HAProxy -> nginx -> Nextcloud does not detect /.well-known/*

Security & setup warnings

It's important for the security and performance of your instance that everything is configured correctly. To help you with this, we are doing some automatic checks. Please see the linked documentation for more information.
There are some warnings regarding your setup.

    Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation ↗.
    The database is used for transactional file locking. To enhance performance, please configure memcache, if available. Further information can be found in the documentation ↗.
    Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the region to your config file.
    The PHP module "imagick" is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.

  1. I have installed the imagick module. Why does this error appear?
  2. Where do I have to put the telephone region code?
  3. My main question: why does this well-known error appear with my config?
# cloud.conf of nginx
upstream php-handler {
 
server unix:/run/nextcloud/nextcloud.sock;
}
server {
    listen 80;
    listen [::]:80;
    root /usr/share/webapps/nextcloud;
    index  index.php index.html index.htm;
    server_name  cloud.joelmueller.ch;

   location ^~ / {

        client_max_body_size 100G;
	fastcgi_buffers 8 4K;
	fastcgi_request_buffering off;
        fastcgi_ignore_headers X-Accel-Buffering;
	client_body_temp_path /home/tmp;

        gzip off;

        error_page 403 /nextcloud/core/templates/403.php;
        error_page 404 /nextcloud/core/templates/404.php;

        location / {
            rewrite ^ /index.php$uri;
        }

  	location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    	}

	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|changelog|data)/ {
            return 404;
        }

	location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console|core/skeleton/) {
            return 404;
        }

	location ~ ^/nextcloud/core/signature\.json {
            return 404;
        }

        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[sm]-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param modHeadersAvailable true;
            fastcgi_read_timeout 180;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
       	
	    add_header Referrer-Policy "no-referrer"   always;
	    add_header X-Content-Type-Options "nosniff"       always;
	    add_header X-Download-Options "noopen"        always;
	    add_header X-Frame-Options "SAMEORIGIN"    always;
	    add_header X-Permitted-Cross-Domain-Policies "none"          always;
            add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Cache-Control "max-age=15778463" always;
       	}

	

        location ~ ^/(?:updater|oc[sm]-provider)(?:$|/) {
            try_files $uri $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ /.*\.(?:css|js) {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
	    add_header Referrer-Policy "no-referrer"   always;
	    #add_header X-Content-Type-Options "nosniff"       always;
	    #add_header X-Download-Options "noopen"        always;
	    #add_header X-Frame-Options "SAMEORIGIN"    always;
	    #add_header X-Permitted-Cross-Domain-Policies "none"          always;
            #add_header X-Robots-Tag "none"          always;
            #add_header X-XSS-Protection "1; mode=block" always;
            #add_header Cache-Control "max-age=15778463" always;
            add_header X-Content-Type-Options "nosniff" always;
	    add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
           # add_header X-Download-Options "noopen" always;
           # add_header X-Permitted-Cross-Domain-Policies "none" always;
            access_log off;
        }

        location ~ /.*\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json) {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=7200" always;
            access_log off;
        }
    }
}

Your Nginx configuration appears to be a mix and match of things, but your installation appears to be in a subdirectory /nextcloud/. You need to make sure it reflects the subdirectory version of the suggested configuration, as shown here:

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-the-nginx-webroot

In addition, since you’re using a reverse proxy (haproxy), you’ll need to include redirects for the /.well-known URLs as described here:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=reverse#haproxy

Imagick: How, precisely, did you install it? And what OS/distribution are you using? You need to make sure the PHP imagick module is installed and activated. For example, on Ubuntu installing the package called php-imagick does this for you. You can also do so manually, but I’d avoid this unless absolutely necessary:

https://www.php.net/manual/en/imagick.installation.php

default_phone_region: This goes in your NC config.php file. Also see
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=region#default-phone-region

Thanks for the reply.

  1. No, Nextcloud is not in a subdir; it's in /usr/share/webapps/nextcloud, outside the webroot.
  2. imagick is installed and activated; it was fine before, and I also reinstalled it with no effect.
  3. I adjusted the config; it's now ok with the region code.
  4. I added it in the HAProxy config, no effect.

Okay, but some of your lines are not consistent with that:

error_page 403 /nextcloud/core/templates/403.php;
error_page 404 /nextcloud/core/templates/404.php;
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|changelog|data)/ {
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console|core/skeleton/) {
location ~ ^/nextcloud/core/signature\.json {

What happens when you visit http[s]://cloud.joelmueller.ch/.well-known/carddav in your web browser?

There are only two places that it can be prevented from being redirected:

  • HAProxy
  • NGINX

Check the logs for both of the above to see where those transactions are ending up.
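The two replies above boil down to one test: issue the same requests the Nextcloud setup check issues and look at where the redirect ends up. The script below is an added example, not code from this thread or from Nextcloud. It assumes the public URL https://cloud.joelmueller.ch (HAProxy in front, nginx behind it on port 80, as in the posted config); the sample header blocks at the bottom are constructed, not captured from that server. For caldav/carddav it inspects the unfollowed 301 and refuses a Location that points at plain http, because an nginx listening on :80 behind a TLS-terminating proxy builds absolute redirects with its own scheme unless `absolute_redirect off;` is set, and a browser on an https page will not follow such a downgrade. For webfinger/nodeinfo it follows the redirect chain and requires the X-NEXTCLOUD-WELL-KNOWN header that Nextcloud's well-known controller adds, which is exactly what distinguishes "reached index.php" from "served by something else".

```shell
#!/usr/bin/env bash
# Added example: manual version of Nextcloud's /.well-known setup check.
# Assumption: the instance is reached at https://cloud.joelmueller.ch via HAProxy.

# status_of HEADERS -> status code of the LAST response block in HEADERS
# (curl -L prints one block per hop; the last one is what the client ends up with).
status_of() {
    printf '%s\n' "$1" | grep -E '^HTTP/' | tail -n1 | awk '{print $2}'
}

# header_of HEADERS NAME -> value of header NAME (case-insensitive), CR stripped
header_of() {
    printf '%s\n' "$1" | awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == n ":" {print $2}' | tr -d '\r' | tail -n1
}

# check_dav_redirect HEADERS
#   HEADERS: response headers of an UNFOLLOWED request to /.well-known/caldav
#   or /.well-known/carddav. Passes only for a 301/302 whose Location is
#   /remote.php/dav/ (relative, or absolute on an https origin).
check_dav_redirect() {
    local status location
    status=$(status_of "$1")
    location=$(header_of "$1" Location)
    case "$status" in
        301|302) ;;
        *) echo "FAIL: expected 301/302, got '${status:-no status}'"; return 1 ;;
    esac
    case "$location" in
        /remote.php/dav/|https://*/remote.php/dav/) echo "ok: $location"; return 0 ;;
        http://*)
            # nginx on :80 behind a TLS-terminating proxy builds absolute
            # redirects with its own scheme unless 'absolute_redirect off;' is set
            echo "FAIL: redirect downgrades to plain http: $location"; return 1 ;;
        *) echo "FAIL: unexpected Location '$location'"; return 1 ;;
    esac
}

# check_wellknown_json HEADERS
#   HEADERS: response headers of a FOLLOWED request to /.well-known/webfinger
#   or /.well-known/nodeinfo. The chain must end at index.php: Nextcloud's
#   well-known controller marks its answers with X-NEXTCLOUD-WELL-KNOWN, and
#   both 200 and 404 are acceptable (404 = no app provides that resource).
check_wellknown_json() {
    local status
    status=$(status_of "$1")
    case "$status" in
        200|404) ;;
        *) echo "FAIL: expected 200/404, got '${status:-no status}'"; return 1 ;;
    esac
    if [ -n "$(header_of "$1" X-Nextcloud-Well-Known)" ]; then
        echo "ok: handled by Nextcloud (status $status)"; return 0
    fi
    echo "FAIL: no X-NEXTCLOUD-WELL-KNOWN header, the request never reached index.php"
    return 1
}

# run_live [BASE_URL]: probe a real instance. -I = headers only;
# -L (follow) only where the check cares about the final hop.
run_live() {
    local base="${1:-https://cloud.joelmueller.ch}" p rc=0
    for p in /.well-known/caldav /.well-known/carddav; do
        printf '%s: ' "$p"; check_dav_redirect "$(curl -sSI "$base$p")" || rc=1
    done
    for p in /.well-known/webfinger /.well-known/nodeinfo; do
        printf '%s: ' "$p"; check_wellknown_json "$(curl -sSIL "$base$p")" || rc=1
    done
    return $rc
}

# Constructed sample responses (not captured from the thread's server):
GOOD_DAV=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://cloud.joelmueller.ch/remote.php/dav/\r\n')
DOWNGRADE_DAV=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://cloud.joelmueller.ch/remote.php/dav/\r\n')
GOOD_WF=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: /index.php/.well-known/webfinger\r\n\r\nHTTP/1.1 404 Not Found\r\nX-NEXTCLOUD-WELL-KNOWN: 1\r\n')
STATIC_WF=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
```

Run it as `run_live https://cloud.joelmueller.ch` from a machine outside the proxy, then again against `http://<nginx-ip>` from the HAProxy host; whichever hop first turns the 301 into something else, or strips the X-NEXTCLOUD-WELL-KNOWN header, is the one whose logs to read.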

Obviously not. You didn't answer my questions:

  • How, precisely, did you install Imagick (the ImageMagick PHP extension)?
  • What OS/distribution are you using?

In Nextcloud, go to Administration settings -> System (aka: http[s]://cloud.joelmueller.ch/settings/admin/serverinfo). Look under the PHP heading: is imagick listed as an active extension in Nextcloud? If not, then php-imagick is either not installed or at least not activated in your PHP configuration.

Extensions: Core, date, libxml, openssl, pcre, zlib, ctype, dom, fileinfo, filter, hash, json, mbstring, pcntl, SPL, session, PDO, bz2, posix, random, readline, Reflection, standard, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, cgi-fcgi, bcmath, Phar, curl, exif, gd, gettext, gmp, iconv, intl, mysqli, pdo_mysql, zip, sysvsem, apcu, memcache, memcached, Zend OPcache

I installed it on Arch Linux, kernel 6.4.7, with pacman -S php-imagick and commented out the line in /etc/php/php.ini.

I get

This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.

upstream php-handler {
    server unix:/run/nextcloud/nextcloud.sock;
}
server {
    listen 80;
    listen [::]:80;
    root /usr/share/webapps/nextcloud;
    index  index.php index.html index.htm;
    server_name  cloud.joelmueller.ch;

   location ^~ / {

        client_max_body_size 100G;
	fastcgi_buffers 8 4K;
	fastcgi_request_buffering off;
        fastcgi_ignore_headers X-Accel-Buffering;
	client_body_temp_path /home/tmp;

        gzip off;

        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

        location / {
            rewrite ^ /index.php$uri;
        }

  	location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    	}

	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|changelog|data)/ {
            return 404;
        }

	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console|core/skeleton/) {
            return 404;
        }

	location ~ ^/core/signature\.json {
            return 404;
        }

        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[sm]-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param modHeadersAvailable true;
            fastcgi_read_timeout 180;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
       	
	    add_header Referrer-Policy "no-referrer"   always;
	    add_header X-Content-Type-Options "nosniff"       always;
	    add_header X-Download-Options "noopen"        always;
	    add_header X-Frame-Options "SAMEORIGIN"    always;
	    add_header X-Permitted-Cross-Domain-Policies "none"          always;
            add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Cache-Control "max-age=15778463" always;
       	}

	

        location ~ ^/(?:updater|oc[sm]-provider)(?:$|/) {
            try_files $uri $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ /.*\.(?:css|js) {
            try_files $uri /index.php$uri$is_args$args;
	    add_header Referrer-Policy "no-referrer"   always;
	    #add_header X-Content-Type-Options "nosniff"       always;
	    #add_header X-Download-Options "noopen"        always;
	    #add_header X-Frame-Options "SAMEORIGIN"    always;
	    #add_header X-Permitted-Cross-Domain-Policies "none"          always;
            #add_header X-Robots-Tag "none"          always;
            #add_header X-XSS-Protection "1; mode=block" always;
            #add_header Cache-Control "max-age=15778463" always;
            add_header X-Content-Type-Options "nosniff" always;
	    add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
           # add_header X-Download-Options "noopen" always;
           # add_header X-Permitted-Cross-Domain-Policies "none" always;
            access_log off;
        }

        location ~ /.*\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json) {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=7200" always;
            access_log off;
        }
    }
}

Now looks like this

Imagick

You're using PHP-FPM, so you likely need to make the change elsewhere.

Something like /etc/php/fpm/php.ini

Possibly /etc/php-legacy/php-fpm.ini.

It depends on what/where you installed PHP/etc.

https://wiki.archlinux.org/title/Nextcloud
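The point of the reply above is that the CLI and the FPM SAPI can load different ini files, and that on Arch the per-extension files in /etc/php/conf.d are read in addition to php.ini, so an extension can end up enabled nowhere, or twice. The script below is an added example, not code from the thread or from Arch; it assumes an Arch-style layout of DIR/php.ini plus DIR/conf.d/*.ini (DIR=/etc/php by default), and the `php-fpm -i` / `php-fpm -m` calls are the real php-fpm options for printing the loaded ini paths and the compiled-in/loaded modules.

```shell
#!/usr/bin/env bash
# Added example: find which ini files enable a PHP extension. The php CLI and
# php-fpm may read different ini files, and Arch's packages drop per-extension
# files into conf.d. Assumption: DIR/php.ini plus DIR/conf.d/*.ini (e.g. /etc/php).

# ini_paths: print the ini files each SAPI actually loads (needs php and php-fpm).
ini_paths() {
    echo "== php (CLI) =="; php --ini 2>/dev/null
    echo "== php-fpm =="
    php-fpm -i 2>/dev/null | grep -E 'Loaded Configuration File|Scan this dir'
}

# ext_state DIR EXT
#   Counts "extension=EXT" lines (also EXT.so, with or without quotes) in
#   DIR/php.ini and DIR/conf.d/*.ini. Prints one of:
#   enabled | duplicate | disabled | absent. Returns 0 only for "enabled".
ext_state() {
    local dir="$1" ext="$2" active=0 commented=0 f n
    local re="extension[[:space:]]*=[[:space:]]*\"?${ext}(\\.so)?\"?[[:space:]]*$"
    for f in "$dir/php.ini" "$dir"/conf.d/*.ini; do
        [ -f "$f" ] || continue
        # grep -c prints 0 but exits 1 when nothing matches; keep the 0
        n=$(grep -Ec "^[[:space:]]*${re}" "$f" || true); active=$((active + n))
        n=$(grep -Ec "^[[:space:]]*;[[:space:]]*${re}" "$f" || true); commented=$((commented + n))
    done
    if [ "$active" -eq 1 ]; then echo enabled; return 0; fi
    if [ "$active" -gt 1 ]; then
        echo duplicate   # PHP logs "Module ... is already loaded" on every start
    elif [ "$commented" -gt 0 ]; then
        echo disabled    # present, but every line is commented with ';'
    else
        echo absent      # package installed at all? pacman -Ql php-imagick | grep ini
    fi
    return 1
}

# ext_loaded EXT: the authoritative answer, asking the FPM binary itself.
ext_loaded() { php-fpm -m 2>/dev/null | grep -qix "$1"; }

# Typical use on the thread's system:
#   ini_paths
#   ext_state /etc/php imagick && ext_loaded imagick && echo "FPM has imagick"
```

`ext_state` tells you where the line lives; `ext_loaded` tells you whether FPM actually picked it up, which is the only thing Nextcloud's check cares about. If the two disagree, FPM is reading a php.ini other than the one you edited, and `ini_paths` shows which.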

Ok, I found the error: I must comment out extension=imagick in /etc/php/conf.d/imagick.ini.

I don't know why it's there. In php.ini it was commented out and was still working until now.

disabled by default
# activedefrag no

# Minimum amount of fragmentation waste to start active defrag
# active-defrag-ignore-bytes 100mb

# Minimum percentage of fragmentation to start active defrag
# active-defrag-threshold-lower 10

# Maximum percentage of fragmentation at which we use maximum effort
# active-defrag-threshold-upper 100

# Minimal effort for defrag in CPU percentage, to be used when the lower
# threshold is reached
# active-defrag-cycle-min 1

# Maximal effort for defrag in CPU percentage, to be used when the upper
# threshold is reached
# active-defrag-cycle-max 25

# Maximum number of set/hash/zset/list fields that will be processed from
# the main dictionary scan
# active-defrag-max-scan-fields 1000

# Jemalloc background thread for purging will be enabled by default
jemalloc-bg-thread yes

# It is possible to pin different threads and processes of Redis to specific
# CPUs in your system, in order to maximize the performances of the server.
# This is useful both in order to pin different Redis threads in different
# CPUs, but also in order to make sure that multiple Redis instances running
# in the same host will be pinned to different CPUs.
#
# Normally you can do this using the "taskset" command, however it is also
# possible to this via Redis configuration directly, both in Linux and FreeBSD.
#
# You can pin the server/IO threads, bio threads, aof rewrite child process, and
# the bgsave child process. The syntax to specify the cpu list is the same as
# the taskset command:
#
# Set redis server/io threads to cpu affinity 0,2,4,6:
# server_cpulist 0-7:2
#
# Set bio threads to cpu affinity 1,3:
# bio_cpulist 1,3
#
# Set aof rewrite child process to cpu affinity 8,9,10,11:
# aof_rewrite_cpulist 8-11
#
# Set bgsave child process to cpu affinity 1,10,11
# bgsave_cpulist 1,10-11

# In some cases redis will emit warnings and even refuse to start if it detects
# that the system is in bad state, it is possible to suppress these warnings
# by setting the following config which takes a space delimited list of warnings
# to suppress
#
# ignore-warnings ARM64-COW-BUG
$CONFIG = array (
  'datadirectory' => '/home/data/nextcloud/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array(
     'host' => '127.0.0.1',
     'port' => 6379,
     'timeout' => 0.0,
     ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ),
  ),
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.joelmueller.ch',
  ),
  // reverse-proxy settings must be top-level keys of $CONFIG; wrapped in an
  // extra array Nextcloud never reads them
  'trusted_proxies' =>
  array (
    0 => '192.168.1.1',
  ),
  // must be the host name users reach the instance at (the rest of this
  // config uses cloud.joelmueller.ch)
  'overwritehost' => 'joelmueller.ch',
  'overwrite.cli.url' => 'https://cloud.joelmueller.ch/',
  'htaccess.RewriteBase' => '/',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'dbtype' => 'mysql',
  'version' => '27.0.2.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/run/mysqld/mysqld.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXX',
  'installed' => true,
  'instanceid' => 'XXX',
  'overwriteprotocol' => 'https',
  'theme' => '',
  'loglevel' => 2,
  'default_phone_region' => 'CH',
  'auth.bruteforce.protection.enabled' => false,
  'maintenance' => false,
  'integrity.check.disabled' => true,
  'mail_smtpmode' => 'sendmail',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'pipe',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'joelmueller.ch',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '456',
  'mail_smtpname' => 'Nextcloud',
  'mail_smtppassword' => 'XXX',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'app_install_overwrite' =>
  array (
    0 => 'files_antivirus',
    1 => 'keeporsweep',
    2 => 'flowupload',
    3 => 'hancomoffice',
    4 => 'video_converter',
    5 => 'ransomware_protection',
    6 => 'documentserver_community',
  ),
  'onlyoffice' =>
  array (
    'verify_peer_off' => true,
  ),
);

Could someone say why Redis doesn't run?

Can you try

sudo netstat -tap|grep 6379

to confirm that redis is listening on that port?

If not, I suggest using the socket. My Redis is listening via a Unix socket; in nextcloud/config/config.php:

  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),

Check your settings in /etc/redis/redis.conf & add/amend the line;

unixsocket /var/run/redis/redis-server.sock

Restart redis;

sudo service redis-server stop
sudo service redis-server start

or

sudo redis-cli flushall

and see whether redis is working now.

sudo netstat -tulpn | grep redis

tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1223533/redis-serve
tcp6       0      0 ::1:6379                :::*                    LISTEN      1223533/redis-serve
sudo netstat -tap|grep 6379

Gives me no result

redis-cli
127.0.0.1:6379> CLIENT LIST
id=5 addr=127.0.0.1:37532 laddr=127.0.0.1:6379 fd=8 name= age=15 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=26 qbuf-free=20448 argv-mem=10 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22298 events=r cmd=client|list user=default redir=-1 resp

I changed to the socket; now it runs like before with the port, but this line

  'memcache.distributed' => '\\OC\\Memcache\\Redis'

kills nextcloud

Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

Now you have changed to socket, your redis-cli output should be different. e.g.

Could not connect to Redis at 127.0.0.1:6379: Connection refused

Is redis listening on the socket?

[morta@nas ~]$ redis-cli
Could not connect to Redis at 127.0.0.1:6379: Connection refused

Yes.

[morta@nas ~]$ socat -u OPEN:/dev/null UNIX-CONNECT:/run/redis/redis.sock
2023/08/20 17:28:38 socat[159806] E connect(, AF=1 "/run/redis/redis.sock", 23): Permission denied
[morta@nas ~]$ sudo socat -u OPEN:/dev/null UNIX-CONNECT:/run/redis/redis.sock
[morta@nas ~]$

Check the permissions on /var/run/redis/redis-server.sock, that it's accessible by the redis user:
ls -lh /var/run/redis

Does this work?
redis-cli -s /var/run/redis/redis-server.sock
or
redis-cli -s /var/run/redis/redis.sock

[morta@nas ~]$ redis-cli -s /var/run/redis/redis.sock
Could not connect to Redis at /var/run/redis/redis.sock: Permission denied
not connected> exit
[morta@nas ~]$ ls -lh /var/run/redis
total 0
srwxrwx--- 1 redis redis 0 Aug 18 23:19 redis.sock

Could fix it with chmod 777 -R /var/run/redis.sock but nothing changed

  'memcache.distributed' => '\\OC\\Memcache\\Redis'

kills nextcloud

Hello @Morta
Take a look at the second point on our website, maybe this can help you. Note, however, that this is Apache2 and not Nginx.
Best regards,
schBenedikt

technik.schächner.de