Hi. I just installed Nextcloud on my home server. (divorcing Google this year…)
I am a little strict with connecting to my home server from outside of my local network, and I am using cloudflare zero trust tunneling for this matter.
Currently my security policy demands OTP via email delivery, but this does not seem to be supported by the iOS application. When I enter my public URL it says:
Error
Web login not available, use the old login method
I guess it is expected that it does not successfully find the web login, because it first has to go through a cloudflare OTP login page.
I have tried searching around in the forum, but didn’t find any direct solution to the problem. Also tried asking Perplexity, which suggests that a token-based authentication would be better, but that this iOS app currently does not support that.
So I wanted to ask here if anyone has solved this in any way, or, if not, how are you people connecting securely to your self-hosted Nextcloud?
Cheers!
Is this OTP requirement only for login or for all endpoints of Nextcloud?
You can try to create a token and use the QR code to login from the iOS app, maybe that works?
Hi, thanks for your message! 
The QR approach won’t work, as the connection to the Nextcloud app is not accessible in any way (except through the tunnel, but that requires auth).
The OTP login page handles login once, then puts an auth-related cookie in the browser, which helps maintain a 24-hour authorized session.
But since I can’t load the OTP auth page in the app, I can’t receive the cookie. Also, I don’t expect the iOS app to work like a browser, so I understand why this wouldn’t work…
I also tried a different approach, by installing a Cloudflare root certificate on my iPhone and changing the security policy to allow access if the request contains a valid certificate, but this also didn’t work, I assume because the iOS app isn’t passing the installed root certificates; it might not even be exposed to the app, I am not entirely sure.
But… there has to be a way to use the iOS app with a secure tunnel, right? Personally I would be very worried about exposing self-hosted apps from my local network, so it is a little surprising to me if that is what most people do around here.

I’m in the same situation. I’ll follow for now and will reply with anything I learn.
Running Nextcloud/Collabora behind a Cloudflare Zero Trust app and presently blocking everything except a few trusted IPs in a Rule Group that get a Bypass in the policy.
This allows my iOS app to work when the phone is VPN’d into a network with a trusted public IP.
Wait! You said you tried with a root certificate but you believed it wasn’t passed because in CF you have it as an Allow.
But that won’t work; you’d need to create a rule, not a policy, that allows on the certificate being present, and then create a policy for that rule that gives a Bypass.
Without the bypass, the app is still presented with the zero trust application page.
Aha, that’s interesting!
I also tried with WARP and had the same experience, still getting the authentication page, despite my policy allowing WARP-connected clients through and my iPhone being within the WARP VPN network…
That might be for the same reason? That a Bypass rule is required?
Certificate-based authentication and login bypass would be preferred, as I don’t really favor having to turn a VPN connection on/off all the time. Where/how can I create this “rule” in the CF ZT dashboard?
CF->Zero Trust → Access → Rule Groups → Add a Group → Give it a Name :
Foo Rule → Selector : Valid Certificate {Save}
CF->Zero Trust → Access → Policies → Add a Policy → Give it a Name:
Foo Policy → Action: ByPass → Duration → Pick a time → Add Rules → Rule Group: Foo Rule
Then from CF->Zero Trust → Access → Applications
Edit your application and remove existing policies that were for the certificate and add in your new Foo Policy. {Save}
Fantastic! The Bypass policy action is what is needed!
I am now able to connect via the iOS app when using WARP and having the Cloudflare VPN turned on on my iPhone. The iOS app picks up the Nextcloud login page, so it is seamlessly forwarded through the secure tunnel. I also tried turning off the VPN and then my access is denied. So this is as secure as I want it to be.
I also tried the Rule Group approach, as you described, to try to get certificate-based authentication to work. This would be a more attractive solution, as I won’t have to turn on the VPN to be let through the tunnel… However, when I try to save the policy, with:
selector: Rule group
Value:
I get an error: Access api error invalid_request: invalid ‘include’ configuration
Excellent. Can you describe for this thread (and me) what steps you took to make this application work for your phone(s)?
I haven’t looked at WARP, and know very little (next to nothing) about it or its implementation.
My concern would be if I can push this out to my small handful of users.
Of course! Let me try… but I configured WARP about a week ago, so I might forget a small detail or two.
CF → Zero Trust → Access → Settings → WARP Client
Device settings
Here I have a Default profile enabled, with following settings;
- Captive portal detection: ON
- Device tunnel protocol: WireGuard
- Service mode: Gateway with WARP
- Split tunnel: Exclude IPs and domains
(the rest is OFF)
Device posture
Here, add one new “WARP client check”:
WARP - name: some-name
That’s it for the CF WARP setup I believe.
On iPhone
Download the Cloudflare One app.
Sign in to your team/organization.
Turn on Cloudflare Zero Trust (the big connect toggle).
In Cloudflare you should now see your iPhone under:
CF → Zero Trust → My team → Devices
(I’m not 100% sure if I see my iPhone here due to WARP or the certificate I installed on my iPhone, so please let me know if you see your device here after connecting WARP.)
Access policy
CF → Zero Trust → Access → Policies → Add a Policy → Give it a Name:
Foo Policy → Action: ByPass → Duration → Pick a time → Add Rules → Rule WARP: some-name
Assign the policy to your Nextcloud application. When the iPhone is WARP-connected, you should be able to access it, both via browser and via the iOS app; when disconnecting the WARP VPN, the connection should drop, showing the Cloudflare access denied page.
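As an added diagnostic for both the certificate Bypass policy above and the WARP Bypass described here (my own example, not code from this thread, from Nextcloud or from Cloudflare), this script POSTs to Nextcloud's Login Flow v2 endpoint, which the mobile apps use to start a web login, through the Access-fronted URL and reports whether Nextcloud's JSON reached the client or Cloudflare Access redirected to its login page. Run it with the Access client certificate to confirm the certificate Bypass, or without one from a WARP-connected device to confirm the WARP Bypass; the hostname and certificate paths are placeholders.

```python
# Added diagnostic (not from the thread): POST the Nextcloud Login Flow v2
# endpoint, which the mobile apps call, through the Cloudflare-Access-fronted
# URL and report whether Nextcloud answered or Access intercepted the request.
# Hostname and certificate paths are placeholders.
import json
import ssl
import urllib.error
import urllib.request

LOGIN_FLOW_PATH = "/index.php/login/v2"  # endpoint the Nextcloud apps POST to


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """'nextcloud' if the login-flow JSON came back, 'access-challenge' if
    Cloudflare Access redirected to its login page, otherwise 'unknown'."""
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and "cloudflareaccess.com" in location:
        return "access-challenge"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and "poll" in data and "login" in data:
            return "nextcloud"
    return "unknown"


def probe(base_url, client_cert=None, timeout=10):
    """client_cert=(cert_pem, key_pem) presents the Access mTLS certificate;
    run without it from a WARP-connected device to test a WARP Bypass."""
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    opener = urllib.request.build_opener(
        NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url + LOGIN_FLOW_PATH, data=b"", method="POST")
    try:
        with opener.open(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return classify(resp.status, hdrs, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return classify(err.code, hdrs, err.read().decode(errors="replace"))
```

A result of `access-challenge` means the app's request is still hitting the Zero Trust page, i.e. the Bypass policy is not matching; `nextcloud` means the tunnel is passing the app through.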