enable psalm-security workflow again

Signed-off-by: szaimen <szaimen@e.mail.de>

.github/dependabot.yml

@@ -92,6 +92,9 @@ updates:
   schedule:
     interval: "daily"
     time: "12:00"
+  ignore:
+    - dependency-name: "redis"
+      update-types: ["version-update:semver-major"]
   open-pull-requests-limit: 10
   labels:
   - 3. to review

Containers/apache/Caddyfile

@@ -11,24 +11,34 @@
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Talk
     route /standalone-signaling/* {
         uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Collabora
     route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
     route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
     route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Onlyoffice
@@ -37,6 +47,7 @@
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
             header_up X-Forwarded-Host {http.request.host}/onlyoffice
             header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
         }
     }
 
@@ -45,7 +56,10 @@
         rewrite /.well-known/carddav /remote.php/dav
         rewrite /.well-known/caldav /remote.php/dav
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
     }
 
     # TLS options

Containers/apache/start.sh

@@ -21,17 +21,30 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-# Change the Caddyfile
+# Change variables in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
     export PROTOCOL="http"
     export NC_DOMAIN=""
-    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
 else
     export PROTOCOL="https"
+fi
+
+# Change the auto_https in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
+else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
 echo "$CADDYFILE" > /Caddyfile
 
+# Change the trusted_proxies in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
+else
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+fi
+echo "$CADDYFILE" > /Caddyfile
+
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 

Containers/borgbackup/backupscript.sh

@@ -37,6 +37,13 @@ if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKU
     exit 1
 fi
 
+# Do not continue if this file exists (needed for simple external blocking)
+if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
+    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
+    echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
+    exit 1
+fi
+
 # Create lockfile
 if [ "$BORG_MODE" = backup ] || [ "$BORG_MODE" = restore ]; then
     touch "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:21.11.5.1.1
+FROM collabora/code:21.11.5.3.1
 
 USER root
 

Containers/mastercontainer/Dockerfile

@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:20.10.16-dind-alpine3.15 as dind
+FROM docker:20.10.17-dind-alpine3.16 as dind
 
 # Caddy is a requirement
 FROM caddy:2.5.1-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.0/bullseye/apache/Dockerfile
-FROM php:8.0.19-apache-bullseye
+FROM php:8.0.20-apache-bullseye
 
 EXPOSE 80
 EXPOSE 8080

Containers/nextcloud/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
-FROM php:8.0.19-fpm-alpine3.15
+FROM php:8.0.20-fpm-alpine3.15
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
 RUN set -ex; \
@@ -85,7 +85,7 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
 RUN { \
-        echo 'opcache.interned_strings_buffer=16'; \
+        echo 'opcache.interned_strings_buffer=32'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
@@ -105,7 +105,7 @@ RUN { \
 VOLUME /var/www/html
 
 
-ENV NEXTCLOUD_VERSION 23.0.5
+ENV NEXTCLOUD_VERSION 23.0.6
 
 RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \

Containers/nextcloud/entrypoint.sh

@@ -307,6 +307,7 @@ else
     php /var/www/html/occ app:update notify_push
 fi
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
+php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
 php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"
 
 # Collabora

Containers/redis/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/redis/blob/master/6.2/alpine/Dockerfile
-FROM redis:6.2.6-alpine3.15
+FROM redis:6.2.7-alpine
 
 RUN apk add --update --no-cache openssl bash
 

Containers/talk/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:focal-20220426
+FROM ubuntu:focal-20220531
 
 EXPOSE 3478
 

develop.md

@@ -31,5 +31,5 @@ Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/repo-sy
 1. Verify that no job is running here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-beta.yml
 2. Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-latest.yml, click on `Run workflow`.
 
-## Where to find the VPS builds?
+## Where to find the VPS and other builds?
 This is documented here: https://github.com/nextcloud-releases/all-in-one/tree/main/.build

docker-compose.yml

@@ -11,7 +11,7 @@ services:
     container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation
     ports:
       - 80:80 # Can be removed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080

docker-rootless.md

@@ -0,0 +1,12 @@
+# Docker rootless
+
+You can run AIO with docker rootless by following the steps below.
+
+0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
+1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages**. Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
+1. Do not forget to set the mentioned environmental variables and in best case add them to your `~/.bashrc` file as shown!
+1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`)
+1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `-e DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
+1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or docker-compose file (after installing docker rootles) are things that are mentioned in point 3.
+
+**Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. For changing Nextcloud's datadir, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). This logically also applies to the NEXTCLOUD_MOUNT option.

php/composer.lock

@@ -8,22 +8,22 @@
     "packages": [
         {
             "name": "guzzlehttp/guzzle",
-            "version": "7.4.3",
+            "version": "7.4.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"
+                "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab",
-                "reference": "74a8602c6faec9ef74b7a9391ac82c5e65b1cdab",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82",
+                "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
                 "guzzlehttp/promises": "^1.5",
-                "guzzlehttp/psr7": "^1.8.3 || ^2.1",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
                 "php": "^7.2.5 || ^8.0",
                 "psr/http-client": "^1.0",
                 "symfony/deprecation-contracts": "^2.2 || ^3.0"
@@ -112,7 +112,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/guzzle/issues",
-                "source": "https://github.com/guzzle/guzzle/tree/7.4.3"
+                "source": "https://github.com/guzzle/guzzle/tree/7.4.5"
             },
             "funding": [
                 {
@@ -128,7 +128,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-05-25T13:24:33+00:00"
+            "time": "2022-06-20T22:16:13+00:00"
         },
         {
             "name": "guzzlehttp/promises",
@@ -216,16 +216,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.2.1",
+            "version": "2.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "c94a94f120803a18554c1805ef2e539f8285f9a2"
+                "reference": "13388f00956b1503577598873fffb5ae994b5737"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/c94a94f120803a18554c1805ef2e539f8285f9a2",
-                "reference": "c94a94f120803a18554c1805ef2e539f8285f9a2",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/13388f00956b1503577598873fffb5ae994b5737",
+                "reference": "13388f00956b1503577598873fffb5ae994b5737",
                 "shasum": ""
             },
             "require": {
@@ -249,7 +249,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "2.2-dev"
+                    "dev-master": "2.4-dev"
                 }
             },
             "autoload": {
@@ -311,7 +311,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.2.1"
+                "source": "https://github.com/guzzle/psr7/tree/2.4.0"
             },
             "funding": [
                 {
@@ -327,7 +327,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-03-20T21:55:58+00:00"
+            "time": "2022-06-20T21:43:11+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",

php/src/Data/ConfigurationManager.php

@@ -199,12 +199,19 @@ class ConfigurationManager
         }
 
         $dnsRecordIP = gethostbyname($domain);
+        if ($dnsRecordIP === $domain) {
+            $dnsRecordIP = '';
+        }
 
         // Validate IP
         if(!filter_var($dnsRecordIP, FILTER_VALIDATE_IP)) {
             throw new InvalidSettingConfigurationException("DNS config is not set for this domain or the domain is not a valid domain! (It was found to be set to '" . $dnsRecordIP . "')");
         }
 
+        if (!filter_var($dnsRecordIP, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+            throw new InvalidSettingConfigurationException("It seems like the ip-address is set to an internal or reserved ip-address. This is not supported. (It was found to be set to '" . $dnsRecordIP . "')");
+        }
+
         // Check if port 443 is open
         $connection = @fsockopen($domain, 443, $errno, $errstr, 10);
         if ($connection) {

php/src/Docker/DockerActionManager.php

@@ -431,6 +431,13 @@ class DockerActionManager
             $tagArray = explode(':', $output['Config']['Image']);
             $tag = $tagArray[1];
             apcu_add($cacheKey, $tag);
+            /**
+             * @psalm-suppress TypeDoesNotContainNull
+             */
+            if ($tag === null) {
+                error_log("No tag was found when getting the current channel. You probably did not follow the documentation correctly. Changing the channel to the default 'latest'.");
+                $tag = 'latest';
+            }
             return $tag;
         } catch (\Exception $e) {
             error_log('Could not get current channel ' . $e->getMessage());

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v1.4.0</h1>
+        <h1>Nextcloud AIO v1.4.2</h1>
 
         {% set isAnyRunning = false %}
         {% set isAnyRestarting = false %}

readme.md

@@ -78,7 +78,7 @@ Only those (if you access the Mastercontainer Interface internally via port 8080
 On macOS, there are two things different in comparison to Linux: instead of using `--volume /var/run/docker.sock:/var/run/docker.sock:ro`, you need to use `--volume /var/run/docker.sock.raw:/var/run/docker.sock:ro` to run it after you installed [Docker Desktop](https://www.docker.com/products/docker-desktop/). You also need to add `-e DOCKER_SOCKET_PATH="/var/run/docker.sock.raw"`to the startup command. Apart from that it should work and behave the same like on Linux.
 
 ### How to run it on Windows?
-On Windows, the following command should work after you installed [Docker Desktop](https://www.docker.com/products/docker-desktop/):
+On Windows, the following command should work in the command prompt after you installed [Docker Desktop](https://www.docker.com/products/docker-desktop/):
 
 ```
 docker run -it ^
@@ -293,11 +293,21 @@ if ! [ -d "$TARGET_DIRECTORY" ]; then
     exit 1
 fi
 
+if [ -f "$SOURCE_DIRECTORY/aio-lockfile" ]; then
+    echo "Not continuing because aio-lockfile already exists."
+    exit 1
+fi
+
+touch "$SOURCE_DIRECTORY/aio-lockfile"
+
 if ! rsync --stats --archive --human-readable --delete "$SOURCE_DIRECTORY/" "$TARGET_DIRECTORY"; then
     echo "Failed to sync the backup repository to the target directory."
     exit 1
 fi
 
+rm "$SOURCE_DIRECTORY/aio-lockfile"
+rm "$TARGET_DIRECTORY/aio-lockfile"
+
 umount "$DRIVE_MOUNTPOINT"
 
 if docker ps --format "{{.Names}}" | grep "^nextcloud-aio-nextcloud$"; then
@@ -317,8 +327,6 @@ Afterwards apply the correct permissions with `sudo chown root:root /root/backup
 1. Add the following new line to the crontab if not already present: `0 20 * * 7 /root/backup-script.sh` which will run the script at 20:00 on Sundays each week. 
 1. save and close the crontab (when using nano are the shortcuts for this `Ctrl + o` -> `Enter` and close the editor with `Ctrl + x`).
 
-⚠️ **Attention:** Make sure that the execution of the script does not collide with the daily backups from AIO (if configured) since the target backup repository might get into an inconsistent state. (There is no check in place that checks this.)
-
 ### How to change the default location of Nextcloud's Datadir?
 You can configure the Nextcloud container to use a specific directory on your host as data directory. You can do so by adding the environmental variable `NEXTCLOUD_DATADIR` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/` and are not equal to `/`.
 
@@ -358,6 +366,9 @@ You can then navigate to the apps management page, activate the external storage
 
 Be aware though that these locations will not be covered by the built-in backup solution!
 
+### How to run this with docker rootless?
+You can run AIO also with docker rootless. How to do this is documented here: [docker-rootless.md](https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md)
+
 ### Huge docker logs
 When your containers run for a few days without a restart, the container logs that you can view from the AIO interface can get really huge. You can limit the loge sizes by enabling logrotate for docker container logs. Feel free to enable this by following those instructions: https://sandro-keil.de/blog/logrotate-for-docker-container/
 

reverse-proxy.md

@@ -14,7 +14,66 @@ In order to run Nextcloud behind a reverse proxy, you need to specify the port t
 
 **Please note:** Since the Apache container gets spawned by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work!
 
-### Caddy
+### Apache
+
+<details>
+
+<summary>click here to expand</summary>
+
+**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
+
+Add this as a new Apache site config:
+
+(The config below assumse that you are using certbot to get your certificates. You need to create them first in order to make it work.)
+
+```
+<VirtualHost *:80>
+    ServerName <your-nc-domain>
+
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+    RewriteCond %{SERVER_NAME} =<your-nc-domain>
+    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName <your-nc-domain>
+
+    # Reverse proxy
+    RewriteEngine On
+    ProxyPreserveHost On
+    RewriteCond %{HTTP:Upgrade} websocket [NC]
+    RewriteCond %{HTTP:Connection} upgrade [NC]
+    RewriteRule .* "ws://localhost:11000/$1" [P,L]
+    ProxyPass / http://localhost:11000/
+    ProxyPassReverse / http://localhost:11000/
+
+    # Enable h2, h2c and http1.1
+    Protocols h2 h2c http/1.1
+
+    # SSL
+    SSLEngine on
+    Include /etc/letsencrypt/options-ssl-apache.conf
+    SSLCertificateFile /etc/letsencrypt/live/<your-nc-domain>/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/<your-nc-domain>/privkey.pem
+
+    # Disable HTTP TRACE method.
+    TraceEnable off
+    <Files ".ht*">
+        Require all denied
+    </Files>
+</VirtualHost>
+```
+
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+
+To make the config work you can run the following command:
+`sudo a2enmod rewrite proxy proxy_http proxy_wstunnel ssl headers http2`
+
+</details>
+
+### Caddy (Recommended)
 
 <details>
 
@@ -24,12 +83,11 @@ Add this to your Caddyfile:
 
 ```
 https://<your-nc-domain>:443 {
-    header Strict-Transport-Security max-age=31536000;
     reverse_proxy localhost:11000
 }
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 </details>
 
@@ -58,7 +116,7 @@ location / {
     }
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 </details>
 
@@ -122,7 +180,7 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
             [http.services.nc-svc.loadBalancer]
                 passHostHeader = true
                 [[http.services.nc-svc.loadBalancer.servers]]
-                    url = "http://locahost:11000"
+                    url = "http://localhost:11000"
     ```
 
 2. Add to the bottom of the `middlewares.toml` file in the Treafik rules folder the following content:
@@ -132,10 +190,6 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
         [http.middlewares.nc-middlewares-secure-headers.headers]
             hostsProxyHeaders = ["X-Forwarded-Host"]
             sslRedirect = true
-            stsSeconds = 63072000
-            stsIncludeSubdomains = true
-            stsPreload = true
-            forceSTSHeader = true
             referrerPolicy = "same-origin"
             X-Robots-Tag = "none"
     ```
@@ -150,7 +204,7 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
 
 ---
 
-Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 </details>
 
@@ -242,7 +296,7 @@ https://<your-nc-domain>:8443 {
 }
 ```
 
-Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 Afterwards should the AIO interface be accessible via `https://ip.address.of.the.host:8443`. You can alternatively change the domain to a different subdomain by using `https://<your-alternative-domain>:443` instead of `https://<your-nc-domain>:8443` in the Caddyfile and use that to access the AIO interface.
 
@@ -251,5 +305,5 @@ If something does not work, follow the steps below:
 1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom!
 1. Make sure that the reverse proxy is running on the host OS or if running in a container, connected to the host network. If that is not possible, substitute `localhost` in the default configurations by the ip-address that you can easily get when running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (The command only works on Linux)
 1. Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like `/var/run/docker.sock` but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. You can have a look at them by running `sudo docker logs nextcloud-aio-mastercontainer` after the container is started the first time.
-1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z locahost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `locahost` the ip-address of the host here for the test.
+1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z localhost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `localhost` the ip-address of the host here for the test.
 1. Try to configure everything from scratch if it still does not work!