How to resove well-know caldav and carddav Security & Set Up Warning

I would like to properly fix the Security & set up warnings:

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation :arrow_upper_right:.
  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation :arrow_upper_right:.

What can be done to fix this?

Thanks!

Reverse Proxy Server
Nextcloud version: 25.0.0.1
Operating system and version : Ubuntu 22.04.1 LTS
Apache: Apache/2.4.52 (Ubuntu)
PHP version: PHP 8.1.13(cli)

Apache Backend Sever
Operating system and version : Ubuntu 22.04.1 LTS
Apache: Apache/2.4.52 (Ubuntu)
PHP version: PHP 8.1.13(cli)

The issue you are facing: PHP Opcache not properly configured

Is this the first time you’ve seen this error? : NO,

Steps to replicate it:

I have complete access to servers

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxx,
  'secret' => 'xxxxxxxxxxxxxxxx,
  'trusted_domains' => 
  array (
    0 => 'nextcloud.allenintech.com',
    1 => 'www.nextcloud.allenintech.com',
  ),
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '10.0.0.1',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '25.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxxxx',
  'dbpassword' => 'xxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => 'localhost',
      1 => 11211,
    ),
    1 => 
    array (
      0 => 'nextcloud.allenintech.com',
      1 => 11211,
    ),
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://nextcloud.allenintech.com',
  'overwritehost' => 'nextcloud.allenintech.com',
  'default_phone_region' => 'US',
  'mail_smtpmode' => 'sendmail',
  'mail_from_address' => 'eatobiasa',
  'mail_domain' => 'gmail.com',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtptimeout' => 60,
  'updater.release.channel' => 'stable',
  'mail_sendmailmode' => 'smtp',
  'mysql.utf8mb4' => true,
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'eatobiasa@gmail.com',
  'mail_smtppassword' => 'xxxxxxxxxx',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'PLAIN',
  'app_install_overwrite' => 
  array (
    0 => 'drawio',
  ),
);

The error links to the solution in the documentation. If you have a question about the reverse proxy configuration, feel free to post your config.

Hi @KarlF12,

The wording of the solution is not understandable.

… correct working setup of the following URLs:

https://example.com/.well-known/carddav
https://example.com/.well-known/caldav
Those need to be redirecting your clients to the correct endpoints …

What is the meaning of redirection your clients to the correct endpoints?

The reverse proxy works well. So maybe there is a configuration “different configuration” for a revers proxy.

Also, there is a .htaccess file in the root directory of the back-end server. When I place gibberish at the end of the file Apache does not fail. So, maybe .htaccess is not being accessed. Anyway thanks for looking at this.

Here is the reverse proxy, backend server and htaccess file.

Reverse Proxy

<VirtualHost *:80>
ServerName “www.nextcloud.example.com
ServerAlias “nextcloud.example.com
UseCanonicalName On
#Redirect permanent / https://nextcloud.allenintech.com/

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.nextcloud.example.com [OR]
    RewriteCond %{SERVER_NAME} =nextcloud.examle.com
    RewriteRule ^https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

#--------------------------#
#Secure nextcloud #
#--------------------------#
<VirtualHost *:443>
ServerName “nextcloud.example.com
ServerAlias “www.nextcloud.example.com
LogLevel warn
LogFormat “%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"” vhost_combined
CustomLog “/var/log/apache2/access-nextcloud.log” vhost_combined
ErrorLog “/var/log/apache2/error-nextcloud.log”
UseCanonicalName on
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://10.0.0.xx/
ProxyPassReverse / http://nextcloud.example.com/
SSLEngine On
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite …

    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    SSLCertificateChainFile ...
Header always set Strict-Transport-Security: "max-age=15552000; includeSubDomains"

Back-end Server

<VirtualHost *:443>
ServerName nextcloud.example.com
ServerAlias www.nextcloud.example.com
UseCanonicalName on
DocumentRoot “/var/www/html/nextcloud”
LogLevel warn
LogFormat "%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%User-Agent}i"vhost_combined
ErrorLog “/var/log/apache2/error-nextcloud-proxy.log”
CustomLog “/var/log/apache2/access-nextcloud-proxy.log” vhost_common

    <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/html/nextcloud>
            # Require all granted
            # Options +FollowSymlinks
            Options Indexes FollowSymlinks Multiviews
            AllowOverride ALL
            Order allow,deny
            allow from all 
            # <IfModule mod_dav.c>
            #       Dav off
            # </IfModule>
   </Directory>
 </VirtualHost>


 **htaccess**

  <IfModule mod_rewrite.c>
 RewriteEngine on
RewriteCond %{HTTP_USER_AGENT}  DavClnt
RewriteRule ^$         /remote.php/webdav/          [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json 
 [QSA,L]
RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
 </IfModule>

You would add them as rewrite rules in the HTTPS vhost on the reverse proxy. Adjust as needed if your Nextcloud web root is in a subfolder.

I’ve heard of people doing this in .htaccess, but I have never personally done it that way.

RewriteEngine on
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
1 Like

Thank-you @KarlF12! The warnings have gone away. The new message is “All checks passed!”

For Apache reverse proxy the Service Discovery configuration should be done on the reverse proxy and not the back-end or using htaccess.

The Service Discovery section of the documentation should be clarified. Using your solution should be added to the Service Discovery section.

Thanks-again @KarlF12

There’s a separate section for reverse proxy configuration that has this in it.

https://docs.nextcloud.com/server/25/admin_manual/configuration_server/reverse_proxy_configuration.html#service-discovery

2 Likes

Very good. What I was asking for is in the documentation. I appreciate that. I missed that section. Thanks again @KarlF12 and the nextcloud team.’

1 Like