutan wasn’t spotted.

You did the right choice. I’d like a way to disable updates for a specific module from the Software center, like I can do on my Android smartphone.

I understand your concerns, but all updates (if executed in the right order) are non-disruptive.
This is the kind of service we offer in the Enterprise edition which have automatic updates enabled by default.

As I can see, the problem is only cosmetic.
Nevertheless, Marc do you think we should take care to replace the old .htaccess file with new one?

Thanks @davidep for relaying the testing done for updates.

I would encourage everyone who can run Nethserver in a VM to take a backup of Nethserver before any updates are applied. I’m right now running two nethserver’s…one for prod and one for test. I’ll test any upgrades on my test nethserver fist. I also run both my test/prod nethservers in a VM and take nightly scheduled backups and even take an extra backup before any upgrades are done. Better safe than sorry!

I’m very encouraged to hear you mention that you would like to be able to update specific modules from the Software Center! I would like to strongly suggest that the nethserver team build in this functionality. I see Nethserver becoming too critical as a service for any office using nethserver for their day to day operations. Forcing a business to upgrade potential critical fixes as an all or nothing upgrade while potentially breaking another service that they currently rely on is counter-productive to trying to encourage more businesses to use nethserver. Just my two cents…

Whoops! I didn’t see your comment there @giacomo.

It’s not clear to me…

• Does Nextcloud allows manual changes to its .htaccess/.user.ini files?
  • If true, then the rpmnew file is ok to me, but some notes in the manual would be welcome. The server admin will have to check both pair of files to see if there’s any change to merge.
  • Otherwise, if manual changes are not allowed, the file can be replaced.

The file belongs to nextcloud package and it’s not marked as configuration file.
But we can improve it and allow modifications.

Should I proceed this way?

Making an extensive testing is key here.

We can easy fix that getting our @quality_team stronger. @greavette it looks like an application! Am I wrong?

Observations:

• Some .htaccess/.user.ini modifications are handled from Nextcloud UI and from config.php
• While the edition of nextcloud’s .htaccess/.user.ini file is not disallowed, lately some recommendations suggest to handle some settings from the document root, php.ini, httpd.conf files instead.
• Integrity checks are triggered at installation/update time or manually; (the integrity of .htaccess is checked against a hash)

So the rpmnew way could be appropriate already, just adding some notes in the manual.

Nextcloud admin:

• will be notified of integrity check errors (and take care of them)
• will have to set the unmodified .htaccess.rpmnew to .htaccess
• do an integrity check rescan
• then can modify the .htaccess file