crazy-max / docker-nextcloud

Nextcloud Docker image
MIT License

WebDAV & Traefik subfolder #7

Closed Numline1 closed 5 years ago

Numline1 commented 5 years ago

Hello! First of all, thanks for an awesome package, I finally managed to find one decent and working docker image for Nextcloud!

I'm running my own docker compose setup. The Nextcloud container is running in a subfolder at https://local.domain/nextcloud. I managed to use Traefik for this, the config looks something like this:

    labels:
      - "traefik.enable=true"
      - "traefik.backend=nextcloud"
      - "traefik.port=80"
      - "traefik.frontend.redirect.regex=^(.*)/nextcloud$$"
      - "traefik.frontend.redirect.replacement=$$1/nextcloud/"
      - "traefik.frontend.rule=PathPrefix: /nextcloud; ReplacePathRegex: ^/nextcloud/(.*) /$$1"

All was fine until this point, until I tried to use WebDAV. The example from this repo didn't quite cut it, since it's meant to be used for a subdomain, not a subfolder. Besides, the current rules should suffice.

Then I did some digging and found nginx.conf which has these lines in it:

        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }

which basically forces the redirect back to "/" (https://local.domain/remote.php/dav) instead of /nextcloud/...

There is currently no way to rewrite this rule. I had to cat the nginx.conf file, save it on a host, update it to be something like this:

        location = /.well-known/carddav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
        }

and then mount it, read only, because it kept getting rewritten, and that solved the issue.

Proposed solution: Either finding a traefik rule that would work or allowing an env variable that'd be able to do this dynamically.

The other issue I found is basically forcing HSTS. This kinda screwed me over, because it feels slightly too opinionated for a Nextcloud image to force HSTS (and permanent redirects as well, although that's more understandable). It resulted in my entire domain being HSTS enabled, which blocked access to non-TLS services, including Traefik Web UI :(

Anyway, that's all my feedback, hopefully something can be worked out :) Thanks again!

crazy-max commented 5 years ago

Hi @Numline1, indeed if you use this image under a subfolder it can hurt :) I think the env var can fix this. I will do some digging around this. Thanks for your input.

crazy-max commented 5 years ago

Ok according to https://docs.nextcloud.com/server/stable/admin_manual/issues/general_troubleshooting.html#service-discovery and https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx we have to handle subfolder if defined.

Numline1 commented 5 years ago

The second link you posted is the setup I went for (adding /nextcloud) to the redirect URL in nginx config. That works, WebDAV is accessible (although I still can't write files to it, but that's probably a separate issue with Windows and MacOS WebDAV implementations). Nextcloud still shows a warning in the admin section, saying the WebDAV paths are not properly configured, but as I mentioned, it's properly accessible. No further Traefik rules were needed besides the ones in the original post :)

crazy-max commented 5 years ago

@Numline1 Ok, can you post your traefik rules and nginx.conf? I'm working on a better way to impl this.

Numline1 commented 5 years ago

Hey @crazy-max and happy holidays :) Sure, here's my docker-compose section for Nextcloud (I removed the MariaDB, Redis and cron parts)

    nextcloud:
        image: crazymax/nextcloud:latest
        container_name: nextcloud
        restart: always
        depends_on:
          - nextcloud-mariadb
          - nextcloud-redis
        volumes:
          - ~/docker/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
          - "/mnt/alien-storage-1/nextcloud:/data"
        labels:
          - "traefik.enable=true"
          - "traefik.backend=nextcloud"
          - "traefik.port=80"
          - "traefik.frontend.redirect.regex=^(.*)/nextcloud$$"
          - "traefik.frontend.redirect.replacement=$$1/nextcloud/"
          - "traefik.frontend.rule=PathPrefix: /nextcloud; ReplacePathRegex: ^/nextcloud/(.*) /$$1"
        environment:
          - TZ=${TZ}
          - MEMORY_LIMIT=512M
          - UPLOAD_MAX_SIZE=2048M
          - OPCACHE_MEM_SIZE=128
          - APC_SHM_SIZE=128M
          - DB_TYPE=mysql
          - DB_HOST=nextcloud-mariadb
          - DB_NAME=nextcloud
          - DB_USER=nextcloud
          - DB_PASSWORD=${NEXTCLOUD_MARIADB_PASSWORD}

Here's the affected section in Nginx

        location = /.well-known/carddav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
        }

        location = /.well-known/caldav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
        }

(I just updated the conf and statically linked it to the container, overwriting the one in /etc/nginx...)

Hope it helps :)
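A simplified model of the redirect problem discussed in this thread, as an added example (not code from the image or from any commenter). It assumes the client starts at https://local.domain/nextcloud/.well-known/caldav and reduces the Traefik `PathPrefix` and `ReplacePathRegex` rules to a prefix test and one regex substitution; the function names are made up for the illustration.

```python
import re
from urllib.parse import urlsplit

PREFIX = "/nextcloud"  # value of the PathPrefix rule in the labels above


def traefik_route(path):
    """Model of 'PathPrefix: /nextcloud; ReplacePathRegex: ^/nextcloud/(.*) /$1'.
    Returns the path handed to the backend, or None when the rule does not match."""
    if not path.startswith(PREFIX):
        return None
    return re.sub(r"^/nextcloud/(.*)", r"/\1", path)


def nginx_well_known(path, scheme, host, webroot=""):
    """Model of the two exact-match 'location = /.well-known/...' blocks.
    webroot="" is the stock config, webroot="/nextcloud" the edited one."""
    if path in ("/.well-known/carddav", "/.well-known/caldav"):
        return f"{scheme}://{host}{webroot}/remote.php/dav"
    return None


def discover(url, webroot=""):
    """Follow one service-discovery redirect and report where it lands."""
    parts = urlsplit(url)
    backend_path = traefik_route(parts.path)
    if backend_path is None:
        return {"location": None, "backend_path": None}
    location = nginx_well_known(backend_path, parts.scheme, parts.hostname, webroot)
    if location is None:
        return {"location": None, "backend_path": backend_path}
    # The client now requests the Location URL, which must pass Traefik again.
    return {"location": location,
            "backend_path": traefik_route(urlsplit(location).path)}


START = "https://local.domain/nextcloud/.well-known/caldav"  # assumed entry URL
print(discover(START))                        # stock redirect leaves the prefix
print(discover(START, webroot="/nextcloud"))  # edited redirect stays routable
```

With the stock redirect the second request no longer matches the frontend rule, so it never reaches the Nextcloud backend; with the prefixed redirect it is routed and stripped back to `/remote.php/dav`.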

enchained commented 5 years ago

@Numline1 did you already have your nextcloud set up? When I use your settings and go to https://mydomain.com/nextcloud/ it shows up admin account creation page, but without any js or styles, they are 404 in the Network tab and are trying to load without /nextcloud/ subdirectory. You didn't change anything else in that nginx.conf? I saw other differences in manual in the subdomain vs subdir, but if I add "nextcloud" to everywhere where it is in the second variant, https://mydomain.com/nextcloud/ just says "File not found". If I add it just to the two last ones (with js, css and pics) in addition to yours, I'm still getting 404 on them for some reason... Maybe someone will have any idea how to fix that?

Numline1 commented 5 years ago

@enchained oh yeah, I forgot about one more thing. The config.php in your /data/config directory should have a

  'overwritewebroot' => '/nextcloud',

line added to it. This'll tell the Nextcloud app itself it's running from a subdirectory.

Nextcloud 15 doc reference - https://docs.nextcloud.com/server/15/admin_manual/configuration_server/reverse_proxy_configuration.html

enchained commented 5 years ago

@Numline1 Thank you so much! Totally forgot about that one too. I've been trying for days to set up Nextcloud in the subdirectory using official container but had no luck (its compose even screwed my other services too due to nginx-proxy bug about ignoring HSTS env vars completely). But now everything finally works thanks to you and @crazy-max of course. Even the HSTS issue is fixed after I changed env var HSTS_HEADER to max-age=0; includeSubDomains. I also was able to successfully upload files via webdav from windows 10 using netdrive.

enchained commented 5 years ago

@Numline1 another question - is your certificate valid with this subdirectory setup? Cause mine is not: chrome says NET::ERR_CERT_AUTHORITY_INVALID and its name is TRAEFIK DEFAULT CERT

Numline1 commented 5 years ago

@enchained depends. The certificate I use in Traefik is a Let's Encrypt certificate. I use DNS challenge instead of HTTP challenge to face the fact I'm using a local domain.

ERR_CERT_AUTHORITY_INVALID usually means your certificate is self signed, hence the browser warning you're getting.

crazy-max commented 5 years ago

@Numline1 Thanks for your input, I will put changes to the image asap

crazy-max commented 5 years ago

Check the latest CHANGELOG

Numline1 commented 5 years ago

@crazy-max nicely done, thanks :) 👍