DAV configuration on nextcloud docker

My setup is docker-compose with nextcloud, cron for nextcloud and mariadb containers. Also I’m using Traefik as my reverse proxy on the host machine.

Traefik labels on nextcloud container
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`<some hostname>`)"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.middlewares=compress@file,nextcloud-redirect@file"
      - "traefik.http.routers.nextcloud.middlewares=servicests"
      - "traefik.http.middlewares.servicests.headers.stsseconds=15552000"

where nextcloud-redirect is a middleware for CardDav and CalDav redirection:

# traefik middlewares
nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

Nextcloud version: Nextcloud Hub 5 (27.0.2)
Operating system and version: Debian GNU/Linux 12 (in nextcloud docker container)
Apache version: Apache/2.4.57 (in nextcloud docker container)
PHP version: 8.2.10 (in nextcloud docker container)

I can log in with a browser and two of my Android 11 phones through the nextcloud app. But when I try to log in through the nextcloud app on an Android 12 tablet, the login screen doesn’t work for me - none of the buttons work. Pressing the login button does nothing.

Setting the log level to debug gives me an error:

[webdav] Debug: Sabre\DAV\Exception\NotAuthenticated: No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured at <<closure>>

0. /var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   Sabre\DAV\Auth\Plugin->beforeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
1. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 456
   Sabre\DAV\Server->emit("beforeMethod:HEAD", [["Sabre\\HTTP\\ ... ]])
2. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 253
   Sabre\DAV\Server->invokeMethod(["Sabre\\HTTP\\Request"], ["Sabre\\HTTP\\Response"])
3. /var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php line 321
   Sabre\DAV\Server->start()
4. /var/www/html/apps/dav/lib/Server.php line 364
   Sabre\DAV\Server->exec()
5. /var/www/html/apps/dav/appinfo/v2/remote.php line 35
   OCA\DAV\Server->exec()
6. /var/www/html/remote.php line 172
   require_once("/var/www/html/a ... p")

HEAD /remote.php/dav
from 31.173.81.250 at 2023-09-03T19:50:11+00:00

Also I have a warning in the Administration overview about CardDav and CalDav. But my Traefik is redirecting from /.well-known/caldav to /remote.php/dav/ so by url I’m getting

This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.

I tried to change overwrite.cli.url (issue) but it doesn’t help.

Can you please tell me what am I doing wrong?

The output of config.php file
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'some salt',
  'secret' => 'some secret',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'my.host.name',
  ),
  'trusted_proxies' => 
  array (
    0 => '172.26.0.2',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '27.0.2.1',
  'overwrite.cli.url' => 'http://my.host.name',
  'dbname' => 'nextcloud',
  'dbhost' => 'mariadb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'some user',
  'dbpassword' => 'some password',
  'installed' => true,
  'instanceid' => 'some id',
  'overwriteprotocol' => 'https',
  'mail_from_address' => 'drive',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'host.name',
  'theme' => '',
  'loglevel' => 0,
  'maintenance' => false,
  'default_phone_region' => 'some region',
);

This check runs from your browser. Check your browser console under the Network tab and see what is going on with the /.well-known/* checks that run when you load the Admin settings page.

What happens if you test without the proxy in the middle?

> This check runs from your browser. Check your browser console under the Network tab and see what is going on with the /.well-known/* checks that run when you load the Admin settings page.

Oh I see, thanks for the explanation. I checked the browser console and got a few errors. GET requests to https://some.host/.well-known/webfinger and https://some.host/.well-known/nodeinfo return 404, and PROPFIND requests to https://some.host/.well-known/caldav and https://some.host/.well-known/carddav were blocked by NS_ERROR_DOM_BAD_URI. Later there were two PROPFIND requests to http://some.host/remote.php/dav/ which were also blocked by NS_ERROR_UNEXPECTED.

Seems that the schema of the last two requests is not right, but as you can see in config.php the 'overwriteprotocol' setting is 'https'.

> What happens if you test without the proxy in the middle?

I’ll give it a try but I’m having trouble understanding the nextcloud protocol settings. I stopped my traefik service and exposed the port of nextcloud, changed the 'overwriteprotocol' setting to 'http', but curl -v some.host returns

* Connected to some.host (some.ip) port 80 (#0)
> GET / HTTP/1.1
> Host: some.host
> User-Agent: curl/8.0.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Tue, 05 Sep 2023 18:23:49 GMT
< Server: Apache/2.4.57 (Debian)

... some headers ...

< Location: https://some.host/login
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host some.host left intact

Hmm. Something is definitely not right. I would expect those PROPFIND requests to return 301. The NS_ERROR_DOM_BAD_URI error comes from your browser so you’re not even hitting your proxy. Can you try triggering the checks from some variations of the following to see if the behavior changes?

  • in private browsing mode
  • in a different browser
  • with browser extensions disabled

> you’re not even hitting your proxy

In Chrome, I get CSP errors. All because of the http in the location header of caldav and carddav requests.

My traefik server contained a dav redirect middleware, yes. But it turned out that I also needed to change .htaccess inside the nextcloud container. I have corrected them as indicated on the reverse proxy configuration page. The problem with dav is now resolved.

But I still can’t login on my tablet. The situation is the same - pressing the login button does not lead to anything. Now there are no erroneous logs when trying to login.

Might be worth starting a new ticket as there has been a lot of focus on the dav issue. But I’m stuck with this problem.
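Added example, not part of the original thread: a small offline check for the DAV discovery redirects discussed above. It applies the redirectRegex rule as posted (translated to Python syntax) and classifies captured responses, so an http:// Location header like the one reported in Chrome stands out. The hostname, the function names and the sample captures are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# redirectRegex rule from the question; Traefik's "${1}" is "\g<1>" in Python.
RULE = re.compile(r"https://(.*)/.well-known/(card|cal)dav")
REPLACEMENT = r"https://\g<1>/remote.php/dav/"

def middleware_target(request_url):
    """URL the rule would redirect to, or None when the rule does not match."""
    if not RULE.search(request_url):
        return None
    return RULE.sub(REPLACEMENT, request_url)

def classify(request_url, status, location):
    """Classify one captured response to a /.well-known/(cal|card)dav request."""
    if status not in (301, 308) or not location:
        return "no-permanent-redirect"
    # Resolve a relative Location against the request URL before comparing.
    target = urlsplit(urljoin(request_url, location))
    origin = urlsplit(request_url)
    if target.scheme != "https":
        return "scheme-downgrade"   # http:// Location on an https:// site
    if target.netloc != origin.netloc:
        return "wrong-host"
    if target.path.rstrip("/") != "/remote.php/dav":
        return "wrong-target"
    return "ok"

# Constructed captures (placeholder hostname): (request URL, status, Location)
BASE = "https://cloud.example.test/.well-known/"
CAPTURES = [
    (BASE + "caldav", 301, "http://cloud.example.test/remote.php/dav/"),
    (BASE + "carddav", 301, "https://cloud.example.test/remote.php/dav/"),
    (BASE + "caldav", 308, "/remote.php/dav/"),
    (BASE + "carddav", 404, None),
]

def report():
    """Return (endpoint, verdict) for every constructed capture."""
    return [(url.rsplit("/", 1)[-1], classify(url, status, loc))
            for url, status, loc in CAPTURES]

if __name__ == "__main__":
    for name, verdict in report():
        print(f"{name:8} {verdict}")
    print(middleware_target(BASE + "caldav"))
```

The rule as posted only matches https:// request URLs and always rewrites to https://, so a "scheme-downgrade" verdict on a real capture means the Location header was produced somewhere other than this rule.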

I assume clicking “Alternative log in using app token” underneath the Login button behaves similarly?

Right. Nothing happens.

Logs after entering hostname to app from nextcloud server. Seems right to me

"GET /status.php HTTP/1.1" 200 1892 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.25.0"
"HEAD /remote.php/dav HTTP/1.1" 401 1452 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.25.0"
"GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 2122 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.>
"GET /index.php/login/flow HTTP/1.1" 200 7793 "-" "Vison X20PRO (Android)"
"GET /core/js/oc.js?v=fe808fe5 HTTP/1.1" 200 2376 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/default.css?plain=1&v=b6589fc6 HTTP/1.1" 200 1843 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/dark.css?plain=1&v=b6589fc6 HTTP/1.1" 200 1836 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/light.css?plain=1&v=b6589fc6 HTTP/1.1" 200 1843 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=b6589fc6 HTTP/1.1" 200 1927 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/light.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1863 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/opendyslexic.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1164 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/light-highcontrast.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1925 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/dark.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1856 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=b6589fc6 HTTP/1.1" 200 1949 "-" "Vison X20PRO (Android)"
"GET /apps/theming/theme/light-highcontrast.css?plain=1&v=b6589fc6 HTTP/1.1" 200 1904 "-" "Vison X20PRO (Android)"
"GET /dist/core-common.js?v=fe808fe5-0 HTTP/1.1" 200 3635056 "-" "Vison X20PRO (Android)"

Logged out of the account on the phone and logged in again. All logs are the same, except that these lines do not appear in the tablet login logs

"GET /login/flow/grant?clientIdentifier=&user=&direct=0&stateToken=KpyQolquNXhS8bog2zJrToP7MyQolquNXhS8boWP5H5AASDQWN HTTP/1.1" 303 918 "-" "Samsung (Android)"
"GET /login?redirect_url=/login/flow/grant?clientIdentifier%3D%26user%3D%26direct%3D0%26stateToken%3DKpyQolquNXhS8bog2zJrToPyQolquNXhS8bogtoDp3coRNqSPUPN HTTP/1.1" 200 6443 "-" "Samsung (Android)"

The same issue((
Any new ideas?

Unfortunately no, the problem is still relevant

I was able to log into nextcloud on the tablet. Not the way I expected, but I did it.

I went to the security settings, created an application password, clicked on “show qr code…”. Then, on the address entry screen in the nextcloud application, I clicked on the QR code and scanned the one I received.

@LBatal hope it helps you.