Can't connect to Nextcloud server from my iPad

My Nextcloud server version: 16.0.4 (latest)
Operating system and version: FreeNAS 11.2-U6 (FreeBSD 11.2) jail (latest)
Apache or nginx version: apache24-2.4.41 (latest)
PHP version: php72-7.2.22 (latest)

The issue I’m facing:
I’m trying to connect to my nextcloud server from my iPad (iOS v. 12.4.1 - latest).

My nextcloud server’s jail IP is 10.0.0.14, but I access it and all my other web services via an nginx (v. 1.16.1_2,2) reverse proxy installed in another FreeNAS jail. All my web services have hostnames that are subdomains of my domain, e.g. nextcloud.mydomain.com.
The reverse proxy takes care of the traffic encryption.
The only allowed encryption protocol is TLSv1.2.
Allowed ciphers:

  • DHE-RSA-AES256-GCM-SHA512
  • DHE-RSA-AES256-GCM-SHA512
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384

Both ssllabs.com and scan.nextcloud.com give me an A+ rating (highest).

All my clients (Windows, Linux, Android, both apps and browsers) can connect to nextcloud.mydomain.com with one exception: my iPad.
It could connect in the past, but now no more and I can’t figure out why.
What doesn’t work: connecting to nextcloud.mydomain.com, either via app (v. 2.2.4.1 - latest) or browser. Via app, I get a connection error. Via browser (Safari and Firefox), I get a blank page.
What works: connecting to 10.0.0.14 (nextcloud server’s internal IP), both via app and via browser.
I’ve removed and reinstalled the app from the App Store, but to no avail. And I’d be surprised if it were otherwise, because it can’t connect even from web browsers.

As soon as I discovered a lot of entries such as:

Bruteforce attempt from "10.0.0.116" detected for action "login".
Login failed: '(null)' (Remote IP: '10.0.0.116')

on my Settings > Logging page, I deleted all entries in the oc_bruteforce_attempts table on my nextcloud db and restarted the nextcloud jail, but the issue is still there.

I don’t know what else to try. Do you have any suggestions?

This is the output of /usr/local/www/apache24/data/nextcloud/config/config.php:

<?php
$CONFIG = array (
  'passwordsalt' => '***',
  'secret' => '***',
  'trusted_proxies' => array ('10.0.0.20'),
  'trusted_domains' => array ('nextcloud.mydomain.com'),
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'datadirectory' => '/mnt/files',
  'version' => '16.0.4.1',
  'dbtype' => 'mysql',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '***',
  'installed' => true,
  'instanceid' => 'ocrbwerjkt2c',
  'logtimezone' => 'Europe/Rome',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => '1',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/tmp/redis.sock',
    'port' => 0,
  ),
  'htaccess.RewriteBase' => '/',
  'maintenance' => false,
  'theme' => '',
  'mail_from_address' => 'admin',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'nextcloud.mydomain.com',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.myisp.it',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'myname',
  'mail_smtppassword' => '***',
  'updater.release.channel' => 'stable',
  'mysql.utf8mb4' => true,
  'app_install_overwrite' =>
  array (
    0 => 'calendar',
  ),
  'mail_sendmailmode' => 'pipe',
);

By the way, is it okay if there is no php end tag? I don’t know a thing about php, but in general tags that are opened should be closed, shouldn’t they? Perhaps I deleted it by mistake. Yet, I get no errors.

Relevant line from my Apache log (/var/log/nextcloud.log):

{"reqId":"m8qm3wLp1v5bB5ZFG1lQ","level":1,"time":"2019-09-21T09:05:13+02:00","remoteAddr":"10.0.0.116","user":"--","app":"core","method":"PROPFIND","url":"\/remote.php\/webdav\/eBooks\/Richard%20Mansfield","message":"Bruteforce attempt from \"10.0.0.116\" detected for action \"login\".","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.23.8","version":"16.0.4.1"}

Thanks a lot for your time.
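An added example (mine, not from this thread or from Nextcloud's code) showing why the two log entries above name the iPad's address rather than the proxy's, and how to triage such entries. The effective-address rule is my reading of Nextcloud 16's Request::getRemoteAddress(): if the TCP peer is listed in trusted_proxies, the first syntactically valid entry of X-Forwarded-For is used, otherwise the peer address is; verify it against the version you run, since CIDR handling and header parsing have changed across releases. The sample nextcloud.log lines are constructed, modelled on the one entry quoted in the post.

```python
"""Model of the client address Nextcloud logs/throttles behind a reverse
proxy, plus a triage of 'Bruteforce attempt' entries from nextcloud.log.

Assumptions (not taken from the thread or from Nextcloud's source):
  - trusted_proxies is matched by exact address, as in the post's config.
  - the first valid IP in X-Forwarded-For wins (my reading of NC 16).
"""
import ipaddress
import json
from collections import defaultdict


def effective_client_ip(peer_ip, trusted_proxies, x_forwarded_for=None):
    """Return the address Nextcloud would record for this request."""
    if peer_ip in trusted_proxies and x_forwarded_for:
        for hop in x_forwarded_for.split(","):
            hop = hop.strip()
            try:
                ipaddress.ip_address(hop)
                return hop  # first syntactically valid entry wins
            except ValueError:
                continue    # skip garbage such as 'unknown'
    return peer_ip


# Constructed sample of nextcloud.log (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"reqId":"a1","level":1,"time":"2019-09-21T09:05:13+02:00","remoteAddr":"10.0.0.116","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/webdav/","message":"Bruteforce attempt from \\"10.0.0.116\\" detected for action \\"login\\".","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/2.23.8","version":"16.0.4.1"}
{"reqId":"a2","level":2,"time":"2019-09-21T09:05:13+02:00","remoteAddr":"10.0.0.116","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/webdav/","message":"Login failed: '(null)' (Remote IP: '10.0.0.116')","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/2.23.8","version":"16.0.4.1"}
{"reqId":"a3","level":1,"time":"2019-09-21T09:06:01+02:00","remoteAddr":"10.0.0.116","user":"--","app":"core","method":"GET","url":"/status.php","message":"Bruteforce attempt from \\"10.0.0.116\\" detected for action \\"login\\".","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/2.23.8","version":"16.0.4.1"}
{"reqId":"a4","level":1,"time":"2019-09-21T09:07:40+02:00","remoteAddr":"10.0.0.50","user":"bob","app":"core","method":"PROPFIND","url":"/remote.php/webdav/","message":"Bruteforce attempt from \\"10.0.0.50\\" detected for action \\"login\\".","userAgent":"Mozilla/5.0 (Windows) mirall/2.5.3","version":"16.0.4.1"}
"""


def triage_bruteforce(log_text):
    """Group 'Bruteforce attempt' entries by remoteAddr.

    Returns {addr: {"count": n, "agents": {ua, ...}, "last": iso_time}} so
    you can see which client (and which app) is being throttled.
    """
    hits = defaultdict(lambda: {"count": 0, "agents": set(), "last": ""})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not entry.get("message", "").startswith("Bruteforce attempt"):
            continue
        rec = hits[entry["remoteAddr"]]
        rec["count"] += 1
        rec["agents"].add(entry.get("userAgent", "?"))
        rec["last"] = max(rec["last"], entry.get("time", ""))
    return dict(hits)


if __name__ == "__main__":
    proxy = "10.0.0.20"
    # Proxy trusted: the iPad is attributed correctly and throttled alone.
    print(effective_client_ip(proxy, ["10.0.0.20"], "10.0.0.116"))
    # Proxy NOT trusted: every client collapses into the proxy address, so
    # one misbehaving client throttles everyone behind that proxy.
    print(effective_client_ip(proxy, [], "10.0.0.116"))
    # Proxy appends instead of overwriting X-Forwarded-For: a client-supplied
    # first hop is what gets throttled, so the real client can dodge the limit.
    print(effective_client_ip(proxy, ["10.0.0.20"], "203.0.113.9, 10.0.0.116"))
    for addr, rec in triage_bruteforce(SAMPLE_LOG).items():
        print(addr, rec["count"], rec["last"], sorted(rec["agents"]))
```

The third case is the practical caveat: with a proxy that appends to X-Forwarded-For rather than replacing it, the first hop is chosen by the client, so make sure the proxy overwrites the header before relying on per-address throttling or whitelisting.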

It sounds like you have the brute force protection app installed and it has flagged your iPad. You can go into the settings under security and whitelist your LAN.

Thank you for your reply.
I’ve added my iPad’s IP to the whitelist (it gets a fixed DHCP lease), but I still can’t connect.
And that makes sense because I can connect to my server if I enter its internal IP address (10.0.0.14) but not if I enter its FQDN, which by the way resolves correctly to my WAN IP.
Any more ideas??

The FQDN should resolve to the Nextcloud LAN IP while on your LAN. This is normally achieved with split DNS. Many routers have issues with (or disallow entirely) clients accessing an external port forward from the LAN interface. If you can access it by the LAN IP but not the WAN IP, then I would say you are in this situation.

As I wrote in my first post, all other web services are reached when called by FQDN. Split DNS is managed by pfSense.
Any more ideas?

Check your web server logs. Is the iPad actually reaching it? Is there an error?

Good idea! Last time I checked, nothing relevant came up, but I’m going to change the log level so that more info is logged and check again. Tomorrow though, as today I’ll be traveling all day!

Ok, I’ve been running tail -f /var/log/httpd-access.log in my Nextcloud jail and found that when the Nextcloud app on the iPad tries to connect (failure):

10.0.0.20 - - [25/Sep/2019:09:03:48 +0200] "GET /status.php HTTP/1.0" 200 159

when Safari on iPad tries to connect (failure):

10.0.0.20 - - [25/Sep/2019:09:11:17 +0200] "GET / HTTP/1.0" 302 -

when Win10 app connects (success):

10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "GET /status.php HTTP/1.0" 200 159
10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.0" 207 377
10.0.0.20 - - [25/Sep/2019:09:04:49 +0200] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.0" 200 2033

By the way, 10.0.0.20 is my nginx reverse proxy.
The log doesn’t give me much of a clue; does it to anybody else?
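An added example (mine, not from the thread) that turns access-log lines like the ones above into per-client request sequences and flags the signature seen here: a client fetches /status.php and never proceeds to the WebDAV or OCS calls. With Apache's default %h field every request is attributed to the proxy, 10.0.0.20, so all clients land in one bucket; the parser therefore also accepts an optional trailing quoted X-Forwarded-For field, which assumes a LogFormat that appends %{X-Forwarded-For}i (hypothetical here; the post's log format does not include it). All sample lines are constructed.

```python
"""Reconstruct per-client request sequences from httpd-access.log behind a
reverse proxy and flag clients that stall after GET /status.php.

Assumption: lines are Apache 'common' format, optionally followed by one
quoted field holding X-Forwarded-For (not present in the post's own log).
"""
import re

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<xff>[^"]*)")?$'
)

# Constructed: the post's format, peer address only (everything is the proxy).
SAMPLE_NO_XFF = """\
10.0.0.20 - - [25/Sep/2019:09:03:48 +0200] "GET /status.php HTTP/1.0" 200 159
10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "GET /status.php HTTP/1.0" 200 159
10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.0" 207 377
10.0.0.20 - - [25/Sep/2019:09:04:49 +0200] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.0" 200 2033
10.0.0.20 - - [25/Sep/2019:09:11:17 +0200] "GET / HTTP/1.0" 302 -
"""

# Constructed: same traffic with a hypothetical trailing X-Forwarded-For field.
SAMPLE_WITH_XFF = """\
10.0.0.20 - - [25/Sep/2019:09:03:48 +0200] "GET /status.php HTTP/1.0" 200 159 "10.0.0.116"
10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "GET /status.php HTTP/1.0" 200 159 "10.0.0.30"
10.0.0.20 - - [25/Sep/2019:09:04:48 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.0" 207 377 "10.0.0.30"
10.0.0.20 - - [25/Sep/2019:09:04:49 +0200] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.0" 200 2033 "10.0.0.30"
10.0.0.20 - - [25/Sep/2019:09:11:17 +0200] "GET / HTTP/1.0" 302 - "10.0.0.116"
"""


def parse_access_log(text):
    """Parse recognised lines into dicts; unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def client_of(row):
    """First X-Forwarded-For hop when logged, else the TCP peer (the proxy)."""
    xff = row.get("xff")
    return xff.split(",")[0].strip() if xff else row["peer"]


def sequences(rows):
    """{client: [(method, path, status), ...]} in log order."""
    seq = {}
    for r in rows:
        seq.setdefault(client_of(r), []).append((r["method"], r["path"], r["status"]))
    return seq


def stalled_clients(seq):
    """Clients that hit /status.php but never made a WebDAV or OCS request."""
    out = []
    for client, reqs in seq.items():
        paths = [p for _, p, _ in reqs]
        probed = "/status.php" in paths
        went_on = any(p.startswith(("/remote.php/", "/ocs/")) for p in paths)
        if probed and not went_on:
            out.append(client)
    return sorted(out)


if __name__ == "__main__":
    # Peer-only log: one bucket, nothing can be singled out.
    print(stalled_clients(sequences(parse_access_log(SAMPLE_NO_XFF))))
    # With the forwarded address logged the iPad's stall stands out.
    print(stalled_clients(sequences(parse_access_log(SAMPLE_WITH_XFF))))
```

The empty first result is the point of the post's log: as long as Apache records only the peer, the access log cannot say which client stopped after /status.php, so either log the forwarded header or rely on nextcloud.log, where trusted_proxies already restores the client address.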

This guy solved it here!