Closed tflidd closed 2 years ago
I stumbled across the same problem after upgrading to NC21 using nginx. I solved it by adding this to the nginx config:
location /.well-known {
location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
location = /.well-known/caldav { return 301 /nextcloud/remote.php/dav/; }
# according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
location = /.well-known/webfinger { return 301 /nextcloud/index.php$uri; }
location = /.well-known/nodeinfo { return 301 /nextcloud/index.php$uri; }
# anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /nextcloud/index.php$uri; }
try_files $uri $uri/ =404;
}
I had the same problem on apache. I had to add these lines to htaccess to make the warnings go away:
RewriteRule ^.well-known/webfinger /YOURSUBFOLDER/index.php/.well-known/webfinger [R=301,L]
RewriteRule ^.well-known/nodeinfo /YOURSUBFOLDER/index.php/.well-known/nodeinfo [R=301,L]
The documentation only mentions carddav and caldav but not webfinger and nodeinfo.
I don't know if this is the correct method. webfinger and nodeinfo are not in the standard htaccess that ships with NC21 anymore; however, the error is still produced by the automatic checks and the link to the documentation does not mention them.
I use the Truenas Nextcloud plugin. I have it sitting behind an nginx reverse-proxy. I tried changing the nginx config for the plugin/Freebsd Jail, but that did not work. I tweaked the Nextcloud config on my nginx reverse-proxy and that got rid of the warning messages. I added these two lines:
rewrite ^/.well-known/webfinger /index.php$uri redirect;
rewrite ^/.well-known/nodeinfo /index.php$uri redirect;
Hopefully this helps anyone else using a reverse-proxy. The default nginx config included with the Truenas plugin is just fine, all I needed to really change was server_name and enable IPv6 since I have a dual-stack setup.
Are you running Social? See these two open issues for possible context:
using Webfinger https://github.com/nextcloud/social/issues/1016
I wonder in which cases webfinger and nodeinfo are even required. It looks like they are only used by certain apps, so if these apps aren't installed, then not having them configured is fine? (Maybe also caldav only if calendar is installed and carddav if contacts are?)
I'm also concerned about it maybe leaking privacy. Can anyone explain if there are any privacy/security consequences to having them enabled all the time?
Are you running Social? See these two open issues for possible context:
using Webfinger https://github.com/nextcloud/social/issues/1016
I'm not running Social. There could be the possibility of some other app(s) using webfinger and/or nodeinfo though.
I stumbled across the same problem after upgrading to NC21 using nginx. I solved it by adding this to the nginx config:
location /.well-known {
location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
location = /.well-known/caldav { return 301 /nextcloud/remote.php/dav/; }
# according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
location = /.well-known/webfinger { return 301 /nextcloud/index.php$uri; }
location = /.well-known/nodeinfo { return 301 /nextcloud/index.php$uri; }
# anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /nextcloud/index.php$uri; }
try_files $uri $uri/ =404;
}
This did not get rid of the warnings for my instance. Nextcloud upgrade from 20.0.8 to 21.0.1, nginx/1.18.0 (Ubuntu), Social app not installed
Same here, I also can't get rid of these two warnings. Coming from NC 20.0.8 and thought I could update to 20.0.9 -> instead the updater pushed me to 21.0.1 directly. So my config is at the moment nginx 1.19, postgresql 13.2, php 8.0.3, ubuntu 20.04.2
my config looks like
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
location = /.well-known/webfinger { return 301 /index.php$uri; }
location = /.well-known/nodeinfo { return 301 /index.php$uri; }
location ^~ /.well-known { return 301 /index.php/$uri; }
try_files $uri $uri/ =404;
}
In my case also the Social App is NOT installed.
But I use a reverse proxy (nginx 1.18) and here my config is
server_name my.server.name;
set $upstream LOCAL-IP-OF-NC-SERVER:443;
location / {
proxy_pass https://$upstream;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
### Set hash values
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 10400;
proxy_send_timeout 10400;
proxy_read_timeout 10400;
proxy_redirect off;
proxy_ssl_session_reuse on;
rewrite ^/.well-known/webfinger /index.php$uri redirect;
rewrite ^/.well-known/nodeinfo /index.php$uri redirect;
}
}
the two lines from above
Nevertheless, all this does not solve my problem.
I noticed that I had the following in my nextcloud.conf:
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
I modified it to:
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/webfinger {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/nodeinfo {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
I thought it might work, but no dice.
I stumbled into the same problem after upgrading to NC21. I don't use the social app, but I want to get rid of the error messages. In the documentation available under https://docs.nextcloud.com/server/21/Nextcloud_Server_Administration_Manual.pdf (or just https://docs.nextcloud.com/server/21/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=proxy#haproxy ) there are sample configs for various proxy settings listed. While the older methods for caldav and carddav work fine, there is no mention of webfinger and nodeinfo and how to configure them in traefik or haproxy (which is what I use..). The HAProxy settings should also contain a word about configuring this inside of pfsense, because many people are using this setup.
So sorry, I have to correct my post above...
The settings for nginx (Nextcloud) and nginx (Reverse Proxy) seem to be correct. After having the same messages from one PC with the chromium browser I switched to a tablet device et voila, no messages any longer.
So I cleared the whole browser cache and restarted my chromium - same here - a white tag on green spot appears :-)
Thanks for the help above.
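A browser can keep serving a cached 301 after the server config has changed, which is what the comment above ran into. The following script is an added example, not part of the thread: it asks the server directly with curl and compares each /.well-known redirect to the targets posted in the nginx configs here. The function names, the NC_PREFIX variable and cloud.example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify /.well-known redirects without a browser cache.
# Usage against a live server (host is a placeholder):
#   sh check-wellknown.sh https://cloud.example.com
# Set NC_PREFIX=/nextcloud when Nextcloud lives in a subfolder.

# Redirect target each endpoint should have, per the nginx configs in this thread.
expected_target() {
    case "$1" in
        /.well-known/carddav|/.well-known/caldav)
            echo "${NC_PREFIX:-}/remote.php/dav" ;;
        /.well-known/webfinger|/.well-known/nodeinfo)
            echo "${NC_PREFIX:-}/index.php$1" ;;
        *) return 1 ;;
    esac
}

# Reduce a Location value to its path: drop scheme://host, query, trailing slash.
location_path() {
    _loc=$(printf '%s' "$1" | tr -d '\r')
    case "$_loc" in
        http://*|https://*)
            _loc="${_loc#*://}"
            case "$_loc" in
                */*) _loc="/${_loc#*/}" ;;
                *)   _loc="/" ;;
            esac ;;
    esac
    _loc="${_loc%%[?]*}"
    case "$_loc" in
        /) ;;
        */) _loc="${_loc%/}" ;;
    esac
    printf '%s\n' "$_loc"
}

# classify PATH STATUS LOCATION
# prints: ok | wrong-target | not-a-redirect | unknown-endpoint
classify() {
    want=$(expected_target "$1") || { echo "unknown-endpoint"; return 0; }
    case "$2" in
        301|302|307|308) ;;
        *) echo "not-a-redirect"; return 0 ;;
    esac
    got=$(location_path "$3")
    if [ "$got" = "$want" ]; then echo "ok"; else echo "wrong-target"; fi
}

# Query a live server; curl does not follow the redirect, it only reports it.
probe() {
    for p in /.well-known/carddav /.well-known/caldav \
             /.well-known/webfinger /.well-known/nodeinfo; do
        out=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "$1$p") || out="000 "
        printf '%-24s %s -> %s\n' "$p" "$out" \
            "$(classify "$p" "${out%% *}" "${out#* }")"
    done
}

# Offline demo over constructed responses (not captured from a real server).
# The third line mirrors the attempt that sent nodeinfo to /remote.php/dav.
demo() {
    while read -r path status loc; do
        printf '%-24s %s %-60s %s\n' "$path" "$status" "${loc:--}" \
            "$(classify "$path" "$status" "$loc")"
    done <<'EOF'
/.well-known/carddav 301 https://cloud.example.com/remote.php/dav/
/.well-known/webfinger 301 https://cloud.example.com/index.php/.well-known/webfinger
/.well-known/nodeinfo 301 https://cloud.example.com/remote.php/dav
/.well-known/webfinger 404
EOF
}

if [ "$#" -gt 0 ]; then probe "$1"; else demo; fi
```

A result of not-a-redirect is not necessarily a fault: the stock Apache .htaccess quoted later in the thread hands these paths to index.php with an internal rewrite, so no Location header is sent.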
I had to add the lines mentioned by @DerVerruckteFuchs in my ReverseProxy configuration after the carddav and caldav entries. Now the messages no longer appear. Thanks 😁
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
rewrite ^/.well-known/webfinger /index.php$uri redirect;
rewrite ^/.well-known/nodeinfo /index.php$uri redirect;
Very minor optimization of @obakuhl 's post - you don't need to use regular expressions or rewrite rules, just copying the location blocks work too:
# Nextcloud 20.x configuration
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# Adjusted to handle webfinger/nodeinfo
location = /.well-known/webfinger {
return 301 $scheme://$host/index.php$uri;
}
location = /.well-known/nodeinfo {
return 301 $scheme://$host/index.php$uri;
}
I edited my nextcloud.conf file with the above blocks, restarted nginx, cleared browser cache, and restarted browser, but still get the webfinger and nodeinfo warnings.
Are you concerning the nextcloud.conf file on the nextcloud server or the reverse proxy server?
I ask, because the two settings
location = /.well-known/webfinger {
return 301 $scheme://$host/index.php$uri;
}
location = /.well-known/nodeinfo {
return 301 $scheme://$host/index.php$uri;
}
are set on my proxy server.
these two lines are set in my "nextcloud.conf" on my nextcloud server
location = /.well-known/webfinger { return 301 /index.php$uri; }
location = /.well-known/nodeinfo { return 301 /index.php$uri; }
otherwise you can try to set this into your .htaccess file in /var/www/nextcloud (if this is your nc root)
RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
Ok, fair enough. I don't have a reverse proxy so I set my nextcloud.conf as you showed above, but no dice. Then I added the rewrite rules to my .htaccess and again no dice. Here are the files in question, in case I am missing something totally obvious (a likely scenario):
.htaccess:
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
# Avoid doubled headers by unsetting headers in "onsuccess" table,
# then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
Header onsuccess unset X-Download-Options
Header always set X-Download-Options "noopen"
Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "none"
Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for static resources
<FilesMatch "\.(css|js|svg|gif)$">
Header set Cache-Control "max-age=15778463"
</FilesMatch>
# Let browsers cache WOFF files for a week
<FilesMatch "\.woff2?$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
</IfModule>
<IfModule mod_php7.c>
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 //
ErrorDocument 404 //
RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
nextcloud.conf:
server {
server_name xxxxxx;
# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
#I found this header is needed on Ubuntu, but not on Arch Linux.
add_header X-Frame-Options "SAMEORIGIN";
# Path to the root of your installation
root /usr/share/nginx/nextcloud/;
access_log /var/log/nginx/nextcloud.access;
error_log /var/log/nginx/nextcloud.error;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
# rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
# rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
# Adjusted to handle webfinger/nodeinfo
location = /.well-known/webfinger { return 301 /index.php$uri; }
location = /.well-known/nodeinfo { return 301 /index.php$uri; }
# set max upload size
client_max_body_size 16G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xxxxx/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/xxxxxxx/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_trusted_certificate /etc/letsencrypt/live/xxxxxxxchain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = xxxxxx) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name xxxxxxxx;
listen 80;
return 404; # managed by Certbot
}
At first set this block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
into this
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
and delete the two appended lines at the end
Unfortunately this did not work either. I also, then went back to set my nextcloud.conf back to the original, and still no dice. Thanks for your help. I will continue to dig further, let me know of any other possible suggestions if you can.
I think you need to set the webfinger and nodeinfo rewrites to point to a different backend, which tripped me up at first:
- RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
- RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
+ RewriteRule ^\.well-known/webfinger /index.php [R=301,L]
+ RewriteRule ^\.well-known/nodeinfo /index.php [R=301,L]
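Review bot: The two + rules redirect to a bare /index.php with [R=301,L], so the original /.well-known/webfinger or /.well-known/nodeinfo path is dropped and the request that follows the redirect no longer names the well-known endpoint. Append the path to the target, as the earlier Apache comment in this thread does with /YOURSUBFOLDER/index.php/.well-known/webfinger. Placement matters as well: the stock rule "RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]" in the posted .htaccess already matches both paths and ends processing with [L], so rules appended after it are never reached.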
(The above is a guess as I'm not using Apache - I'm not sure if something special needs done for passing $uri to the end of index.php, or if that's handled by it being an Apache rewrite directive.)
I am using nginx. So right there was my mistake. Just found out that nginx doesn't even use the .htaccess file. So back at square one?
If the webfinger and nodeinfo well-known urls are only used by the social app, then the Security and setup warnings section should not warn the admin that they don't exist if the social app is not enabled.
If it is true that they are only used by the social app, then for sure that should be the case. I for sure do not even have the social app installed, and still get these messages. I did have it installed at one point, though. Maybe there is something that needs to be purged from the server?
I have never had the social app installed, and am getting the warning.
Same as @mddvul22 here
Hi 🙂
First, I will say thanks for the "nextcloud" script - It's a very good script, I use it a lot
I also have the same problem as many others have!
I get this warning in my control panel!
I have tried to fix the problem as suggested in the post https://github.com/nextcloud/documentation/issues/6157#issuecomment-783636288 - No Luck :(
You can see my nextcloud config here: https://pastebin.com/6JpqwGc0
I use:
Nextcloud: 21.0.1
PHP 7.4.3
Ubuntu 20.04
I have used this guide to install NextCloud -> LINK
Please help.
Regards
Thomas
The error comes from an old entry in the NGINX configuration for handling error pages.
You just have to erase or uncomment these two lines and the error disappears:
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
Nothing else needs to be done!
I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.
I have this in my nextcloud.conf:
# error_page 403 /core/templates/403.php;
# error_page 404 /core/templates/404.php;
I restarted nginx and wiped the history of my browser, but still get the errors.
Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.
It seems stupid, but did you reload or restart NGINX? Sometimes I forget that too...
AND: Don't you have an extra configuration file for your nextcloud that you have to do that in your basic-configuration-file?
restarted nginx for sure. not sure what extra configuration file you are referring to. the config file with these error_page lines is in /etc/nginx/conf.d/nextcloud.conf
hmm, have you checked nextcloud.log for error output as well.
On Wed, Apr 28, 2021, 9:27 AM dysonsphere @.***> wrote:
restarted nginx for sure. not sure what extra configuration file you are referring to. the config file with these error_page lines is in /etc/nginx/conf.d/nextcloud.conf
not sure what extra configuration file you are referring to. the config file with these error_page lines is in /etc/nginx/conf.d/nextcloud.conf
This seems to be a bit of an unusual configuration to me. Usually the configuration files for the websites are in /etc/nginx/sites-available/ and don't need any filetype ending. You activate them by linking into /etc/nginx/sites-enabled.
And maybe that is the problem. Maybe you uncommented these lines in that file and there is a configuration file for nextcloud in sites-enabled and so the uncomment there doesn't have any effect.
hmm. nextcloud is my first go at setting up a webserver. I used the guide here, and with this i created the config file like this:
Step 3: Create a Nginx Config File for Nextcloud
Create a nextcloud.conf file in /etc/nginx/conf.d/ directory.
server {
listen 80;
listen [::]:80;
server_name nextcloud.your-domain.com;
# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
#I found this header is needed on Ubuntu, but not on Arch Linux.
add_header X-Frame-Options "SAMEORIGIN";
# Path to the root of your installation
root /usr/share/nginx/nextcloud/;
access_log /var/log/nginx/nextcloud.access;
error_log /var/log/nginx/nextcloud.error;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~* .(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
}
There is nothing in /etc/nginx/sites-enabled, and only a file named "default" in /etc/nginx/sites-available/
I have never had any issues with these errors until upgrading to NC21
ok... You can put the configuration file there and it is working, but it is not the recommended way.
But your configuration file seems to be old. Please compare and check it with the one of the official documentation: https://docs.nextcloud.com/server/21/admin_manual/installation/nginx.html
The robots.txt section could be shortened to:
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
And still your installation seems a bit weird... Why is your root directory for nextcloud in /usr/share/ and not in /var/www/ as usual? There is a reason why under linux there are specific directories for the stuff.
Have you any clue what you have done there? Or have you just followed the guide? And why didn't you follow the official admin guide?
BTW: It was the same on my installation until upgrading to 21. AND: IMPORTANT: How do you redirect the http site to https?!?!? And where is the IPv6 section for the https site?!?! Finally: I hope you changed the certbot to snap. The installation described in your guide is no longer supported....
I just followed the guide I linked to. I found it a bit easier to understand than the official admin guide. This was my first attempt at setting this type of thing up, so for sure I am still learning :). I will follow the official guide the next time I need to set up an instance as I am getting more familiar with networking and linux over the past year or so. I will examine the config file more closely. Thanks for your help. I don't mean to take up more of your time on this. I will continue to search and learn. Cheers.
I compared and messed around a bit with the official nginx page. I am unable to fix the issue. As dysonsphere mentions, the official manuals are just unclear for newbies.
I have like 10 servers running like this since 10.0 without any issues, also receiving an A+ rating on ssl labs and the nextcloud file
I am using the same config as @dysonsphere-startmail. Changing what solved the issues for you? The solution is a bit unclear.
Which part should I change?
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
Thanks in advance
I have this in my nextcloud.conf:
that solves this:
Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
not this one:
Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.
Hi @wwwwiii , Thanks for adding to this conversation. I tried uncommenting:
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
But I still get the webfinger error.
I am wondering if it may have something to do with my Collabora server also running on the same machine with nginx?
But I have no problem with these errors with a similar setup of Nextcloud + Collabora with Apache on a different machine.
I am an amateur at webservers and don't have too much time to learn all the details. Maybe in time I will figure this out. In the meantime the instance is working fine and I still get A+ rating on ssl labs.
Yeah it is a little detail but I don't want any errors.
I guess it is something related to the htaccess file but since nginx does not support it... I tried multiple things. I would not mind just muting those errors as well since am not using any of those.
Mine is running standalone meaning. Running nextcloud on ubuntu 21lts I upgraded all instances from lts 16 sql mariadb 10.5 php7.4
The solution from @tiiiecherle is working fine for me. I just removed the /nextcloud-part, because my nc-instance is running on root-level.
I use the Truenas Nextcloud plugin. I have it sitting behind an nginx reverse-proxy. I tried changing the nginx config for the plugin/Freebsd Jail, but that did not work. I tweaked the Nextcloud config on my nginx reverse-proxy and that got rid of the warning messages. I added these two lines:
rewrite ^/.well-known/webfinger /index.php$uri redirect;
rewrite ^/.well-known/nodeinfo /index.php$uri redirect;
Hopefully this helps anyone else using a reverse-proxy. The default nginx config included with the Truenas plugin is just fine, all I needed to really change was server_name and enable IPv6 since I have a dual-stack setup.
Hello! I am new to nextcloud. I have the same following errors :
-Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
-Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.
I am using nginx. How can I find whether it is working on reverse proxy? How can I solve these warnings?
Thank you
So sorry, I have to correct my post above...
The settings to nginx (Nextcloud) and nginx (Reverse Proxy) seem to be correct. After having the same messages from one PC with chromium Browser I switched to a tablet device et voila, no messages any longer.
So I cleared the whole browser cache and restarted my chromium - same here - a white tag on green spot appears :-)
Thanks for the help above.
Same here, had to include on the reverse proxy. And using Ctrl+Shift+I or right-click Inspect, going to Network, disable Cache and reloading and they are gone. So it seems the check website doesn't delete the cache when reloading. A force cache reload should be triggered, or an info and a small guide, like I gave, should be given. Otherwise people will try changing and changing settings, without noticing they may have fixed it at some point, because of caching.
My apologies for spamming this issue with the same commit. Tried to conform to the contribution guidelines, so hopefully the resulting PR is more or less fine.
Suggested Nginx default configuration seems to be the culprit!
It says:
fastcgi_intercept_errors on;
That causes Nginx to intercept HTTP error codes returned by the PHP script with the configured error page or nginx default error pages. See the documentation.
Normally /.well-known/nodeinfo in NextCloud is supposed to return HTTP 404 with {"message":"nodeinfo not supported"} JSON. If you have fastcgi_intercept_errors on, the default Nginx not found page (or configured custom error page) will be returned for any 404 code, causing this error message to be printed in the Administration/Settings.
So to fix this, just set it to off:
fastcgi_intercept_errors off;
Changing redirects to 301 and even redirecting these requests to remote.php/dav to "fix" this are IMO all wrong.
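To tell which of the cases described in this thread a server is in, the response to a /.well-known probe can be triaged by status and body. The following Python is an added example, not code from any commenter or from the Nextcloud project; the function names are hypothetical, the sample responses are constructed, and the JSON body is the one quoted in the comment above.

```python
import json

# Constructed responses in the shape `curl -si` prints them; not captured from a real server.
SAMPLES = {
    "redirect": "HTTP/1.1 301 Moved Permanently\r\n"
                "Location: /index.php/.well-known/nodeinfo\r\n\r\n",
    "nextcloud_404": "HTTP/1.1 404 Not Found\r\n"
                     "Content-Type: application/json\r\n\r\n"
                     '{"message":"nodeinfo not supported"}',
    "intercepted_404": "HTTP/1.1 404 Not Found\r\n"
                       "Content-Type: text/html\r\n\r\n"
                       "<html><head><title>404 Not Found</title></head></html>",
}


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(raw):
    """Say who answered a /.well-known probe: a redirect rule, Nextcloud, or an error page."""
    status, headers, body = parse_response(raw)
    if status in (301, 302, 307, 308):
        return "redirect -> " + headers.get("location", "(no Location header)")
    if status == 404:
        try:
            doc = json.loads(body)
        except ValueError:
            # Not JSON: a web server error page was served instead of Nextcloud's answer.
            return "404 error page from the web server (fastcgi_intercept_errors / error_page)"
        if isinstance(doc, dict) and "message" in doc:
            return "404 answered by Nextcloud: " + doc["message"]
        return "404 with unrecognised JSON body"
    return "status %d: outside this triage" % status


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "=>", triage(raw))
```

Feed it the output of `curl -si` against your own instance with the browser cache out of the picture, since several commenters found the warning itself was cached.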
on nginx, define
fastcgi_intercept_errors off;
and
location = /.well-known/webfinger { return 301 /nextcloud/index.php$uri; }
location = /.well-known/nodeinfo { return 301 /nextcloud/index.php$uri; }
fix all the warnings.
on nginx, define
fastcgi_intercept_errors off;
and
location = /.well-known/webfinger { return 301 /nextcloud/index.php$uri; }
location = /.well-known/nodeinfo { return 301 /nextcloud/index.php$uri; }
fix all the warnings.
This worked for me. Thanks @jkroepke !
If you are using haproxy you can use this config to make the warnings disappear. Hopefully this will help someone.
acl url_red_dav var(txn.txnpath) -m str -i /.well-known/caldav
acl url_red_dav var(txn.txnpath) -m str -i /.well-known/carddav
acl url_red_inf var(txn.txnpath) -m str -i /.well-known/webfinger
acl url_red_inf var(txn.txnpath) -m str -i /.well-known/nodeinfo
http-request redirect code 301 location /remote.php/dav/ if url_red_dav
http-request redirect code 301 location /index.php%[capture.req.uri] if url_red_inf
The Error comes from an old entry in the NGINX configuration with handling error-pages.
You just have to erase or uncomment these two lines and the error disappears:
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
Nothing else is to do!
I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.
After 2 hours, finally! Thanks!
The Error comes from an old entry in the NGINX configuration with handling error-pages. You just have to erase or uncomment these two lines and the error disappears:
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
Nothing else is to do! I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.
After 2 hours, finally! Thanks!
Awesome, this finally was the missing clue, works with nginx+haproxy on pfsense, thank you very much!
Old issue but the haproxy configuration really needs to go into the documentation, it does mention caldav and carddav. But it still doesn't mention webfinger or nodeinfo.
I used a slightly less complex approach than the one that was posted here, here's what I did:
# needed for nextcloud
acl url_discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if url_discovery
acl url_discovery_finger_node path /.well-known/webfinger /.well-known/nodeinfo
http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_finger_node
I've added a PR #8007 for webfinger and nodeinfo.
On the settings, I get these warnings:
The given link redirects me to https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery, however there is only information about .well-known/carddav and .well-known/caldav, nothing about webfinger and nodeinfo.
Since I am using nginx, I was also checking the example config: https://docs.nextcloud.com/server/21/admin_manual/installation/nginx.html?highlight=nginx But nothing about webfinger and nodeinfo on a first sight. However, there were some changes: https://github.com/nextcloud/documentation/pull/5825/files
I suggest to change the landing page by mentioning the webfinger/nodeinfo being generally handled by an updated .htaccess and that nginx users might check their configuration.
NC version: NC21 RC1 webserver: nginx