My browser shows a mixed content warning (Connection is Not Secure)
If you are serving your Nextcloud over HTTPS your browser will very likely warn you with a yellow warnings sign about your connection not being secure.
Chrome will show no green HTTPS lock sign, Firefox will show you the following image
Note that this warning is not red and won't block the page like the following images which signal a serious issue:
What is the cause of the (yellow) error message
This warning is caused by mixed passive content and means that your page loads passive resources from non HTTPS resources, such as:
This allows a possible attacker to perform a MITM (man-in-the-middle) attack by serving you different images or audio/video.
Why doesn't the News app fix it
The News app fully prevents mixed active content by only allowing HTTPS iframes from known locations; other possible mixed active content elements such as <script> are stripped from the feed. Because images and audio/video are an integral part of a feed, we can not simply strip them.
Since an attacker can not execute code in contrast to mixed active content, but only replace images/audio/video in your feed reader, this is not considered to be a security issue. If, for whatever reason (e.g. feed which would allow fishing), this is a security problem for you, contact the specific feed provider and ask him to serve his feed content over HTTPS.
Why don't you simply use an HTTPS image/audio/video proxy
For the same reason that we can't fix non HTTPS websites: It does not fix the underlying issue but only silences it. If you are using an image HTTPS proxy, an attacker can simply attack your image proxy since the proxy fetches insecure content. Even worse: if your image proxy serves these images from the same domain as your Nextcloud installation you are vulnerable to XSS via SVG images. In addition, people feel safe when essentially they are not.
Since most people don't understand mixed content and don't have two domains and a standalone server for the image proxy, it is very likely they will choose to host it under the same domain.
Because we care about our users' security and don't want to hide security warnings, we won't fix (aka silence) this issue.
The only fix for this issue is that feed providers serve their content over HTTPS.
I am getting: Exception: Some\Class does not exist errors in my nextcloud.log
This is very often caused by missing or old files, e.g. by failing to upload all the News app files or errors during installation. Before you report a bug, please recheck if all files from the archive are in place and accessible.
Feeds not updated
Feeds can be updated using Nextcloud's system cron or an external updater via the API The feed update is not run in Webcron and AJAX cron mode!
- Check if you are using the system cron (Cron) setting on the admin page. AJAX and Web cron will not update feeds
- Check if the cronjob exists with crontab -u www-data -e (replace www-data with your httpd user)
- Check the file permissions of the cron.php file and if www-data (or whatever your httpd user is called like) can read and execute that script
- Check if you can execute the cron with sudo -u www-data php -f nextcloud/cron.php (replace www-data with your httpd user)
- Check your data/nextcloud.log for errors
- Check if the cronjob is ever executed by placing an error_log('updating'); in the background job file. If the cronjob runs, there should be an updating log statement in your httpd log.
- If there is no updating statement in your logs check if your cronjob is executed by executing a different script
- Check if the oc_jobs table has a reserved_at entry with a value other than 0. If it does for whatever reason, set it to 0. You can check this by executing:
SELECT * from oc_jobs WHERE class LIKE '%News%' ORDER BY id;
You will get two rows where column
reserved_at by executing
UPDATE oc_jobs SET reserved_at = 0 WHERE id = <id from above SELECT statement>;
- If your cron works fine, but Nextcloud's cronjobs are never executed, file a bug in server
- Check if your configuration is set to not use the system cron.
- Consult the documentation of the updater
- Check your data/nextcloud.log for errors
Adding feeds that use self-signed certificates
If you want to add a feed that uses a self-signed certificate that is not signed by a trusted CA the request will fail with "SSL certificate is invalid". A common solution is to turn off the certificate verification which is wrong and makes your installation vulnerable to MITM attacks. Therefore turning off certificate verification is not supported.
If you have control over the feed in question, consider signing your certificate for free on one of the following providers:
If you do not have control over the chosen feed, you should download the certificate from the feed's website and add it to your server's trusted certificates. The exact procedure however may vary depending on your distribution.
Is There An Subscription URL To Easily Subscribe To Feeds
By appending ?subscribe_to=SOME_URL to your News app URL, you can launch the News app with a pre-filled URL, e.g.:
Database table grows too big
By default, Nextcloud News purges old news items above a certain threshold each time it fetches new news items. The maximum number of items per feed
that should be kept during the purging can be defined through the “Maximum read count per feed” setting in the admin UI or the
value in the config. (Note: The “Purge interval” (
autoPurgeMinimumInterval) setting is ignored and does not have any effect.)
However, unread or starred items are exempt from the purging. If your users have subscribed to some high-volume feeds where a lot of items remain unread, this can lead to an oversized news table over time. As a consequence, the database upgrade of the news app can take several hours, during which Nextcloud cannot be used.
occ news:updater:after-update [--purge-unread] [<purge-count>] can be used to manually purge old news items across the instance. With
--purge-unread option, unread items are also purged (starred items are still exempt). If
purge-count is not specified, the configured
autoPurgeCount is used.
The purge count only applies to the items that are purged. For example, when purging a feed that has 100 unread items, 100 starred read
items and 100 unstarred read items, using a
purge-count of 50 would keep all unread and starred items and the latest 50 read items. Using
purge-count of 50 along with
--purge-unread would keep the all starred items plus the latest 50 from the set of unread and read items.