Nextcloud/OwnCloud管理页面上的警告及对应方案
Mar. 26, 2017Nextcloud/OwnCloud内置了配置检查工具,错误信息会被显示在管理页面的顶端。本文列举了一些可能会看到的警告及其解决方案。
[infobox]您可以使用Nextcloud Security Scan查看您的系统是否是最新的并且是否安全。过去,我们已经对公共IP地址进行了扫描,尝试接触到非常过时的系统,并可能在将来再次出现。请保护您的隐私,并保持您的服务器最新!隐私意味着没有安全性。[/infobox]
缓存警告
如果没有配置内存缓存,就会看到以下提示:[warningbox]No memory cache has been configured. To enhance your performance please configure a memcache if available.[/warningbox]
或者是
[warningbox]内存缓存未配置,如果可用,请配置memcache来增强性能。[/warningbox]
ownCloud/Nextcloud支持以下几种内存缓存方式: [ssbluelist]
- APCu (PHP4.0.6+)
- Memcached
- Redis (PHP2.2.6+)
相关教程
APCu:VPS配置ownCloud_memcache【APCu】、Nextcloud/ownCloud配置APCu本地缓存+Memcached分布式缓存Memcache:ownCloud 配置memcache、Nextcloud/ownCloud配置APCu本地缓存+Memcached分布式缓存
Redis:【ownCloud】配置Redis内存缓存
其它警告
[warningbox]{Cache} below version {Version} is installed. for stability and performance reasons we recommend to update to a newer {Cache} version” then you need to upgrade, or, if you’re not using it, remove it.[/warningbox]注:{Cache}至内存缓存方式,{Version}为相应版本
如果你所安装的版本太低或没有安装和启用缓存,就会看到以上警告。可以通过升级版本或彻底删除缓存工具的方式来解决。
Transactional file locking is disabled
[warningbox]Transactional file locking is disabled, this might lead to issues with race conditions.[/warningbox]这是事务文件锁定功能被禁用的缘故。
Nextcloud的事务文件锁定机制能够锁定文件以避免在正常操作期间文件损坏。更多信息可以查看:Transactional File Locking
建议使用HTTPS
如果使用HTTP协议访问Nextcloud/OwnCloud,就会看到以下警告[warningbox]You are accessing this site via HTTP[/warningbox]
或者是
[warningbox]您正在通过HTTP访问该站点,我们强烈建议您按照安全提示配置服务器强制使用HTTPS[/warningbox]
HTTPS是大势所趋,更何况是牵涉文件安全的网页应用。如果你的Nextcloud/Owncloud在外网上跑,使用HTTPS是相当有必要的,而且如果不使用HTTP,就会有部分功能受到限制。
[caption id=“attachment_2091” align=“alignnone” width=“741”]
如果未使用HTTPS,在使用一些插件时也会显示警告[/caption]
以下是一些开启HTTPS的教程:
[ssbluelist]
[/ssbluelist]The test with getenv(“PATH”) only returns an empty response
某些环境没有将有效的PATH变量传递给Nextcloud。 可以阅读php-fpm配置注意事项。解决方法:The test with getenv(“PATH”) only returns an empty response报错解决办法
“Strict-Transport-Security(HSTS)”HTTP头没有配置
开启HTTPS后,会出现这个提示[warningbox]The “Strict-Transport-Security” HTTP header is not configured to least “15552000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.[/warningbox]
错误在于虽然开启了HTTPS,却使用传统301方式跳转或没有进行强制跳转。
HSTS(HTTP Strict Transport Security)国际互联网工程组织IETE正在推行一种新的Web安全协议。HSTS的作用是强制客户端(如浏览器)使用HTTPS与服务器创建连接。不同于传统301跳转,HSTS不会在跳转过程遭遇网络渗透。
有关HSTS的设置可以参考官方文档:Enable HTTP Strict Transport Security,我也会在以后发布相关中文教程。
/dev/urandom is not readable by PHP
[warningbox]/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.[/warningbox]错误原因在于PHP无法读取/dev/urandom。这是个严重的问题,可以参考官方文档: Give PHP read access to /dev/urandom
Your Web server is not yet set up properly to allow file synchronization
[warningbox]“Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.”[/warningbox]有关这个问题,在ownCloud官方论坛有详细说明:How to fix CalDAV|CardDAV|WebDAV problems
Outdated NSS / OpenSSL version
[warningbox]“cURL is using an outdated OpenSSL version (OpenSSL/$version). Please update your operating system or features such as installing and updating apps via the app store or Federated Cloud Sharing will not work reliably.”“cURL is using an outdated NSS version (NSS/$version). Please update your operating system or features such as installing and updating apps via the app store or Federated Cloud Sharing will not work reliably.”[/warningbox]
早期的OpenSSL和NSS版本中存在BUG,导致与使用SNI的远程主机相连接的方式不正确。解决这个问题需要将OpenSSL至少升级为1.0.2b或1.0.1d。
[infobox]对于RHEL / CentOS,这个问题尚未解决,该BUG报告页面:Certificate verification fails with multiple https urls [el7/nss][/infobox]
Your Web server is not set up properly to resolve /.well-known/caldav/ or /.well-known/carddav/
错误原因:/.well-known/caldav/和 /.well-known/carddav/没有正确地重定向到Nextcloud的DAV端点有关这个问题,可以参考官方文档:Service discovery
文件完整性检查
这是一个很常见的错误,一般提示为:[warningbox]Some files have not passed the integrity check[/warningbox]
或
[warningbox]某些文件尚未通过完整性检查[/warningbox]
出现这个错误的往往是因为文件缺失、多余。注意:
[infobox]请不要在Nextcloud/OwnCloud程序目录下放置任何其他文件,否则会提示这个错误[/infobox]
往往还会有下面的提示信息:
对于强迫症患者,可以考虑删掉整个程序,重新下载安装。有耐心者可以按照下面的过程查找核对错误文件:
点击"List of invalid files…“查看错误文件列表,你可能看到下面的信息(已标注处理方法):
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core #核心文件核验
- INVALID_HASH #错误的文件,需要使用正确的替换
- /index.php
- /version.php
- EXTRA_FILE #多余的文件,需要删除
- /test.php
- calendar #日历
- EXCEPTION #错误信息
- OC\IntegrityCheck\Exceptions\InvalidSignatureException
- Signature data not found.
Raw output
==========
Array
(
[core] => Array
(
[INVALID_HASH] => Array
(
[/index.php] => Array
(
[expected] =>
f1c5e2630d784bc9cb02d5a28f55d6f24d06dae2a0fee685f3
c2521b050955d9d452769f61454c9ddfa9c308146ade10546c
fa829794448eaffbc9a04a29d216
[current] =>
ce08bf30bcbb879a18b49239a9bec6b8702f52452f88a9d321
42cad8d2494d5735e6bfa0d8642b2762c62ca5be49f9bf4ec2
31d4a230559d4f3e2c471d3ea094
)
[/version.php] => Array
(
[expected] =>
c5a03bacae8dedf8b239997901ba1fffd2fe51271d13a00cc4
b34b09cca5176397a89fc27381cbb1f72855fa18b69b6f87d7
d5685c3b45aee373b09be54742ea
[current] =>
88a3a92c11db91dec1ac3be0e1c87f862c95ba6ffaaaa3f2c3
b8f682187c66f07af3a3b557a868342ef4a271218fe1c1e300
c478e6c156c5955ed53c40d06585
)
)
[EXTRA_FILE] => Array
(
[/test.php] => Array
(
[expected] =>
[current] =>
09563164f9904a837f9ca0b5f626db56c838e5098e0ccc1d8b
935f68fa03a25c5ec6f6b2d9e44a868e8b85764dafd1605522
b4af8db0ae269d73432e9a01e63a
)
)
)
[calendar] => Array
(
[EXCEPTION] => Array
(
[class] => OC\IntegrityCheck\Exceptions\InvalidSignature
Exception
[message] => Signature data not found.
)
)
)
Your database does not run with “READ COMMITED” transaction isolation level
[warningbox]“Your database does not run with “READ COMMITED” transaction isolation level. This can cause problems when multiple actions are executed in parallel.”[/warningbox]有关这个问题,可以查看官方文档: Database “READ COMMITED” transaction isolation level 来了解如何设置数据库。
