
⛴ Docker image of Nextcloud
https://hub.docker.com/_/nextcloud/
GNU Affero General Public License v3.0

nextcloud update 21 error message with /.well-known/webfinger & /.well-known/nodeinfo #1443

Closed RedJohn14 closed 3 years ago

RedJohn14 commented 3 years ago

After I upgraded my Nextcloud to version 21 I have these error messages:

I see these error messages in the Chrome developer console (Console tab):

overview:1 Refused to connect to 'http://mynextcloud.de/index.php/.well-known/webfinger' because it violates the following Content Security Policy directive: "connect-src 'self'".

overview:1 Refused to connect to 'http://mynextcloud.de/index.php/.well-known/nodeinfo' because it violates the following Content Security Policy directive: "connect-src 'self'".

I have the following config in use:

- one docker container with nextcloud:fpm-alpine
- one docker container with nginx:alpine, with the nginx config from here: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
- one docker container with traefik

the nginx container has some traefik 2 labels like these:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-app.entrypoints=http"
      - "traefik.http.routers.nextcloud-app.rule=Host(`mynextcloud.de`)"
      - "traefik.http.middlewares.nextcloud-app-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-app-https-redirect"
      - "traefik.http.routers.nextcloud-app-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-app-secure.rule=Host(`mynextcloud.de`)"
      - "traefik.http.routers.nextcloud-app-secure.tls=true"
      - "traefik.http.routers.nextcloud-app-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-app-secure.service=nextcloud-app"
      - "traefik.http.services.nextcloud-app.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.nextcloud-app-secure.middlewares=nextcloud-dav,secHeaders@file"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"

(https://goneuland.de/nextcloud-server-mit-docker-compose-und-traefik-installieren/)

Nextcloud opens without errors, BUT in the overview I have these error messages:

Dein Web-Server ist nicht richtig eingerichtet um "/.well-known/webfinger" aufzulösen. Weitere Informationen findest Du in der Dokumentation.
Dein Web-Server ist nicht richtig eingerichtet um "/.well-known/nodeinfo" aufzulösen. Weitere Informationen findest Du in der Dokumentation.

Any ideas how to fix this? I have been searching for some days now ... :-( These error messages appeared after the Nextcloud 21 update.

gibald commented 3 years ago

I managed to correct the error, but maybe there is something better to do. Traefik needs to manage the redirection; here are the interesting labels:

      - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav, nextcloud-wellknown"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-wellknown.replacepathregex.regex=^(/.well-known.*)"
      - "traefik.http.middlewares.nextcloud-wellknown.replacepathregex.replacement=/index.php$${1}"
RedJohn14 commented 3 years ago

> I managed to correct the error, but maybe there is something better to do. Traefik needs to manage the redirection; here are the interesting labels:
>
>       - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav, nextcloud-webfinger"
>       - "traefik.http.middlewares.nextcloud-dav.redirectregex.regex=/.well-known/(card|cal)dav"
>       - "traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=/remote.php/dav/"
>       - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=^https://mynextcloud.com(/.well-known.*)"
>       - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://mynextcloud.com/index.php$${1}"

@gibald Thanks for your answer ;-) I have tested the labels like this:

      traefik.http.routers.nc-nxtc.middlewares: nc-nxtc, nc-dav, nc-webfinger, nc-sslheaders
      # # Middleware cloud adds additional headers:
      traefik.http.middlewares.nc-nxtc.headers.customFrameOptionsValue: SAMEORIGIN
      traefik.http.middlewares.nc-nxtc.headers.framedeny: true
      traefik.http.middlewares.nc-nxtc.headers.sslredirect: true
      traefik.http.middlewares.nc-nxtc.headers.stsIncludeSubdomains: true
      traefik.http.middlewares.nc-nxtc.headers.stsPreload: true
      traefik.http.middlewares.nc-nxtc.headers.stsSeconds: 15552000
      traefik.http.middlewares.nc-sslheaders.headers.customRequestHeaders.X-Forwarded-Proto: https

      traefik.http.middlewares.nc-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
      traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
      traefik.http.middlewares.nc-webfinger.redirectregex.regex: ^https://mynextcloud.com(/.well-known.*)
      traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php$${1}

BUT I still have the "error" messages in the Nextcloud web interface. :-(

Any idea? Can you share your config with me? I have used the new nginx config from here:

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

Traefik makes the SSL connections and connects to Nextcloud via HTTP in the backend (container).

jokay commented 3 years ago

@gibald thx this works for me, but any chance the https://mynextcloud.com/ part can be generic as well?

I tried this, without success ...

- traefik.http.middlewares.nextcloud-dav.redirectregex.regex=/.well-known/ca(rd|l)dav
- traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=/remote.php/dav/
- traefik.http.middlewares.nextcloud-wellknown.redirectregex.regex=/.well-known/(.*)
- traefik.http.middlewares.nextcloud-wellknown.redirectregex.replacement=/index.php$${1}

and

- traefik.http.middlewares.nextcloud-wellknown.redirectregex.regex=/.well-known/(webfinger|nodeinfo)
- traefik.http.middlewares.nextcloud-wellknown.redirectregex.replacement=/index.php$${1}
RedJohn14 commented 3 years ago

> @gibald thx this works for me, but any chance the https://mynextcloud.com/ part can be generic as well?

@jokay Did you use nginx with fpm? Can you share your traefik config and nginx config with me? Any special settings in Nextcloud? My config still has the error even with these changes ... :-(

gibald commented 3 years ago

I have the new nginx config too. I'm pretty sure you have to remove the "^" before "/.well-known/ca(l|rd)dav". It gives you an error with "/.well-known/caldav", no? Try with the double "$", like: traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php${1}

I need it because I'm using another style, you are using yaml.

> @gibald thx this works for me, but any chance the https://mynextcloud.com/ part can be generic as well?

Maybe with a better regex. I added the host because I got a loop like /index.php/index.php/index.php/index.php/.well-known/webfinger

jokay commented 3 years ago

> @jokay Did you use nginx with fpm? Can you share your traefik config and nginx config with me? Any special settings in Nextcloud? My config still has the error even with these changes ... :-(

yes, with nginx config from official documentation, adapted to serve on http only (same setup as you).

I suspect the ^ as well, like @gibald already wrote.

jokay commented 3 years ago

@RedJohn14 this is the config I use:

This is the nginx confd

upstream php-handler {
    server fpm:9000;
    #server unix:/var/run/php/php7.4-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name {your-domain-for-nextcloud};

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/html;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

and traefik labels I use

labels:
  - traefik.enable=true
  - traefik.http.routers.nextcloud.entrypoints=https
  - traefik.http.routers.nextcloud.tls=true
  - traefik.http.routers.nextcloud.rule=Host(`{your-domain-for-nextcloud}`)
  - traefik.http.services.nextcloud.loadbalancer.server.port=80
  - traefik.http.middlewares.nextcloud-dav.redirectregex.regex=/.well-known/ca(rd|l)dav
  - traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=/remote.php/dav/
  - traefik.http.middlewares.nextcloud-wellknown.redirectregex.regex=^https://{your-domain-for-nextcloud}(/.well-known.*)
  - traefik.http.middlewares.nextcloud-wellknown.redirectregex.replacement=https://{your-domain-for-nextcloud}/index.php$${1}
  - traefik.http.routers.nextcloud.middlewares=nextcloud-dav@docker,nextcloud-wellknown@docker
RedJohn14 commented 3 years ago

> I have the new nginx config too. I'm pretty sure you have to remove the "^" before "/.well-known/ca(l|rd)dav". It gives you an error with "/.well-known/caldav", no? Try with the double "$", like: traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php${1}
>
> I need it because I'm using another style, you are using yaml.
>
> > @gibald thx this works for me, but any chance the https://mynextcloud.com/ part can be generic as well?
>
> Maybe with a better regex. I added the host because I got a loop like /index.php/index.php/index.php/index.php/.well-known/webfinger

@gibald @jokay Okay, I have now edited my config (yes, I see that you used some other .yml style).

      traefik.http.middlewares.nc-dav.replacepathregex.regex: /.well-known/ca(l|rd)dav
      traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
      traefik.http.middlewares.nc-webfinger.redirectregex.regex: https://mynextcloud.com(/.well-known.*)
      traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php$${1}

BUT I have still the error :-( any ideas? Sorry ...

gibald commented 3 years ago

edit: Ok doubled $ for escaping is needed for you as well

jokay commented 3 years ago

@RedJohn14 strange.. can you compare the configs I posted?


The only warning I still get is for php-imagick which is already discussed here.

RedJohn14 commented 3 years ago

> try:
>
>       traefik.http.middlewares.nc-dav.replacepathregex.regex: /.well-known/ca(l|rd)dav
>       traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
>       traefik.http.middlewares.nc-webfinger.redirectregex.regex: https://mynextcloud.com(/.well-known.*)
>       traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php${1}
>
> I only removed one $ at the end

@gibald With this setting I have this error message:

Invalid interpolation format for "labels" option in service "nginx-nc": "https://mynexcloud.com/index.php${1}"

RedJohn14 commented 3 years ago

> @RedJohn14 strange.. can you compare the configs I posted?
>
> The only warning I still get is for php-imagick which is already discussed here.

@jokay Yes, I compared the configs, you are using the same configs, I only have the "other" .yml style and still have the error ... :-(

Yes, I have the other issue too, but I can fix it manually. Any idea how to install php-imagick in nextcloud-fpm-alpine?

RedJohn14 commented 3 years ago

> What about setting your domain instead of ~mynexcloud.com~?

@gibald @jokay

Yes, I have inserted my domain in my .yml config, but if I try docker-compose up -d I get this error message:

error message: Invalid interpolation format for "labels" option in service "nginx-nc": "https://mynextcloud.com/index.php${1}"

label config:

      traefik.http.middlewares.nc-dav.replacepathregex.regex: /.well-known/ca(l|rd)dav
      traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
      traefik.http.middlewares.nc-webfinger.redirectregex.regex: https://mynextcloud.com(/.well-known.*)
      traefik.http.middlewares.nc-webfinger.redirectregex.replacement: https://mynextcloud.com/index.php${1}

I think my label config is somewhat different from yours. Any idea what my mistake is?

jokay commented 3 years ago

Well then I'm out of ideas 😉

gibald commented 3 years ago

Your error Invalid interpolation format for "labels" option in service "nginx-nc": "https://mynextcloud.com/index.php${1}" is because of my bad idea, you also need the double $ for escaping.

You can try :

traefik.http.middlewares.nc-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
traefik.http.middlewares.nc-webfinger.replacepathregex.regex: ^(/.well-known.*)
traefik.http.middlewares.nc-webfinger.replacepathregex.replacement: /index.php$${1}

I updated my solution, I didn't see the difference between RedirectRegex and ReplacePathRegex
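
To make the thread's findings concrete, here is a small Python model of Traefik's RedirectRegex and ReplacePathRegex middlewares and of docker-compose's `$$` escaping (an added example; not code from the thread, from Traefik or from Nextcloud). It reproduces gibald's /index.php/index.php/... loop with an unanchored RedirectRegex, shows why the host anchor stops it, why `^` in a RedirectRegex never matches but is correct in a ReplacePathRegex, and why `${1}` fails compose interpolation. `HOST`, the first-match redirect chain and the simplified compose rules are assumptions of the model.

```python
import re

# Constructed model of two Traefik v2 middlewares (not Traefik's own code).
# Like Traefik, both use Go regexp.ReplaceAllString semantics:
#   RedirectRegex     matches the FULL request URL and answers with a Location header
#   ReplacePathRegex  rewrites only the PATH inside the proxy; the client sees nothing
HOST = "https://mynextcloud.com"   # assumed host, as in the thread's examples


def _go_repl_to_py(replacement: str) -> str:
    """Translate Go's $1 / ${1} group references into Python's \\g<1>."""
    return re.sub(r"\$\{(\d+)\}|\$(\d+)",
                  lambda m: r"\g<%s>" % (m.group(1) or m.group(2)), replacement)


def redirect_regex(url: str, regex: str, replacement: str):
    """RedirectRegex: if regex matches anywhere in the URL, return the Location, else None."""
    rx = re.compile(regex)
    return rx.sub(_go_repl_to_py(replacement), url) if rx.search(url) else None


def replace_path_regex(path: str, regex: str, replacement: str) -> str:
    """ReplacePathRegex: rewrite the path in place (unchanged if regex does not match)."""
    return re.sub(regex, _go_repl_to_py(replacement), path)


def follow_redirects(url: str, rules, limit: int = 5):
    """Chase RedirectRegex responses like a browser; the first matching rule wins per hop.
    Returns the list of URLs visited; reaching `limit` hops means the rules loop."""
    hops = [url]
    for _ in range(limit):
        nxt = None
        for regex, replacement in rules:
            nxt = redirect_regex(hops[-1], regex, replacement)
            if nxt:
                break
        if nxt is None or nxt == hops[-1]:
            break
        hops.append(nxt)
    return hops


def rewrite_path(path: str, rules) -> str:
    """Apply a ReplacePathRegex chain in router order (nc-dav before nc-wellknown)."""
    for regex, replacement in rules:
        path = replace_path_regex(path, regex, replacement)
    return path


# 1) Unanchored RedirectRegex: the Location still contains "/.well-known", so the
#    same rule fires on the next request too -> /index.php/index.php/... (gibald's loop)
LOOPING_RULES = [(r"(/.well-known.*)", "/index.php${1}")]

# 2) gibald's host-anchored RedirectRegex: after the first hop the path starts
#    with /index.php, so "^https://host(/.well-known" cannot match again.
ANCHORED_RULES = [
    (r"/.well-known/(card|cal)dav", "/remote.php/dav/"),
    ("^" + re.escape(HOST) + r"(/.well-known.*)", HOST + "/index.php${1}"),
]

# 3) Final ReplacePathRegex chain from the thread: path-only, no redirect at all.
#    "^" is right here because the regex sees only the path; the same "^" in a
#    RedirectRegex never matches, since that regex runs against "https://...".
REPLACEPATH_RULES = [
    (r"^/.well-known/ca(l|rd)dav", "/remote.php/dav/"),
    (r"^(/.well-known.*)", "/index.php${1}"),
]


def compose_label_value(raw: str) -> str:
    """Simplified model of docker-compose interpolation for a label value:
    '$$' yields a literal '$'; '$NAME' / '${NAME}' must name a variable
    ([A-Za-z_][A-Za-z0-9_]*) and is replaced by '' here (unset variable);
    anything else after '$' (such as '${1}') raises the thread's
    'Invalid interpolation format' error."""
    var = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "$":
            out.append(raw[i])
            i += 1
        elif raw.startswith("$$", i):
            out.append("$")
            i += 2
        else:
            m = var.match(raw, i)
            if not m:
                raise ValueError('Invalid interpolation format: "%s"' % raw)
            i = m.end()
    return "".join(out)


if __name__ == "__main__":
    print(follow_redirects(HOST + "/.well-known/webfinger", LOOPING_RULES)[-1])
    print(follow_redirects(HOST + "/.well-known/webfinger", ANCHORED_RULES))
    print(rewrite_path("/.well-known/nodeinfo", REPLACEPATH_RULES))
    print(compose_label_value("/index.php$${1}"))
```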

RedJohn14 commented 3 years ago

> Your error Invalid interpolation format for "labels" option in service "nginx-nc": "https://mynextcloud.com/index.php${1}" is because of my bad idea, you also need the double $ for escaping.
>
> You can try :
>
> traefik.http.middlewares.nc-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
> traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
> traefik.http.middlewares.nc-webfinger.replacepathregex.regex: ^(/.well-known.*)
> traefik.http.middlewares.nc-webfinger.replacepathregex.replacement: /index.php$${1}
>
> I updated my solution, I didn't see the difference between RedirectRegex and ReplacePathRegex

@gibald Okay, I will try. I have now updated my traefik labels to the other style and it fixed the error. I will try your solutions now!

RedJohn14 commented 3 years ago

> Your error Invalid interpolation format for "labels" option in service "nginx-nc": "https://mynextcloud.com/index.php${1}" is because of my bad idea, you also need the double $ for escaping.
>
> You can try :
>
> traefik.http.middlewares.nc-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
> traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
> traefik.http.middlewares.nc-webfinger.replacepathregex.regex: ^(/.well-known.*)
> traefik.http.middlewares.nc-webfinger.replacepathregex.replacement: /index.php$${1}
>
> I updated my solution, I didn't see the difference between RedirectRegex and ReplacePathRegex

Okay, these settings fix my issue too ;-) THANK you very much for your support !!!

jokay commented 3 years ago

> I updated my solution, I didn't see the difference between RedirectRegex and ReplacePathRegex

@gibald works and is generic, thank you very much for this 🎉

ggriffinorg commented 3 years ago

Hi Folks,

TY for all the suggested solutions and time invested. I managed to fix it this way:

Source: https://twatzl.eu/blog/2020-08-01_5_nextcloud/

  - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
  - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
  - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
  - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
  - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
  - "traefik.http.middlewares.nc-header.headers.customFrameOptionsValue=SAMEORIGIN"
  - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
  - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-dav,nc-header"

BR G.

martinezpenya commented 3 years ago

> - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
> - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
> - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
> - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
> - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
> - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
> - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
> - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
> - "traefik.http.middlewares.nc-header.headers.customFrameOptionsValue=SAMEORIGIN"
> - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
> - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-dav,nc-header"

After lot of search this solution worked for me. Thank you!

khartahk commented 3 years ago

Is there a way to do the same with traefik 1.7.x?

This only fixes (card|cal)dav

traefik.dav.frontend.redirect.permanent: "true"
traefik.dav.frontend.redirect.regex: "https://{{ nextcloud_domain }}/.well-known/(card|cal)dav"
traefik.dav.frontend.redirect.replacement: "https://{{ nextcloud_domain }}/remote.php/dav/"
traefik.wellKnown.frontend.redirect.permanent: "true"
traefik.wellKnown.frontend.redirect.regex: "https://{{ nextcloud_domain }}/(.well-known/.+)"
traefik.wellKnown.frontend.redirect.replacement: "https://{{ nextcloud_domain }}/index.php/$1"
jokay commented 3 years ago

> Is there a way to do the same with traefik 1.7.x?

@khartahk yes, see here.

khartahk commented 3 years ago

Very funny. :) But OK, I see your point.

I've already upgraded now to traefik 2.5 but it's still throwing me the webfinger and nodeinfo warning when using:

traefik.http.middlewares.nc-wellknown.replacepathregex.regex: ^(/.well-known/.*)
traefik.http.middlewares.nc-wellknown.replacepathregex.replacement: /index.php$${1}

I've also tried redirectregex instead of replacepathregex also with no luck.

and I have this in my nginx, which is running in front of the nextcloud-fpm image:

location ^~ /.well-known {
    # The following 6 rules are borrowed from `.htaccess`

    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    ## Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }

    try_files $uri $uri/ =404;
}
jokay commented 3 years ago

:wink: you can use the official nginx config from the manual; this works for me.

jokay commented 3 years ago

I use the nextcloud-fpm container as well, this is what I use as config:

nginx.conf
upstream php-handler {
    server fpm:9000;
    #server unix:/var/run/php/php7.4-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.{yourdomain.com};

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/html;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

and the labels on the nextcloud-web (default nginx) container:

labels:
  - traefik.enable=true
  - traefik.http.routers.nextcloud.entrypoints=https
  - traefik.http.routers.nextcloud.rule=Host(`nextcloud.{yourdomain.com}`)
  - traefik.http.services.nextcloud.loadbalancer.server.port=80
  - traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(rd|l)dav
  - traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/
  - traefik.http.middlewares.nextcloud-wellknown.replacepathregex.regex=^(/.well-known.*)
  - traefik.http.middlewares.nextcloud-wellknown.replacepathregex.replacement=/index.php$${1}
  - traefik.http.routers.nextcloud.middlewares=nextcloud-dav@docker,nextcloud-wellknown@docker
jokay commented 3 years ago

With this the only warning which remains (if you don't change the official container by yourself) is the following:

(screenshot of the remaining warning not included)

khartahk commented 3 years ago

Hm, I think I have basically the same settings:

nginx.conf

labels on nextcloud-nginx (default nginx) container:

labels:
  traefik.enable: "{{ nextcloud_available_externally }}"
  traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
  traefik.http.routers.nextcloud.tls.certresolver: "letsencrypt"
  traefik.http.routers.nextcloud.tls.domains[0].main: "{{ nextcloud_domain }}"
  traefik.http.routers.nextcloud.middlewares: "nc-dav@docker,nc-wellknown@docker,nc-header@docker"
  traefik.http.services.nextcloud.loadbalancer.server.port: "80"
  traefik.http.services.nextcloud.loadbalancer.passhostheader: "true"
  traefik.http.middlewares.nc-dav.replacepathregex.regex: ^/.well-known/ca(l|rd)dav
  traefik.http.middlewares.nc-dav.replacepathregex.replacement: /remote.php/dav/
  traefik.http.middlewares.nc-wellknown.replacepathregex.regex: ^(/.well-known/.*)
  traefik.http.middlewares.nc-wellknown.replacepathregex.replacement: /index.php$${1}
  traefik.http.middlewares.nc-header.headers.referrerPolicy: "no-referrer"
  traefik.http.middlewares.nc-header.headers.stsSeconds: "15552000"
  traefik.http.middlewares.nc-header.headers.forceSTSHeader: "true"
  traefik.http.middlewares.nc-header.headers.stsPreload: "true"
  traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains: "true"
  traefik.http.middlewares.nc-header.headers.browserXssFilter: "true"
  traefik.http.middlewares.nc-header.headers.customFrameOptionsValue: "SAMEORIGIN"
  traefik.http.middlewares.nc-header.headers.contentSecurityPolicy: "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:"

but I still have the same errors (screenshot not included).

jokay commented 3 years ago

Yes, looks very similar, can't see where the problem may be 🧐

romprod commented 2 years ago

>   - traefik.http.middlewares.nextcloud-wellknown.replacepathregex.regex=^(/.well-known.*)
>   - traefik.http.middlewares.nextcloud-wellknown.replacepathregex.replacement=/index.php$${1}
>   - traefik.http.routers.nextcloud.middlewares=nextcloud-dav@docker,nextcloud-wellknown@docker

This worked for me


khartahk commented 2 years ago

Hey, I had to remove the second $ sign in my config to make it work. I'm using ansible docker_container module to deploy so I guess it handles that differently.

Here's the diff

 nextcloud_labels:
   traefik.http.routers.nextcloud.middlewares: "nc-dav@docker,nc-wellknown@docker,nc-header@docker"
   traefik.http.middlewares.nc-dav.replacepathregex.regex: "^/.well-known/ca(l|rd)dav"
   traefik.http.middlewares.nc-dav.replacepathregex.replacement: "/remote.php/dav/"
   traefik.http.middlewares.nc-wellknown.replacepathregex.regex: "^(/.well-known.*)"
-  traefik.http.middlewares.nc-wellknown.replacepathregex.replacement: "/index.php$${1}"
+  traefik.http.middlewares.nc-wellknown.replacepathregex.replacement: "/index.php${1}"
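
Review bot: the `$$` on the removed line is docker-compose's escape for a literal `$` in an interpolated label value, which is why the compose-based configs earlier in the thread need `$${1}` and the single `${1}` variant produced the `Invalid interpolation format` error; the ansible docker_container module passes the label through without compose interpolation, so on the added line `${1}` already reaches Traefik as the literal group reference. Worth a comment beside that label stating which deployment tool the value is escaped for, so it is not copied back into a compose file unchanged.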