Always need to re-login on sync clients

tuaris · October 1, 2023, 6:34pm

Nextcloud version (eg, 20.0.5): 27.0.0
Operating system and version (eg, Ubuntu 20.04): 13.2-RELEASE-p3
Apache or nginx version (eg, Apache 2.4.25): 2.4.57
PHP version (eg, 7.4): 8.1.20

The issue you are facing:

I am being signed out of Nextcloud automatically approximately every 12 - 48 hours. I have been unable to determine what is causing that.

On my Windows desktop, I noticed the icon change, then I have to manually log in again. The session appears to be cached since I am not prompted for a password.

On my Android device, I need to re-enter the URL, and re-enter my username and password.

The only recent change was upgrading to version 27.0.0

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

Update to 27.0.0
Log into devices
Wait a day or two, notice you have been logged out

Logs shows a lot of failed logins coming from my devices. It’s almost as if the clients themselves are “forgetting” the credentials.

The output of your Nextcloud log in Admin > Logging:

Info	no app in context	IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 192.168.0.85]	
2023-10-01T13:19:44-0400
Info	core	Bruteforce attempt from "192.168.0.85" detected for action "login".	
2023-10-01T13:19:43-0400
Warning	core	Login failed: 'daniel' (Remote IP: '192.168.0.85')	
2023-10-01T13:19:43-0400

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxx',
  'datadirectory' => '/media/cloud/data',
  'dbtype' => 'mysql',
  'version' => '27.0.0.8',
  'dbname' => 'nextcloud',
  'dbhost' => 'mysql.xxxxxxxxxxxxx.tld',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxx',
  'installed' => true,
  'forcessl' => true,
  'theme' => '',
  'maintenance' => false,
  'trusted_domains' => 
  array (
    0 => 'cloud.xxxxxxxxxxxxxxx.tld',
  ),
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'forceSSLforSubdomains' => false,
  'loglevel' => 0,
  'trashbin_retention_obligation' => 'auto',
  'overwrite.cli.url' => 'https://cloud.xxxxxxx.tld/',
  'htaccess.RewriteBase' => '/',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/media/cloud/data/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => 'memcache.xxxxxxxxxx.tld',
      1 => 11211,
    ),
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis.xxxxxxxxxxx.tld',
    'port' => 6379,
  ),
  'app_install_overwrite' => 
  array (
    0 => 'user_pwauth',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

192.168.0.85 - daniel [01/Oct/2023:12:17:11 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152149.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:11 -0400] "MKCOL /remote.php/dav/uploads/daniel/bd28e244b453264fdf8f80177c0dd841 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "PROPFIND /remote.php/dav/uploads/daniel/bd28e244b453264fdf8f80177c0dd841 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152151.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "MKCOL /remote.php/dav/uploads/daniel/b40eba491d7b9e353f3d4cce9c95ba0e HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "PROPFIND /remote.php/dav/uploads/daniel/b40eba491d7b9e353f3d4cce9c95ba0e HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:12 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152152.jpg HTTP/1.1" 401 -
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "MKCOL /remote.php/dav/uploads/daniel/dca39db776b3a557314a6e7453b6e120 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "PROPFIND /remote.php/dav/uploads/daniel/dca39db776b3a557314a6e7453b6e120 HTTP/1.1" 401 415
192.168.0.85 - daniel [01/Oct/2023:12:17:13 -0400] "HEAD /remote.php/dav/files/daniel/InstantUpload/20230922_152144.jpg HTTP/1.1" 401 -

The nextcloud.log

{"reqId":"yr7x26pYORud9vUhVpvp","level":0,"time":"2023-10-01T00:45:03+00:00","remoteAddr":"192.168.0.85","user":"--","app":"webdav","method":"MKCOL","url":"/remote.php/dav/uploads/daniel/a146bc92b8bc6173dd6be2a5d0115817","message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.25.0","version":"27.0.0.8","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php","line":364,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/remote.php","line":172,"args":["/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect","exception":{},"CustomMessage":"No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect"}}

just · October 1, 2023, 7:46pm

tuaris:

Info	no app in context	IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 192.168.0.85]	
2023-10-01T13:19:44-0400
Info	core	Bruteforce attempt from "192.168.0.85" detected for action "login".	
2023-10-01T13:19:43-0400
Warning	core	Login failed: 'daniel' (Remote IP: '192.168.0.85')	
2023-10-01T13:19:43-0400

Says you’ve been bruteforced. You’ll probably want to adjust this or trying disabling that app.

It is also likely that the problem stems from your actual browser based on how you’ve set it up. Or, could be how your device handles account credentials is what is giving it amnesia. Looks like a client side problem, but I’m not sure.

tuaris · October 21, 2023, 11:17pm

First I tried adding my local LAN subnet to the whitelist, no luck. Then I disabled the brute force app just last night and still getting kicked off the clients. Desktop and Mobile. It’s really odd.

just · October 21, 2023, 11:33pm

Disabling the app does not mean you are not still throttled. You’ll need to analyze your logs and such. Read the brute force documentation and github. Report the issue there if it helps once you analyze things more.

tuaris · November 22, 2023, 9:01pm

I just wonder what changed between 26.x and 27.x that would cause the issue to start all of a sudden.

All I notice in the logs is that this message appears right before the client gets logged out and starts to log the throttling messages:

{"reqId":"PCRntgMgK2ndQCQGJEHQ","level":0,"time":"2023-11-22T20:34:44+00:00","remoteAddr":"204.147.185.230","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/person/","message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","userAgent":"Mozilla/5.0 (Windows) mirall/3.10.1stable-Win64 (build 20231025) (Nextcloud, windows-10.0.17763 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"27.1.0.7","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php","line":365,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/remote.php","line":172,"args":["/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","exception":{},"CustomMessage":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"}}

It’s almost as if the server is giving the clients a token that expires before the client knows to renew it? Maybe a theory? I did check the time on the server and the clients, it’s all in sync.

tuaris · March 6, 2024, 7:48pm

I decided to test using app tokens. I set one up for my Android client, logs in just fine no errors. A few days later I get the “Upload failed log in again” “Wrong username or password” message.

According to my security settings page, the app token was last used 19 hours ago.

Log shows no entries from that time ('loglevel' => 3)

{"reqId":"nGL397c7xAswVZCRL9ra","level":3,"time":"2024-03-02T20:36:40+00:00","
{"reqId":"JzF6UtRnoxB7eQeNjSyb","level":3,"time":"2024-03-02T20:36:41+00:00","
{"reqId":"pO6uRKbVlGper46OnFgv","level":3,"time":"2024-03-02T20:38:33+00:00","
{"reqId":"MycyZ2IZV58VTR4LLVWV","level":3,"time":"2024-03-02T20:40:12+00:00","
{"reqId":"xM470WqXbH9xBGLACKeh","level":3,"time":"2024-03-02T20:40:53+00:00","
{"reqId":"VFeBBfpqvJIjp8rXzKBb","level":3,"time":"2024-03-04T17:38:09+00:00","
{"reqId":"32QTg46IJZCXKV3cJFrQ","level":3,"time":"2024-03-05T02:45:35+00:00","
{"reqId":"D0Ur4VAWTKdEPdSx17of","level":3,"time":"2024-03-06T19:42:36+00:00","

I’m currently at v28.0.1

tuaris · March 6, 2024, 7:57pm

Seems like I can’t use the same token to log in again, the client returns a 401 error on the screen and server logs shows:

{"reqId":"h6ZXnS3bDdVEkwWl1e89","level":0,"time":"2024-03-06T19:55:15+00:00","remoteAddr":"192.168.0.85","user":"--","app":"webdav","method":"HEAD","url":"/remote.php/dav","message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.28.0","version":"28.0.1.1","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/lib/Server.php","line":370,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/usr/local/www/nextcloud/remote.php","line":172,"args":["/usr/local/www/nextcloud/apps-pkg/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","exception":{},"CustomMessage":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"}}

I made a new token, scanned the QR code, then the app crashed. Yet, it seems to have logged me in. (I guess app tokens are one time use only)

Cause of error

Exception in thread "main" java.lang.RuntimeException: Unable to start activity ComponentInfo{com.nextcloud.client/com.owncloud.android.ui.activity.FileDisplayActivity}: java.lang.ClassCastException: java.util.ArrayList cannot be cast to java.util.Stack
    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2858)
    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2933)
    at android.app.ActivityThread.-wrap11(Unknown Source:0)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1612)
    at android.os.Handler.dispatchMessage(Handler.java:105)
    at android.os.Looper.loop(Looper.java:164)
    at android.app.ActivityThread.main(ActivityThread.java:6710)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:240)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:770)
Caused by: Exception in thread "main" java.lang.ClassCastException: java.util.ArrayList cannot be cast to java.util.Stack
    at com.owncloud.android.ui.activity.FileDisplayActivity.loadSavedInstanceState(FileDisplayActivity.java:296)
    at com.owncloud.android.ui.activity.FileDisplayActivity.onCreate(FileDisplayActivity.java:269)
    at android.app.Activity.performCreate(Activity.java:6980)
    at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1214)
    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2811)
    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2933)
    at android.app.ActivityThread.-wrap11(Unknown Source:0)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1612)
    at android.os.Handler.dispatchMessage(Handler.java:105)
    at android.os.Looper.loop(Looper.java:164)
    at android.app.ActivityThread.main(ActivityThread.java:6710)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:240)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:770)

App information

ID: com.nextcloud.client
Version: 30280090
Build flavor: generic

Device information

Brand: lge
Device: elsa
Model: LG-US996
Id: OPR1.170623.032
Product: elsa_nao_us

Firmware

SDK: 26
Release: 8.0.0
Incremental: 183241436cd40

tuaris · April 24, 2024, 12:00am

This problem doesn’t seem to be going away

I don’t think this has anything to do with blacklists or rate limiting. So far I am only seeing this on a single user. This is the only user that’s also using the Android app in addition to the desktop clients. I’m suspecting something with file sync is causing an error, but I do not know test/prove that.

When the Android client gets blocked, it also appears to prevent login from the browser, which I guess makes sense since both are on the same wifi network:

I wonder if that’s causing the desktop clients to sign out? Or maybe not… since I am also experiencing desktop client get signed out that’s on a completely different network.

Also, when I look in the security settings for that user, I see multiple copies of sessions for the same devices going back all the way to about a year ago when I upgraded to v27:

I’m pretty sure that’s related.

I’m still convinced there was a bug introduced in version 27. I don’t know how to narrow it down. Logs are not helping.

JimmyKater · April 24, 2024, 6:01am

pls always try to upgrade to the latest (point-) release of your chosen version. Maybe this is/was a known bug and got solved in the meanwhile

tuaris · May 3, 2024, 5:25am

I’ve been on 28.0.1 for a few months. I see 29 was recently released. I’ll upgrade to it next chance i get. The issue is pretty bad. Today I had the desktop client log itself out twice in a period of just under an hour. That’s the worst I’ve observed so far. I’m pretty convinced it has something to do with the Android client app.

JimmyKater · May 3, 2024, 5:31am

you seem to be pretty easy to become conviced by something

anyways… regarding some of your posted errormessages from above, I, myself, am pretty convinced that either your server isn’t setup correctly or your android-app.

Still we don’t know anything about your server environment neither about your problematic mobile device

tuaris · May 3, 2024, 6:35am

Lol, I’m just documenting my thought process. I’ve been troubleshooting this for almost half a year.

My server and environment information has been posted, but I’ll repeat it again (and add some extra detail) since this thread has gotten pretty long (and updates have been installed since then):

Nextcloud version: 28.0.4 (just updated from 28.0.1 a few moments ago)
Operating system and version: FreeBSD 13.2-RELEASE-p11
Apache version: 2.4.59
PHP version: 8.2.18
Android 8
Android client (installed from F-Droid): 3.29.0 (upgraded to that from 3.28.2 as I wrote this)
Desktop client: Windows 10, Ubuntu 20.04, FreeBSD 13, etc. Current Version at: 3.13.0

The setup is nothing too exotic. It’s a dedicated system provisioned for NextCloud when I decided to migrate from Owncloud a few years ago. Then another dedicated system where I have HAProxy in front of NextCloud/Apache using the Proxy protocol on port 8088. In front of that is Varnish and Hitch. (yes, I do still have the problem if I bypass HAProxy, Varnish, and Hitch).

Apache Virtual host config in httpd.conf

<VirtualHost *:8088>
	RemoteIPProxyProtocol On
    RemoteIPProxyProtocolExceptions 127.0.0.1

    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cloud.XXXXREDACTEDXXXXX.net

    ServerAlias cloud.XXXXREDACTEDXXXXX.* cloud
    php_admin_value open_basedir "/media/cloud/data:/tmp:/usr/local/www/nextcloud:/var/log/nextcloud"

    ErrorLog /var/log/cloud.XXXXREDACTEDXXXXX.net-error.log
    TransferLog /var/log/cloud.XXXXREDACTEDXXXXX.net-access.log

    <Directory "/usr/local/www/nextcloud">
        AllowOverride All
        Require all granted
        Options FollowSymLinks MultiViews
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cloud.XXXXREDACTEDXXXXX.net

    ServerAlias cloud.XXXXREDACTEDXXXXX.* cloud
    php_admin_value open_basedir "/media/cloud/data:/tmp:/usr/local/www/nextcloud:/var/log/nextcloud"

    ErrorLog /var/log/cloud.XXXXREDACTEDXXXXX.net-error.log
    TransferLog /var/log/cloud.XXXXREDACTEDXXXXX.net-access.log

    <Directory "/usr/local/www/nextcloud">
        AllowOverride All
        Require all granted
        Options FollowSymLinks MultiViews
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SSLEngine on
    SSLCertificateFile /usr/local/etc/ssl/certs/XXXXREDACTEDXXXXX.net.cert.pem
    SSLCertificateKeyFile /usr/local/etc/ssl/private/XXXXREDACTEDXXXXX.net.key.pem
    SSLCACertificateFile /usr/local/etc/ssl/certs/XXXXREDACTEDXXXXX-ca-bundle.pem
</VirtualHost>

HA Proxy:

frontend CacheFrontend
    bind    *:8080 accept-proxy
    mode http
    default_backend cloud

backend cloud
    server            default-server cloud.XXXXREDACTEDXXXXX.com:8088 send-proxy-v2

Varnish (in addition to it’s default out of the box caching, it’s redirecting HTTP to HTTPS)

varnishd_config="/usr/local/etc/varnish.d/default.vcl"
varnishd_storage="malloc,6G"
varnishd_extra_flags="-p feature=+http2 -a 127.0.0.1:8000,PROXY"

The VCL: /usr/local/etc/varnish.d/default.vcl

vcl 4.0;

import proxy;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .proxy_header = 2;
}

sub vcl_recv {
        if (!proxy.is_ssl() && req.http.Host == "cloud.XXXXREDACTEDXXXXX.net") {
            return (synth(750));
        }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.location = "https://" + req.http.Host + req.url;
        set resp.reason = "Moved";
        return (deliver);
    }
}

The configuration for Hitch is nothing special. I won’t post the whole thing. Here are the relevant parts:

frontend = "[*]:443"
backend = "[127.0.0.1]:8000"
write-proxy-v2 = on
proxy-proxy = off
pem-dir="/usr/local/etc/cert.d/"
alpn-protos = "h2,http/1.1"

My config.php

<?php
$CONFIG = array (
  'instanceid' => 'XXXXXREDACTEDXXXXXX',
  'passwordsalt' => 'XXXXXREDACTEDXXXXXX',
  'datadirectory' => '/media/cloud/data',
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'mysql.XXXXXREDACTEDXXXXXX.com',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXREDACTEDXXXXXX',
  'dbpassword' => 'XXXXXREDACTEDXXXXXX',
  'installed' => true,
  'forcessl' => true,
  'theme' => '',
  'maintenance' => false,
  'trusted_domains' => 
  array (
    0 => 'cloud.XXXXXREDACTEDXXXXXX.net',
  ),
  'secret' => 'XXXXXREDACTEDXXXXXX',
  'forceSSLforSubdomains' => false,
  'loglevel' => 0,
  'trashbin_retention_obligation' => 'auto',
  'overwrite.cli.url' => 'https://cloud.XXXXXREDACTEDXXXXXX.net/',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/media/cloud/data/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => 'memcache.XXXXXREDACTEDXXXXXX.com',
      1 => 11211,
    ),
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis.XXXXXREDACTEDXXXXXX.com',
    'port' => 6379,
  ),
  'app_install_overwrite' => 
  array (
    0 => 'user_pwauth',
  ),
  'mail_from_address' => 'cloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'XXXXXREDACTEDXXXXXX.net',
  'mail_smtphost' => 'mail.XXXXXREDACTEDXXXXXX.com',
  'mail_smtpport' => '25',
);

As far as Android app setup, beyond scanning the QR code, is there anything I could have done wrong?