caprover / one-click-apps

Community Maintained One Click Apps (https://github.com/caprover/caprover)
Apache License 2.0

App Issue: NEXTCLOUD #1138

Closed: coffseducation closed 1 month ago

coffseducation commented 2 months ago

Nextcloud Admin - Overview Security & setup warnings

There are some warnings regarding your setup.

Your web server is not properly set up to resolve `.well-known` URLs, failed on: `/.well-known/caldav` For more details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-setup-well-known-URL).

I cannot seem to resolve this. I followed this CapRover thread where this issue was resolved but it is not working for me!

Perhaps I missed something? Perhaps the config now needs changing?

Why also is the error only for caldav but not for carddav?

Here is my code:

```nginx
<%
if (s.forceSsl) {
%>
    server {

        listen       80;

        server_name  <%-s.publicDomain%>;

        # Used by Lets Encrypt
        location /.well-known/acme-challenge/ {
            root <%-s.staticWebRoot%>;
        }

        # Used by CapRover for health check
        location /.well-known/captain-identifier {
            root <%-s.staticWebRoot%>;
        }

        location / {
            return 302 https://$http_host$request_uri;
        }
    }
<%
}
%>

server {

    <%
    if (!s.forceSsl) {
    %>
        listen       80;
    <%
    }
    if (s.hasSsl) {
    %>
        listen              443 ssl http2;
        ssl_certificate     <%-s.crtPath%>;
        ssl_certificate_key <%-s.keyPath%>;
    <%
    }
    %>

        client_max_body_size 500m;

        server_name  <%-s.publicDomain%>;

        # 127.0.0.11 is DNS set up by Docker, see:
        # https://docs.docker.com/engine/userguide/networking/configure-dns/
        # https://github.com/moby/moby/issues/20026
        resolver 127.0.0.11 valid=10s;
        # IMPORTANT!! If you are here from an old thread to set a custom port, you do not need to modify this port manually here!!
        # Simply change the Container HTTP Port from the dashboard HTTP panel
        set $upstream http://<%-s.localDomain%>:<%-s.containerHttpPort%>;

        location / {

    <%
    if (s.redirectToPath) {
    %>
        return 302 <%-s.redirectToPath%>;
    <%
    } else {
    %>

            <%
            if (s.httpBasicAuthPath) {
            %>
                auth_basic           "Restricted Access";
                auth_basic_user_file <%-s.httpBasicAuthPath%>;
            <%
            }
            %>

                proxy_pass $upstream;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

            <%
            if (s.websocketSupport) {
            %>
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;
            <%
            }
            %>

    <%
    }
    %>

        }

        location = /.well-known/carddav {
          return 301 $scheme://$host:$server_port/remote.php/dav;
        }

        location = /.well-known/caldav {
          return 301 $scheme://$host:$server_port/remote.php/dav;
        }

        # Used by Lets Encrypt
        location /.well-known/acme-challenge/ {
            root <%-s.staticWebRoot%>;
        }

        # Used by CapRover for health check
        location /.well-known/captain-identifier {
            root <%-s.staticWebRoot%>;
        }

        error_page 502 /captain_502_custom_error_page.html;
        location = /captain_502_custom_error_page.html {
                root <%-s.customErrorPagesDirectory%>;
                internal;
        }
}
```

githubsaturn commented 1 month ago

Run a curl command and try to hit caldav endpoint and see if the redirect is happening

coffseducation commented 1 month ago

> Run a curl command and try to hit caldav endpoint and see if the redirect is happening

Thanks very much for the reply! I am not sure if I am doing it right but here is what I get:

```console
 ╭─anarcho@Vampa in ~ via △ v3.30.0 via  via  took 10ms
 ╰─λ curl -I http://89.40.1.227/well-known/caldav
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 22 Jul 2024 00:58:48 GMT
Content-Type: text/html
Content-Length: 2401
Connection: keep-alive
ETag: "6649f9fd-961"

 ╭─anarcho@Vampa in ~ via △ v3.30.0 via  via  took 958ms
 ╰─λ curl -I https://nextcloud.console.barkingbandicoot.academy/well-known/caldav
HTTP/2 404 
server: nginx
date: Mon, 22 Jul 2024 01:01:22 GMT
content-type: text/html; charset=UTF-8
content-length: 4675
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
x-powered-by: PHP/8.2.21
set-cookie: oc7w78gkmdm7=6969904649969ce08a7f708a1cd4c690; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=dBISeGoZkXifYu%2FEfiF6h%2FQDN3OBQnNigAR4NhV%2F17zEpRtOVudAy1EyMZOt7MxnShA9IGjHQLQUNZnr%2BS2XpvLtuXZoOjt3Ip6iw%2FklGCfjmn56FOlXIdpBh4mowyuD; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: oc7w78gkmdm7=6969904649969ce08a7f708a1cd4c690; path=/; secure; HttpOnly; SameSite=Lax
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-dHU2NkNua2VoYmswTVRta2piVG9ESWZkbXoyMTQxb05aeWZEeW8ranVWbz06eGJmeFp4NXQ2OTUrYTFYVng4SEhhOTYwM2tUYTFUSStFSFMwakw3VmtoRT0=' blob:;script-src-elem 'strict-dynamic' 'nonce-dHU2NkNua2VoYmswTVRta2piVG9ESWZkbXoyMTQxb05aeWZEeW8ranVWbz06eGJmeFp4NXQ2OTUrYTFYVng4SEhhOTYwM2tUYTFUSStFSFMwakw3VmtoRT0=' blob:;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443;media-src 'self' blob:;frame-src 'self';child-src blob: 'self';frame-ancestors 'self';worker-src blob: 'self';form-action 'self'
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: oc7w78gkmdm7=6969904649969ce08a7f708a1cd4c690; path=/; secure; HttpOnly; SameSite=Lax
x-request-id: xFpI3rUW9dMZrRS75oom
feature-policy: autoplay 'self';camera 'self';fullscreen 'self';geolocation 'none';microphone 'self';payment 'none'
strict-transport-security: max-age=15552000; includeSubDomains
```

githubsaturn commented 1 month ago

It's `.well-known` not `well-known` - if you use the correct URL, you'll see that the redirect is being handled correctly:

```console
 ~ curl -I https://nextcloud.console.barkingbandicoot.academy/.well-known/carddav

HTTP/2 301 
server: nginx
date: Mon, 22 Jul 2024 01:36:07 GMT
content-type: text/html
content-length: 162
location: https://nextcloud.console.barkingbandicoot.academy:443/remote.php/dav
```

githubsaturn commented 1 month ago

So your nginx configurations are right. You just need to follow up with NextCloud support to see what the problem is.

coffseducation commented 1 month ago

> So your nginx configurations are right. You just need to follow up with NextCloud support to see what the problem is.

Ok, thanks for your assistance Kasra! 🙏
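
The curl check discussed in this thread, written as an added example that is not part of the original issue or of CapRover: it validates the probe path first (the missing leading dot was the mistake above) and then classifies the `curl -sI` headers. The function names and the host `nextcloud.example.test` are assumptions made for illustration, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Host names below are constructed.

# Succeeds only for the two DAV discovery paths the nginx config redirects.
# Rejects /well-known/caldav (no leading dot), the typo seen in the thread.
check_probe_path() {
    case "$1" in
        /.well-known/caldav|/.well-known/carddav) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `curl -sI` output on stdin and prints one verdict line:
#   ok:<location>            redirect to .../remote.php/dav
#   wrong-target:<location>  redirect, but to somewhere else
#   no-redirect:<status>     e.g. a 404 served by nginx or by Nextcloud itself
classify_headers() {
    awk '
        { sub(/\r$/, "") }                       # curl prints CRLF line ends
        NR == 1 { status = $2 }                  # "HTTP/2 301" or "HTTP/1.1 404 Not Found"
        tolower($1) == "location:" { loc = $2 }  # HTTP/2 header names are lowercase
        END {
            if (status !~ /^30[1278]$/)              print "no-redirect:" status
            else if (loc ~ /\/remote\.php\/dav\/?$/) print "ok:" loc
            else                                     print "wrong-target:" loc
        }'
}

# probe BASE_URL PATH: live check; needs network access and curl.
probe() {
    check_probe_path "$2" || { echo "bad-path:$2"; return 2; }
    curl -sI --max-time 10 "$1$2" | classify_headers
}

# Constructed sample responses, shaped like the two outcomes in the thread.
sample_redirect() {
    printf 'HTTP/2 301 \r\nserver: nginx\r\nlocation: https://nextcloud.example.test:443/remote.php/dav\r\n\r\n'
}
sample_not_found() {
    printf 'HTTP/2 404 \r\nserver: nginx\r\nx-powered-by: PHP/8.2.21\r\n\r\n'
}

sample_redirect  | classify_headers
sample_not_found | classify_headers
probe https://nextcloud.example.test /well-known/caldav || true
```

Run `probe` once per path (`/.well-known/caldav` and `/.well-known/carddav`) against the public domain; an `ok:` verdict for both means the reverse proxy is answering the discovery URLs.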