I am currently deploying NextCloud using the official Helm chart which includes Nginx and PHP-FPM. However, I am facing an issue with the DAVx⁵ app on Android, where it reports a "PropFind method not allowed" error. It seems this issue has been previously documented in other issues, but the provided solutions do not resolve the problem and are not applicable to Kubernetes Ingress setups.
Actual Behavior:
When attempting to connect using DAVx⁵, the app encounters an error stating that the PropFind method is not allowed. This indicates a potential misconfiguration in either the Nginx setup or the Kubernetes Ingress rules that restrict HTTP methods essential for DAVx⁵'s operation.
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET HEAD POST OPTIONS PUT PATCH DELETE PROPFIND MKCOL REPORT"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For"
It does not make any sense because it's not on the ingress side; it's about the nextcloud-nginx container.
Once I add those annotations to the ingress and test Davx5 again, it shows that those methods
are allowed, but I'm still encountering a 405 error.
2024-04-23 19:13:32 5350 [network.HttpClient] <-- END HTTP (157-byte body)
2024-04-23 19:13:32 5350 [servicedetection.DavResourceFinder] No resource found
EXCEPTION at.bitfire.dav4jvm.exception.HttpException: HTTP 405
at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:3)
at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:1)
at at.bitfire.dav4jvm.DavResource.processMultiStatus(DavResource.kt:2)
at at.bitfire.dav4jvm.DavResource.propfind(DavResource.kt:76)
at at.bitfire.davdroid.servicedetection.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.kt:37)
at at.bitfire.davdroid.servicedetection.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.kt:301)
at at.bitfire.davdroid.servicedetection.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:29)
at at.bitfire.davdroid.servicedetection.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:4)
at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1$configuration$1.invoke(LoginModel.kt:3)
at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1$configuration$1.invoke(LoginModel.kt:1)
at kotlinx.coroutines.InterruptibleKt$runInterruptible$2.invokeSuspend(Interruptible.kt:59)
at kotlinx.coroutines.InterruptibleKt$runInterruptible$2.invoke(Interruptible.kt:13)
at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:16)
at kotlinx.coroutines.BuildersKt.withContext(Unknown Source:41)
at org.apache.commons.text.WordUtils.runInterruptible$default(WordUtils.java:9)
at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1.invokeSuspend(LoginModel.kt:38)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:9)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:111)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:4)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:3)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:98)
```
So, those Kubernetes annotations are essentially ineffective and permit
unrestricted access. I'm not entirely convinced that this is beneficial for security purposes.
Wayout
It appears that the "discovery" functionality is not functioning properly. However,
it is possible to manually configure DAVx5 to sync contacts by obtaining the URL from
the web interface. It seems like the URL format is:
https://nextcloud.domain.org/remote.php/dav/addressbooks/users/username/contacts/
Addional
If someone could provide annotations for CORS, HSTS, etc. to enhance security, caching, and load balancing, I would greatly appreciate it. If someone revised my configuration from a high availability (HA) and security best practices standpoint, or offered criticism, I would be very grateful.
It's quite odd that nginx is disclosing its version.
I believe it's preferable to disable server tokens by default in the configuration of the nextcloud-nginx container.
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.25.5</center>
</body>
</html>
Issue Description:
I am currently deploying NextCloud using the official Helm chart which includes Nginx and PHP-FPM. However, I am facing an issue with the DAVx⁵ app on Android, where it reports a "PropFind method not allowed" error. It seems this issue has been previously documented in other issues, but the provided solutions do not resolve the problem and are not applicable to Kubernetes Ingress setups.
Actual Behavior: When attempting to connect using DAVx⁵, the app encounters an error stating that the PropFind method is not allowed. This indicates a potential misconfiguration in either the Nginx setup or the Kubernetes Ingress rules that restrict HTTP methods essential for DAVx⁵'s operation.
Logs and Errors
Logs from DavX5
```bash 2024-04-23 18:08:44 3338 [network.HttpClient] <-- END HTTP (162-byte body) 2024-04-23 18:08:44 3338 [at.bitfire.dav4jvm.DavResource] Redirected, new location = https://nextcloud.domain.org/remote.php/dav 2024-04-23 18:08:44 3338 [network.HttpClient] --> PROPFIND https://nextcloud.domain.org/remote.php/dav h2 2024-04-23 18:08:44 3338 [network.HttpClient] Depth: 0 2024-04-23 18:08:44 3338 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14 2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5 2024-04-23 18:08:44 3338 [network.HttpClient] Content-Type: application/xml; charset=utf-8 2024-04-23 18:08:44 3338 [network.HttpClient] Content-Length: 198 2024-04-23 18:08:44 3338 [network.HttpClient] Host: nextcloud.domain.org 2024-04-23 18:08:44 3338 [network.HttpClient] Connection: Keep-Alive 2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Encoding: gzip 2024-04-23 18:08:44 3338 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=m9mP9pEbF9zPiMg2Kgt6ghDxtoFqtgmyk7FzV5%2ByWdh47jq5q20laNNZ%2BltR7wQH5wxUu5d6lfYoURfL1E5F%2BQPH3C13Zipc5sSQEiVYGoKyRvi1lXmVEU8Wcu8fIOww; oc4sncy5go9g=902649cb2332def72f7f651f52a27fba; stickounet=1713888525.944.11986.785516|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true 2024-04-23 18:08:44 3338 [network.HttpClient] 2024-04-23 18:08:44 3338 [network.HttpClient]405 Not Allowed
Environment
Kubernetes distribution: k3s
Helm Chart Version: https://nextcloud.github.io/helm/ nextcloud/nextcloud 4.6.6
values.yaml
```yaml image: repository: core.harbor.domain.org/docker-nextcloud # fpm version ingress: enabled: true className: nginx annotations: cert-manager.io/cluster-issuer: "letsencrypt-prod" kubernetes.io/ingress.class: "nginx" kubernetes.io/tls-acme: "true" nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/enable-websocket: "true" nginx.ingress.kubernetes.io/hsts-include-subdomains: "true" nginx.ingress.kubernetes.io/hsts-max-age: "31536000" nginx.ingress.kubernetes.io/hsts-preload: "true" nginx.ingress.kubernetes.io/hsts: "true" nginx.ingress.kubernetes.io/keep-alive: "75" nginx.ingress.kubernetes.io/proxy-body-size: '0' nginx.ingress.kubernetes.io/session-cookie-name: "stickounet" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/server-snippet: |- server_tokens off; proxy_hide_header X-Powered-By; rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last; rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last; rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:autotest|occ|issue|indie|db_|console) { deny all; } tls: - secretName: nextcloud-tls hosts: - nextcloud.domain.org labels: {} path: / pathType: Prefix phpClientHttpsFix: enabled: true protocol: https phpConfigs: custom.ini: | upload_max_filesize = 10000M post_max_size = 10000M max_input_time = 3600 max_execution_time = 3600 output_buffering = 0 memory_limit 10000M opcache.enable=1 opcache.interned_strings_buffer=8 opcache.max_accelerated_files=10000 opcache.memory_consumption=1024 opcache.save_comments = 1 opcache.revalidate_freq = 60 opcache.validate_timestamps = 0 opcache.jit = 1255 opcache.jit_buffer_size = 128M www.conf: | [www] user = www-data group = www-data listen = 127.0.0.1:9000 pm = dynamic pm.max_children = 120 pm.start_servers = 12 pm.min_spare_servers = 11 pm.max_spare_servers = 34 defaultConfigs: .htaccess: false redis.config.php: false apache-pretty-urls.config.php: false apcu.config.php: true apps.config.php: true autoconfig.php: true smtp.config.php: false configs: rediscluster.config.php: |- 'true', 'memcache.distributed' => '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis', 'redis.cluster' => [ 'seeds' => [ 'redis-cluster:6379' ], 'failover_mode' => \RedisCluster::FAILOVER_ERROR, 'timeout' => 0.0, 'read_timeout' => 0.0, 'password' => getenv('REDISCLUSTERPWD'), 'dbindex' => 0, ] ); } proxy.config.php: |- array( '0' => '127.0.0.1', '1' => '10.0.0.0/8', ), 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), ); chunk.config.php: |- '100MB', ); preview.config.php: |- array( '0' => 'OC\\Preview\\BMP', '1' => 'OC\\Preview\\GIF', '2' => 'OC\\Preview\\HEIC', '3' => 'OC\\Preview\\Image', '4' => 'OC\\Preview\\Imaginary', '5' => 'OC\\Preview\\JPEG', '6' => 'OC\\Preview\\Krita', '7' => 'OC\\Preview\\MP3', '8' => 'OC\\Preview\\MP4', '9' => 'OC\\Preview\\MarkDown', '10' => 'OC\\Preview\\Movie', '11' => 'OC\\Preview\\Movie', '12' => 'OC\\Preview\\OpenDocument', '13' => 'OC\\Preview\\PDF', '14' => 'OC\\Preview\\PNG', '15' => 'OC\\Preview\\TIFF', '16' => 'OC\\Preview\\TXT', '17' => 'OC\\Preview\\TXT', '18' => 'OC\\Preview\\XBitmap', ), 'preview_imaginary_url' => 'http://imaginary:9000', 'preview_max_filesize_image' => 100, 'preview_max_x' => 8192, 'preview_max_y' => 8192, ); extraEnv: - name: TZ value: 'Europe/Warsaw' # https://github.com/nextcloud/docker/issues/1288 # https://www.postgresql.org/docs/current/libpq-envars.html - name: PGSSLMODE value: 'verify-ca' - name: PGSSLROOTCERT value: '/certs/root.crt' - name: PGSSLCERT value: '/certs/client.crt' - name: PGSSLKEY value: '/certs/client.key' - name: REDISCLUSTERPWD valueFrom: secretKeyRef: name: nextcloud--redis-redis-cluster key: redis-password - name: PHP_MEMORY_LIMIT value: '10000M' - name: PHP_UPLOAD_LIMIT value: '10000M' extraVolumes: - name: bashrc configMap: name: container-bashrc - name: postgresqlrc configMap: name: container-postgresqlrc - name: psql-bouncer secret: secretName: nextcloud--psql-pg-db-pgbouncer items: - key: pgbouncer-frontend.ca-roots path: root.crt mode: 0777 - key: pgbouncer-frontend.crt path: client.crt mode: 0600 - key: pgbouncer-frontend.key path: client.key mode: 0777 extraVolumeMounts: - name: psql-bouncer mountPath: "/psql/bouncer" - name: bashrc mountPath: /root/.bashrc subPath: bashrc readOnly: true - name: postgresqlrc mountPath: /root/.postgresqlrc subPath: postgresqlrc readOnly: true nginx: enabled: true image: repository: core.harbor.domain.org/replication/nginx tag: mainline-alpine pullPolicy: Always containerPort: 80 config: default: true internalDatabase: enabled: false name: nextcloud externalDatabase: enabled: true type: postgresql existingSecret: enabled: true secretName: lalala usernameKey: ololoev passwordKey: ololo hostKey: pgbouncer-host databaseKey: dbname mariadb: enabled: false postgresql: enabled: false redis: enabled: false cronjob: enabled: true lifecycle: postStartCommand: - "/bin/sh" - "-c" - | mkdir /certs cat /psql/bouncer/client.key > /certs/client.key cat /psql/bouncer/client.crt > /certs/client.crt cat /psql/bouncer/root.crt > /certs/root.crt chown -R www-data:www-data /certs chmod 0600 /certs/* affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - nextcloud topologyKey: "kubernetes.io/hostname" ```Explicit CORS ingress annotations do not resolve the issue with auto-discovery
I checked this https://github.com/nextcloud/helm/issues/410 and tested by adding
It does not make any sense because it's not on the ingress side; it's about the nextcloud-nginx container. Once I add those annotations to the ingress and test Davx5 again, it shows that those methods are allowed, but I'm still encountering a 405 error.
DAVx5 logs after adding excplicit CORS annotations
```bash 2024-04-23 19:13:32 5350 [network.HttpClient] --> PROPFIND https://nextcloud.domain.org/ h2 2024-04-23 19:13:32 5350 [network.HttpClient] Depth: 0 2024-04-23 19:13:32 5350 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14 2024-04-23 19:13:32 5350 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5 2024-04-23 19:13:32 5350 [network.HttpClient] Content-Type: application/xml; charset=utf-8 2024-04-23 19:13:32 5350 [network.HttpClient] Content-Length: 198 2024-04-23 19:13:32 5350 [network.HttpClient] Host: nextcloud.domain.org 2024-04-23 19:13:32 5350 [network.HttpClient] Connection: Keep-Alive 2024-04-23 19:13:32 5350 [network.HttpClient] Accept-Encoding: gzip 2024-04-23 19:13:32 5350 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=pk5ZtvMczxv9NDTpvGHK5jpn%2FtjouU7lgLxyziS7rgiRRE3XkGNLzM4VJZXe7U1wq%2BdccZyf7mLlIaERwsGVDIL9N9CT3w6ASnW7NREBynQLowqjsipIcivVWdqdKS%2BW; oc4sncy5go9g=b42d9a10347aa65d7a8ad1a755536214; stickounet=1713892414.005.13187.415743|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true 2024-04-23 19:13:32 5350 [network.HttpClient] 2024-04-23 19:13:32 5350 [network.HttpClient]405 Not Allowed
So, those Kubernetes annotations are essentially ineffective and permit unrestricted access. I'm not entirely convinced that this is beneficial for security purposes.
Wayout
It appears that the "discovery" functionality is not functioning properly. However, it is possible to manually configure DAVx5 to sync contacts by obtaining the URL from the web interface. It seems like the URL format is:
https://nextcloud.domain.org/remote.php/dav/addressbooks/users/username/contacts/Addional
If someone could provide annotations for CORS, HSTS, etc. to enhance security, caching, and load balancing, I would greatly appreciate it. If someone revised my configuration from a high availability (HA) and security best practices standpoint, or offered criticism, I would be very grateful.
It's quite odd that nginx is disclosing its version. I believe it's preferable to disable server tokens by default in the configuration of the nextcloud-nginx container.