Cannot connect to NC26 WebDAV behind Nginx reverse proxy

The issue:
I cannot connect to WebDAV by domain through the nginx reverse proxy.
But I can successfully connect to WebDAV by IP directly to NextCloud/apache2.

My NextCloud in the browser works well through the reverse proxy. Only WebDAV has a problem.

I think this might be a problem with the Nginx reverse proxy config, but I don't know how to fix it.
I appreciate any help.

===================================================================

Nextcloud version : 26.0.1.1
Operating system and version : Server&Proxy: Debian11; Client: Windows10
reverse proxy nginx version : 1.18.0 | 1.24.0 (tried both)
PHP version : 8.1

Steps to replicate it:

  1. Install NextCloud-Apache2-php8.1 on a server.
  2. Set up an Nginx reverse proxy on another machine.
  3. Check in the browser: NextCloud through the reverse proxy works well.
  4. On Win10, try to connect to the NextCloud server's WebDAV by IP: works fine. But when trying to connect to WebDAV by domain through the reverse proxy, it fails.

My config.php file :

<?php
$CONFIG = array (
  'overwritehost' => 'MY_DOMAIN:9999',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/nextcloud',
  'instanceid' => 'instanceid',
  'passwordsalt' => 'passwordsalt',
  'secret' => 'secret',
  'trusted_domains' => 
  array (
    0 => '192.168.0.206',
    1 => 'MY_DOMAIN',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.0.202',
  ),
  'datadirectory' => '/data/data/nextcloud',
  'dbtype' => 'mysql',
  'version' => '26.0.1.1',
  'overwrite.cli.url' => 'https://MY_DOMAIN:9999/nextcloud/',
  'htaccess.RewriteBase' => '/nextcloud/',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.0.203:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'password',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'memories.exiftool' => '/data/software/nextcloud/apps/memories/exiftool-bin/e>
  'memories.vod.path' => '/data/software/nextcloud/apps/memories/exiftool-bin/g>
  'default_phone_region' => 'CN',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis', 
  'redis' => 
  array (
    'host' => '127.0.0.1',
    'port' => 6379,
  ),
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\Movie',
    1 => 'OC\\Preview\\PNG',
    2 => 'OC\\Preview\\JPEG',
    3 => 'OC\\Preview\\GIF',
    4 => 'OC\\Preview\\BMP',
    5 => 'OC\\Preview\\XBitmap',
    6 => 'OC\\Preview\\MP3',
    7 => 'OC\\Preview\\MP4',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
    10 => 'OC\\Preview\\PDF',
    11 => 'OC\\Preview\\MKV',
    12 => 'OC\\Preview\\AVI',
  ),
  'preview_max_memory' => 4096,
  'preview_max_filesize_image' => 256,

  'maintenance' => false,
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'memories.gis_type' => 1,
  'memories.exiftool_no_local' => true,
);

My Nginx config:

server {
    listen 9999 ssl default_server http2;
    listen [::]:9999 ssl default_server http2;

    server_name MY_DOMAIN;

    # redirect all http request to https.
    error_page 497 https://$http_host$uri$is_args$args;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_tokens off;

    # deny all un-wanted request
    location / {
        return 444;
    }

    location = /.well-known/carddav { return 301 $scheme://$http_host/nextcloud/remote.php/dav; }
    location = /.well-known/caldav { return 301 $scheme://$http_host/nextcloud/remote.php/dav; }
    location = /.well-known/webfinger { return 301 $scheme://$http_host/nextcloud/index.php/.well-known/webfinger; }
    location = /.well-known/nodeinfo { return 301 $scheme://$http_host/nextcloud/index.php/.well-known/nodeinfo; }

    location ^~ /nextcloud {
        client_max_body_size 128G;
        client_body_timeout 3600s;
        fastcgi_buffers 64 4k;
        
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        client_body_buffer_size 512k;

        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  REMOTE-HOST $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto 'https';
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header  Upgrade $http_upgrade;
        proxy_set_header  Connection "upgrade";

        proxy_pass http://192.168.0.206/nextcloud;
    }
}

I can NOT tell what’s exactly wrong here, but I also use an Nginx reverse proxy. This is my file: homecloud-docker/00-default.conf at main · a3linux/homecloud-docker · GitHub

Thanks for your config! Do you use the Nginx reverse proxy for WebDAV?
I tried almost the same config but it still doesn't work, only for WebDAV.
Maybe I missed something in the nginx or Nextcloud config.

Yes. All my traffic goes through the Nginx reverse proxy.

Weird, I could get WebDAV connected with a client like WinSCP. But I cannot mount WebDAV in Windows Explorer as a network location.
So the problem could be something between Windows and nginx. I have already set up the Windows WebClient, and the connection is over HTTPS. I don't know if I missed something.
Can you mount your WebDAV on Windows?

I'm using a self-signed cert, not sure if this could be the point.

Windows WebDAV has issues with TLS validation; I do know self-signed certs definitely don’t work. I’ve never managed to get it working correctly on Windows 10, but Windows 11 works fine.

Oh. I never tested with a self-signed certificate over WebDAV. I used a ZeroSSL one in my production environment.

Thank you so much for all your help!
I think the self-signed certificate would be the problem. I will try more in my tests.

For anyone who meets the same problem in the future:

Finally I verified that my config is basically correct, and the problem is that I'm using a self-signed certificate, which is not allowed to pass the Windows safety check. After I changed my self-signed certificate to a Let’s Encrypt one, all the problems were gone.

1 Like
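
A diagnostic for the failure identified in this thread, added here as an example and not part of any poster's message: it sends a WebDAV PROPFIND through the proxy with strict certificate validation and reports whether the failure is certificate trust or the proxy path. The function names are hypothetical, MY_DOMAIN, port 9999 and the /nextcloud/remote.php/dav/ path are the thread's own placeholders, and it assumes it is run on the Windows client, where Python's default TLS context loads the Windows certificate store.

```python
import http.client
import ssl

# OpenSSL verify codes that mean "chain does not end in a root this host trusts".
UNTRUSTED = {
    18: "self-signed leaf certificate",
    19: "self-signed CA in chain, not in the local trust store",
    20: "issuer not found in the local trust store",
    21: "incomplete chain sent by the proxy",
}

def classify_verify_code(code, message=""):
    """Turn an X509 verify code into a short diagnosis."""
    if code in UNTRUSTED:
        return "tls-untrusted: " + UNTRUSTED[code]
    if code == 62:
        return "tls-hostname-mismatch"
    if code == 10:
        return "tls-expired"
    return "tls-other: %s (%s)" % (code, message)

def interpret_status(status):
    """Read the proxy's answer to an unauthenticated PROPFIND."""
    if status in (207, 401):
        return "dav-ok: TLS trusted and WebDAV reachable (HTTP %d)" % status
    if status in (301, 302, 307, 308):
        return "dav-redirect: HTTP %d, follow Location and re-test" % status
    return "dav-unexpected: HTTP %d" % status

def probe_webdav(host, port, dav_path, timeout=5.0):
    """PROPFIND through the proxy with strict certificate validation."""
    ctx = ssl.create_default_context()  # system roots, hostname check enabled
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("PROPFIND", dav_path, headers={"Depth": "0"})
        return interpret_status(conn.getresponse().status)
    except ssl.SSLCertVerificationError as err:
        return classify_verify_code(err.verify_code, err.verify_message)
    except (OSError, http.client.HTTPException) as err:
        # Includes nginx "return 444", which closes the connection without a reply.
        return "unreachable: %s" % type(err).__name__
    finally:
        conn.close()

if __name__ == "__main__":
    # MY_DOMAIN and port 9999 are the placeholders used in the thread.
    print(probe_webdav("MY_DOMAIN", 9999, "/nextcloud/remote.php/dav/"))
```

A `tls-untrusted` result with a browser that still loads the site means the browser has a stored exception for the certificate; the probe, like a strict WebDAV client, has none.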

Glad to know that. Thanks.