Can't resolve /.well-known/webfinger using nginx, nginx-proxy and self-signed certificate on docker

Hello, I have been trying to set up Nextcloud on docker for the last two weeks and can’t really get it to work. I am using OMV6 as my OS and deployed Nextcloud using docker compose. I am only using Nextcloud locally behind a firewall. I only want http2 and ssl to work. The official Docker example compose file was the only way I found so far to get both working, even though I think the proxy is overkill and I have never used nginx before. My compose file looks like this and is based on the official example found here: [Example] docker/.examples/docker-compose/with-nginx-proxy/mariadb/fpm at master · nextcloud/docker · GitHub

```yaml
version: '2'

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - /appdata/nextcloud/db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=redacted
      - MYSQL_PASSWORD=redacted
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:26-fpm
    restart: always
    links:
      - db
    volumes:
      - /appdata/nextcloud/app:/var/www/html:z
      - /appdata/nextcloud/tmp-app:/tmp
      - /srv/dev-disk-by-uuid-cc6e214c-17e7-40d9-9e23-f7fdc7dc5450/NextcloudData:/var/www/html/data
    environment:
      - MYSQL_PASSWORD=redacted
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.tobi
      - PHP_MEMORY_LIMIT=1G
      - PHP_UPLOAD_LIMIT=10G
      - REDIS_HOST=redis
    depends_on:
      - db
      - redis

  web:
    image: nginx
    restart: always
    links:
      - app
    volumes:
      - /appdata/nextcloud/web/nginx.conf:/etc/nginx/nginx.conf:ro
    volumes_from:
      - app
    environment:
      - VIRTUAL_HOST=cloud.tobi
    depends_on:
      - app
    networks:
      - proxy-tier
      - default

  proxy:
    image: nginxproxy/nginx-proxy:alpine
    restart: always
    ports:
      - 8080:80
      - 8081:443
    volumes:
      - /appdata/nextcloud/proxy:/etc/nginx/conf.d
      - /appdata/nextcloud/ssl:/etc/nginx/certs:ro
#      - vhost.d:/etc/nginx/vhost.d:z
#      - html:/usr/share/nginx/html:z
      - /var/run/docker.sock:/tmp/docker.sock:z,ro
    networks:
      - proxy-tier

networks:
  proxy-tier:
```

DNS is handled by my pihole.
For the webserver I used the config from the example: [Example] docker/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf at master · nextcloud/docker · GitHub

In the config.php of Nextcloud I added these lines:

```php
'overwriteprotocol' => 'https',
'trusted_proxies' => ['proxy', 'nextcloud-proxy-1'],
'overwritehost' => 'cloud.tobi:8081',

// and changed:
'overwrite.cli.url' => 'http://cloud.tobi:8081',
// into
'overwrite.cli.url' => 'https://cloud.tobi:8081',
```

In the Nextcloud overview I am getting the following warnings:

Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation ↗.
Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation ↗.
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation ↗.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation ↗.

As far as I can tell WebDAV on Windows is also not working.

The webserver config should be correct, I think. I don’t know if I have to change something at the proxy and where.

Also, if it would be easier to just ditch the proxy, I would be ok with that. I would also be ok with using apache instead of nginx.

Have you considered using the All-in-One Docker installation?

I’m only suggesting it as a possibility because it doesn’t sound like you’re getting any benefit from setting it all up in an à la carte way like this.

If you’d still prefer the path you’re on we can certainly troubleshoot that however.

Whether you need a reverse proxy depends on whether you’re sharing a public IP address with other (non-NC web services) or other personal preferences for using a proxy.


Ok, so I was not aware that only the aio image is directly maintained by Nextcloud.

If anyone finds this in the future, I was able to get rid of the errors by doing the following:

  1. I mapped this path out of my container: `/etc/nginx/conf.d`
  2. I added a file called `mydomainname.conf` to the directory
  3. In this file I added the following:

```nginx
server {
  server_name YourDomainHere;

  location / {
    proxy_set_header  Host $http_host;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-Proto https;
    # X-Forwarded-Host carries the host the client asked for, not the client's IP
    proxy_set_header  X-Forwarded-Host $http_host;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://nextcloud-web-1:80;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
  }

  # Fix webfinger etc.
  location /.well-known/carddav {
    return 301 $scheme://$http_host/remote.php/dav;
  }

  location /.well-known/caldav {
    return 301 $scheme://$http_host/remote.php/dav;
  }

  location /.well-known/webfinger {
    return 301 $scheme://$http_host/index.php/.well-known/webfinger;
  }

  location /.well-known/nodeinfo {
    return 301 $scheme://$http_host/index.php/.well-known/nodeinfo;
  }

  fastcgi_intercept_errors off;

  # Attempt to fix error 504: body size and timeouts increased
  proxy_buffering off;
  client_max_body_size 10G;
  fastcgi_read_timeout 600s;
  fastcgi_request_buffering off;
  proxy_read_timeout 3600;

  # Attempt to speed things up
  http2_body_preread_size 1048576;
  client_body_buffer_size 512k;

  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  ssl_certificate /etc/nginx/certs/YourDomainHere.crt;
  ssl_certificate_key /etc/nginx/certs/YourDomainHere.key;
}

server {
  # Plain-HTTP side: redirect cloud.tobi to HTTPS, answer 404 for anything else.
  # Both "return" directives run at server level, before any location is matched,
  # so the location blocks below never handle a request on port 80.
  if ($http_host = cloud.tobi) {
      return 301 https://$http_host$request_uri;
  }

  # Fix webfinger etc.
  fastcgi_intercept_errors off;

  location /.well-known/carddav {
    return 301 $scheme://$http_host/remote.php/dav;
  }

  location /.well-known/caldav {
    return 301 $scheme://$http_host/remote.php/dav;
  }

  location /.well-known/webfinger {
    return 301 $scheme://$http_host/index.php/.well-known/webfinger;
  }

  location /.well-known/nodeinfo {
    return 301 $scheme://$http_host/index.php/.well-known/nodeinfo;
  }

  # Attempt to fix error 504: body size and timeouts increased
  client_max_body_size 10G;
  proxy_buffering off;
  fastcgi_read_timeout 600s;
  fastcgi_request_buffering off;
  proxy_read_timeout 3600;

  # Attempt to speed things up
  http2_body_preread_size 1048576;
  client_body_buffer_size 512k;

  server_name YourDomainHere;
  listen [::]:80;
  listen 80;
  return 404;
}
```

This config contains some other fixes for problems I encountered.
The problem with the `/.well-known` stuff was solved by the following lines:

```nginx
# Fix webfinger etc.
fastcgi_intercept_errors off;

location /.well-known/carddav {
  return 301 $scheme://$http_host/remote.php/dav;
}

location /.well-known/caldav {
  return 301 $scheme://$http_host/remote.php/dav;
}

location /.well-known/webfinger {
  return 301 $scheme://$http_host/index.php/.well-known/webfinger;
}

location /.well-known/nodeinfo {
  return 301 $scheme://$http_host/index.php/.well-known/nodeinfo;
}
```

I found them somewhere in the Nextcloud documentation. But I think the documentation was wrong. It contained `$host` instead of `$http_host`. I think that’s an error in the documentation because `$host` doesn’t work.

Anyways. The experience (even without the proxy) was… frustrating to say the least…
I would like to have a final attempt with the aio image. (This is going to be my 3rd time starting over again).

All I want is:

  1. Memories to work, which requires:
     • ffmpeg
     • Preview pre generator
     • https
     • http/2 or http/3
     • (optional) recognize
  2. Calendar and contact sync to phone
  3. Windows Client to:
     • Work
     • Be reliable (no Bad Gateway or Forbidden errors)
     • Be fast (near linespeed for uploads and downloads)

The problem I have with the aio is that it requires a valid cert for no apparent reason. I already have a cert for my Nextcloud but that is signed by a CA that I created. That CA has been added to my phone, PC and laptop. Thus they trust it. I don’t want to buy a valid cert or use Let’s Encrypt since my Nextcloud is only going to run local anyways.

Is there a way to use my custom cert signed by my CA? The documentation says no but I don’t get why and wonder how a company would deal with this because I think they would also rather use their local CA instead of setting up a proxy to use Let’s Encrypt like the documentation recommends.
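A check for the `/.well-known` redirects described in the post above, added here as an example and not part of the thread or of Nextcloud's own tooling. It probes the four paths without following redirects and verifies that each one answers 301 to the expected Nextcloud target on the same `host:port` the client used. It also illustrates why `$host` fails where `$http_host` works: `$host` in nginx is the host name without the port, so on a proxy listening on 8081 the redirect lands on the wrong port, which the check flags. The built-in demo server, the `cafile` parameter and all function names are constructed for this example; against a real instance you would call `check_well_known("https://cloud.tobi:8081", cafile="/path/to/your-ca.crt")`.

```python
"""Probe a Nextcloud front end for the /.well-known redirects nginx must provide."""
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Redirect targets Nextcloud expects (paths only), taken from the nginx config in the thread
EXPECTED = {
    "/.well-known/carddav": "/remote.php/dav",
    "/.well-known/caldav": "/remote.php/dav",
    "/.well-known/webfinger": "/index.php/.well-known/webfinger",
    "/.well-known/nodeinfo": "/index.php/.well-known/nodeinfo",
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 3xx response instead of following it (urllib raises HTTPError)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_opener(cafile=None):
    """Opener that does not follow redirects; cafile adds a private CA (self-signed setups)."""
    handlers = [NoRedirect]
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def probe(opener, url):
    """Return (status, Location header) for one GET, whether it succeeded or not."""
    try:
        resp = opener.open(url, timeout=5)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def check_well_known(base_url, cafile=None):
    """Map each well-known path to (ok, detail); ok requires a 301/308 to the expected
    target on the same host:port the client used (a dropped port is the $host symptom)."""
    want_host = urlsplit(base_url).netloc
    opener = build_opener(cafile)
    results = {}
    for path, target in EXPECTED.items():
        code, location = probe(opener, base_url + path)
        if code not in (301, 308) or not location:
            results[path] = (False, f"status {code}, no redirect")
            continue
        loc = urlsplit(location)
        if loc.netloc != want_host:
            results[path] = (False, f"redirects to host {loc.netloc!r}, expected {want_host!r}")
        elif loc.path != target:
            results[path] = (False, f"redirects to {loc.path}, expected {target}")
        else:
            results[path] = (True, location)
    return results


class FakeFrontEnd(BaseHTTPRequestHandler):
    """Constructed stand-in for the nginx proxy, so the check runs offline."""
    use_http_host = True  # False emulates the documentation's $host, which strips the port

    def do_GET(self):
        target = EXPECTED.get(self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        host = self.headers["Host"]
        if not self.use_http_host:
            host = host.split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"http://{host}{target}")
        self.end_headers()

    def log_message(self, *args):
        pass


def run_demo(use_http_host=True):
    """Start the fake front end on a random port and run the check against it."""
    handler = type("Handler", (FakeFrontEnd,), {"use_http_host": use_http_host})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_well_known(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, flag in (("$http_host", True), ("$host", False)):
        print(f"--- redirects built with {label}")
        for path, (ok, detail) in run_demo(flag).items():
            print(f"{'OK ' if ok else 'BAD'} {path}: {detail}")
```

The two demo runs show the difference the post reports: with `$http_host` every path passes, with `$host` every path is flagged because the redirect target lost the `:8081`-style port. The check deliberately refuses to follow redirects so that a misconfigured proxy cannot mask the problem by eventually landing somewhere that answers 200.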

Ok, so I have decided to screw the windows client of Nextcloud because it was always a very bad experience. So it’s just the upper two things remaining.

I have been trying to get the aio to work. But unsurprisingly it doesn’t…

I have opened another post here:

I will now close this post because they are not really the same topic.