Can't get rid of "/.well-known/caldav" problem

Nextcloud version: 21.0.2 (Docker Apache insecure)
Operating system and version: ‘Debian 10 Buster’
Apache or nginx version: Apache/2.4.38
PHP version (eg, 7.4): PHP 7.3.27-1~deb10u1 (cli)

The issue you are facing:
My problem is that this warning doesn’t disappear although I tried everything I read around here.
Before, my server was running on a Raspberry Pi, not in Docker. There I could resolve this issue easily. Now with Docker I am not able to fix it… But I think everything works just fine, that’s the weird part. Maybe someone can look over my configs and tell me what the problem might be?

Docker-Compose File:

# Compose stack for Nextcloud: MariaDB, Redis, the Nextcloud Apache image, a
# cron sidecar and Collabora. No service here terminates TLS; the app container
# serves plain HTTP on container port 80.
services:
  db:
    # NOTE(review): no tag is given, so this resolves to the floating `latest`
    # tag; pinning a MariaDB version makes upgrades deliberate.
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - ./Container-Daten/db:/var/lib/mysql
    environment:
      # Root password is set inline (redacted in the post) while db.env carries
      # the remaining settings. Keeping it in db.env or a Docker secret keeps
      # the credential out of a file that gets pasted or committed.
      - MYSQL_ROOT_PASSWORD=****************
    env_file:
      - db.env

  # No ports are published for Redis, so only containers on the compose
  # network can reach it. No password is configured in this file.
  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:apache
    restart: always
    ports:
      # Host port redacted in the post. A mapping without a host IP publishes
      # on every host interface, so the container's plain-HTTP port is
      # reachable next to the TLS reverse proxy.
      # NOTE(review): if the proxy runs on this host, prefixing the mapping
      # with 127.0.0.1 limits access to the proxy - confirm where it runs.
      - ****:80
    volumes:
      - ./Container-Daten/html:/var/www/html
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      # NOTE(review): VIRTUAL_HOST is the variable read by automatic proxy
      # containers such as nginx-proxy; presumably unused with the hand-written
      # Apache proxy shown in this post - confirm.
      - VIRTUAL_HOST=nextcloud.secureserver.de
    env_file:
      - db.env
    depends_on:
      - db
      - redis

  # Second container from the same image, sharing the html volume, started
  # with /cron.sh as its entrypoint. It publishes no ports.
  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - ./Container-Daten/html:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  collab:
    # NOTE(review): untagged image, same pinning consideration as for db.
    image: collabora/code
    ports:
      # Published the same way as the app port; the same exposure
      # consideration applies to container port 9980.
      - ****:9980
    environment:
      - domain=nextcloud.secureserver.de
    restart: always

Apache2 Reverse Proxy Config:
(Tried RewriteRule here but didn’t work)

# Plain-HTTP virtual host: both the Redirect and the RewriteRule below send
# every request to the HTTPS site, so either one alone would be enough.
<VirtualHost *:80>
    ServerName nextcloud.secureserver.de
    DocumentRoot /var/www/html
    Redirect permanent / https://nextcloud.secureserver.de/
RewriteEngine on
RewriteCond %{SERVER_NAME} =nextcloud.secureserver.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# NOTE(review): this <IfModule mod_ssl.c> is not closed anywhere in the pasted
# excerpt.
<IfModule mod_ssl.c>
  # TLS terminates here; every request is then forwarded to the container over
  # plain HTTP (backend address and port are redacted in the post).
  <VirtualHost _default_:443>
    ServerName nextcloud.secureserver.de
    DocumentRoot /var/www/html
    # The backend receives the public Host header, so redirects it issues
    # carry the public hostname.
    ProxyPreserveHost On
    ProxyPass / http://192.168.178.**:****/
    # ProxyPassReverse only rewrites Location headers that begin with the
    # backend URL given here. A backend redirect to
    # http://nextcloud.secureserver.de/... does not match that prefix, so it
    # reaches the client with the http:// scheme unchanged.
    ProxyPassReverse / http://192.168.178.**:****/ 
SSLCertificateFile /etc/letsencrypt/live/nextcloud.secureserver.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.secureserver.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
  # Settings for the proxy host's own /var/www/html.
  # NOTE(review): requests are proxied rather than served from this directory,
  # so these settings presumably never reach the Nextcloud files inside the
  # container - confirm.
  <Directory /var/www/html/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  # HSTS is declared outside the virtual host; "always" adds it to redirects
  # and error responses as well as to successful ones.
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
# Disabled attempt at the .well-known redirects.
# NOTE(review): outside a <Directory>/.htaccess context the matched path
# starts with "/", so a pattern beginning with ^\.well-known would not match,
# and rewrite rules declared at server level are not inherited by a virtual
# host by default.
#<IfModule mod_rewrite.c>
#  RewriteEngine on
#  RewriteRule ^\.well-known/carddav remote.php/dav [R=301,L]
#  RewriteRule ^\.well-known/caldav remote.php/dav [R=301,L]
#</IfModule>

Nextcloud .htaccess file in the root folder "html"

# Response-header section of the .htaccess inside the Nextcloud container:
# Authorization pass-through for FastCGI setups, security headers, and cache
# lifetimes for static files.
<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       # Copy the Authorization request header into an environment variable
       # and re-expose it as the XAuthorization request header.
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>



  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    # Only same-origin pages may frame the instance (clickjacking defence).
    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    # Legacy header; current browsers no longer act on it.
    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    # NOTE(review): presumably read by Nextcloud's setup checks to detect that
    # this section is active - confirm.
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
# PHP settings applied only when PHP runs as the Apache module mod_php7.
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    # NOTE(review): presumably a marker Nextcloud checks to confirm that this
    # .htaccess is being honoured - confirm.
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
# Rewrite rules evaluated inside the container, in per-directory (.htaccess)
# context, which is why the patterns carry no leading slash.
<IfModule mod_rewrite.c>
  RewriteEngine on
  # Requests for the site root from a user agent containing "DavClnt" are sent
  # to the WebDAV endpoint.
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  # Expose the Authorization request header to PHP as HTTP_AUTHORIZATION.
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  # The redirect targets are host-relative paths, so Apache builds the
  # absolute Location itself from the scheme and host it sees. The reverse
  # proxy talks to the container over plain HTTP, which matches the
  # "Location: http://..." seen in the curl output further down the thread.
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  # Answer 404 for internal directories so their contents are not served.
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  # Remaining .well-known paths go to index.php, except the two
  # certificate-validation prefixes.
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  # Answer 404 for dot-files (other than .well-known) and the listed
  # tooling/metadata name prefixes.
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
# MIME type and encoding for SVG, index file order, default charset, and two
# switches: directory listings off and mod_pagespeed off.
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
# Never generate an automatic listing for a directory without an index file.
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

# Front-controller section: every request that is not a static asset or one of
# the listed entry points is handed to index.php.
# NOTE(review): this part below the "DO NOT CHANGE" marker is presumably
# generated by Nextcloud from 'htaccess.RewriteBase' in config.php - confirm.
ErrorDocument 403 //
ErrorDocument 404 //
<IfModule mod_rewrite.c>
  Options -MultiViews
  # None of the patterns in this section contains a capture group, so $1
  # expands to an empty string.
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  # Exclusions: static file extensions, the direct PHP entry points, and the
  # certificate-validation paths under .well-known.
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Nextcloud config.php in html/config/:

<?php
// Nextcloud instance configuration as posted. Secrets (instanceid,
// passwordsalt, secret, dbpassword, SMTP credentials) and the Redis port are
// redacted with asterisks, so the file is not valid PHP exactly as shown.
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    // Empty password: acceptable only while Redis stays unreachable from
    // outside the container network.
    'password' => '',
    'port' => ******,
  ),
  'instanceid' => '**************',
  'passwordsalt' => '**************************************',
  'secret' => '******************************************',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.secureserver.de',
  ),
  // NOTE(review): Nextcloud compares trusted_proxies with the connecting
  // address and documents IP addresses or CIDR ranges for it. A hostname
  // entry presumably never matches, in which case forwarded client-IP headers
  // are ignored and every request appears to come from the proxy (relevant
  // for brute-force throttling and logs) - confirm and list the proxy's IP.
  'trusted_proxies' =>
  array (
    0 => 'nextcloud.secureserver.de',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://nextcloud.secureserver.de',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '**************',
  'installed' => true,
  // Make Nextcloud build its own URLs as https://nextcloud.secureserver.de.
  // NOTE(review): this covers URLs generated by PHP; redirects issued by
  // Apache rewrite rules in .htaccess are presumably not affected - confirm.
  'overwritehost' => 'nextcloud.secureserver.de',
  'overwriteprotocol' => 'https',
  // Lets the listed app install even if it does not declare support for this
  // Nextcloud version.
  // NOTE(review): occweb presumably exposes occ commands through the web UI;
  // confirm it is still needed.
  'app_install_overwrite' =>
  array (
    0 => 'occweb',
  ),
  // NOTE(review): this array has no key in the paste; the class names suggest
  // the 'enabledPreviewProviders' => line was lost when copying. As written,
  // PHP would store it under integer key 0.
  array (
    0 => 'OC\\Preview\\TXT',
    1 => 'OC\\Preview\\MarkDown',
    2 => 'OC\\Preview\\OpenDocument',
    3 => 'OC\\Preview\\PDF',
    4 => 'OC\\Preview\\MSOffice2003',
    5 => 'OC\\Preview\\MSOfficeDoc',
    6 => 'OC\\Preview\\Image',
    7 => 'OC\\Preview\\Photoshop',
    8 => 'OC\\Preview\\TIFF',
    9 => 'OC\\Preview\\SVG',
   10 => 'OC\\Preview\\Font',
   11 => 'OC\\Preview\\MP3',
   12 => 'OC\\Preview\\Movie',
   13 => 'OC\\Preview\\MKV',
   14 => 'OC\\Preview\\MP4',
   15 => 'OC\\Preview\\AVI',
  ),
  'mail_from_address' => '*********',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '****.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => '*********',
  'mail_smtpport' => '****',
  'mail_smtpname' => '**************@*****.com',
  'mail_smtppassword' => '**********',
  'mail_smtpsecure' => 'ssl',
  // Duplicate of the first entry in this array; in a PHP array literal the
  // later value wins, and both are '/'.
  'htaccess.RewriteBase' => '/',
  'default_phone_region' => 'DE',
);

It’s a reverse proxy issue that you can verify by issuing

# -I sends a HEAD request and prints only the response headers.
# -k turns off certificate verification; omit it when the server presents a
# valid certificate so that a TLS problem is not hidden.
curl -kI https://YOURSERVERNAME/.well-known/carddav

on a client. You expect location: https://… but you get location: http://…, right?

If your reverse proxy was NGINX I assume all you need to add is proxy_redirect http:// https://; so that responses get rewritten back to https. Here’s the config I use on NGINX: A standard HTTPS terminating server { } block with just this location:

# Forward every request to the backend over plain HTTP; TLS ends at the
# enclosing server block.
location / {
    # 0 disables nginx's request-body size check, leaving upload limits to the
    # backend.
    client_max_body_size 0;
    proxy_pass http://INTERNAL_IP;
    # Replace a leading http:// with https:// in Location and Refresh headers
    # returned by the backend, so redirects it builds with the wrong scheme
    # still point at the HTTPS site.
    proxy_redirect http:// https://;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Hard-coded because this location lives in the HTTPS-terminating server
    # block only.
    # NOTE(review): X-Forwarded-For is not set here. Nextcloud reads the client
    # address from that header by default, so the backend presumably sees only
    # the proxy address unless it is added - confirm.
    proxy_set_header X-Forwarded-Proto "https";
}

Yes, that is exactly what is happening!

HTTP/1.1 301 Moved Permanently
Date: Fri, 04 Jun 2021 00:20:06 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=15768000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Location: http://nextcloud.secureserver.de/remote.php/dav/
Content-Type: text/html; charset=iso-8859-1

I don’t really know how to solve this problem and sadly I don’t understand it as well…

I thought this would do the redirect in the Apache Proxy?

# These lines sit in the port-80 virtual host, so they act only on requests
# that arrive over plain HTTP. They do not touch the Location header of a
# redirect that the backend returns for a request made over HTTPS.
RewriteEngine on
RewriteCond %{SERVER_NAME} =nextcloud.secureserver.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Thank you very much for your help!

Sorry, didn’t realize you’re using Apache Proxy, was assuming NGINX, edited my post above accordingly. I switched to NGINX a couple of years ago and never had to configure reverse proxies using Apache, so I can’t help here. Yet from your rules I don’t deduce that any of them converts responses back to https, so you need to figure out how that works using Apache.

I’m not a pro at Apache config - my Apache-based Nextcloud docker works like a charm behind a traefik2 proxy without any changes to the Apache config.

According to reverse proxy Apache2 guide the relevant directives are

# Virtual-host context: the pattern is matched against the full URL path,
# hence the leading slash. The absolute https:// target fixes the scheme of
# the Location header at the proxy instead of leaving it to the backend.
RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

your config has similar directives commented out - is there a reason for it?

Yeah, the reason is that I tried with and without it and nothing helps :confused:
Also didn’t forget to reload apache.
I also thought maybe it’s something with the image because it’s the apache image of nextcloud?
But in theory .htaccess should take care of it…

If you tested the config exactly as shown, maybe this was the reason it didn’t succeed: your directives differ from what the admin guide recommends - https://%{SERVER_NAME}/ is missing.

Maybe this information is helpful in some way?
image

@wwe I have tried exactly what you sent me in the reverse proxy config. Actually tried many different versions of that rewrite rule and also disabled it in .htaccess, only enabled it in the Apache config. The other way around as well. Sadly couldn’t make it work until now :frowning:

@SimonWolf as I already said, I’m not an expert in Apache config. My docker/apache+traefik installation reports 207 for /webdav+/caldav/carddav in the Network tab of the Firefox F12 tools

image

the most important difference to your screenshot is your browser access http:// cloud - maybe this is the problem and I see in my case the client access /remote.php/webdav in your case it’s /remote.php/dav and I don’t see

I trust you tested a lot of variants, but I can only judge from what I see, and I don’t see https://%{SERVER_NAME} and /remote.php/webdav now

Was finally able to get rid of this issue and it’s a really obvious answer…
“Redirect permanent” was the problem.

Just adding

  # NOTE(review): in the full config below these lines are in the port-80
  # virtual host. Plain-HTTP requests are then proxied to Nextcloud instead of
  # being redirected to HTTPS, and the two rules redirect to http:// URLs, so
  # logins over http:// would travel unencrypted. Clients on HTTPS only hit
  # the matching https:// rules in the port-443 virtual host.
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:**PORT**/
  ProxyPassReverse / http://127.0.0.1:**PORT**/
  RewriteEngine On
  RewriteRule ^/\.well-known/carddav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

instead of

# Removing these lines also removes the only HTTP-to-HTTPS redirect from the
# port-80 virtual host.
Redirect permanent / https://cloud.secureserver.de/
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.secureserver.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

This is what the working config now looks like:

# Port-80 virtual host as posted in the accepted answer.
# NOTE(review): it no longer redirects to HTTPS. Every plain-HTTP request is
# proxied to Nextcloud and the .well-known rules answer with http:// URLs, so
# a client that starts on http:// can log in without TLS. The HSTS header
# below only helps browsers that have already visited over HTTPS. Keeping a
# redirect to https:// here preserves HTTPS enforcement; the rules an HTTPS
# client hits are the ones in the port-443 virtual host.
<VirtualHost *:80>
  ServerName cloud.secureserver.de
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:**PORT**/
  ProxyPassReverse / http://127.0.0.1:**PORT**/
  RewriteEngine On
  RewriteRule ^/\.well-known/carddav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
  # TLS terminates here; requests are forwarded to the container over plain
  # HTTP.
  <VirtualHost _default_:443>
    ServerName cloud.secureserver.de
    DocumentRoot /var/www/html
    ProxyPreserveHost On
    # NOTE(review): the port-80 host reaches the backend on 127.0.0.1, which
    # suggests proxy and container share a machine. If so, this host could use
    # 127.0.0.1 as well and the container port could be bound to loopback, so
    # the plain-HTTP port is not reachable from the LAN - confirm.
    ProxyPass / http://192.168.178.94:**PORT**/
    ProxyPassReverse / http://192.168.178.94:**PORT**/
    # The absolute https:// targets fix the scheme of the Location header at
    # the proxy instead of leaving it to the backend.
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/cloud.secureserver.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.secureserver.de/privkey.pem

    # Settings for the proxy host's own /var/www/html.
    # NOTE(review): requests are proxied rather than served from this
    # directory, so these presumably do not affect the Nextcloud files inside
    # the container - confirm.
    <Directory /var/www/html/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
      LimitRequestBody 0
      SSLRenegBufferSize 10486000
  </Directory>
  # HSTS now sits inside the HTTPS virtual host; "always" adds it to redirects
  # and error responses as well.
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
  </VirtualHost>
</IfModule>

Thanks! This solves a pretty annoying issue where iPhones show an “SSL error” in the calendar app.