NC 20: web server not set up properly to support "./well-known/caldav"

I have been using Nextcloud for some years now and just today got rid of these 2 messages by adding 4 lines to the nextcloud.conf:

<IfModule mod_rewrite.c>
Redirect 301 /.well-known/carddav https://qqq.qqq.qqq/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://qqq.qqq.qqq/nextcloud/remote.php/dav
</IfModule>

After that I restarted apache and the notifications were gone :slight_smile:

My Nextcloud is located under /var/www/html so the root is /var/www/html/nextcloud

My /etc/apache2/sites-available/nextcloud.conf now looks like:

<VirtualHost *:443>
ServerName nnn.nnn.nnn.nnn <- this is my local lan address
ServerAlias localhost
ServerAlias qqq.qqq.qqq <- this is a public dynamic dns name from no-ip
ServerAlias yyy.yyy.yyy <- just another public dns name from another provider

<IfModule mod_rewrite.c>
Redirect 301 /.well-known/carddav https://qqq.qqq.qqq/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://qqq.qqq.qqq/nextcloud/remote.php/dav
</IfModule>

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

</Directory>

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

I have edited the above a couple of times but I can not get the last line ‘</VirtualHost>’ to show up.

Hi KarlF12,

your answer didn’t help me at all. Before I raised the issue I read carefully through the NC documentation and also checked all relevant contributions which had been raised before.

I followed the “advice” to use a .htaccess file, though (for production deployment) I don’t like .htaccess because its contents are loaded every time there is a request to NC over the internet.

As I mentioned before, instead of telling that the web server is not set up properly, it would be better to also supply some pertinent information. It would minimize the time to get down to the real cause of the error and warning respectively.

Reading through all users’ comments I gained the impression that my issue was also the issue of other users. It seems to me that they also struggled, invested a lot of time, some had been successful, some not. Some hints / solutions offered by them did not work for me.

I’d appreciate if there was some debugging module which clearly tells what is wrong.

As I have written in my first contribution, I can sync contacts and calendars between my NC server and my Android phone by specifying the “full” URL.
I just would like to get rid of the warnings when checking my NC installation.

Best regards
Dieter

Hi JackV,

thank you very much for your suggestion. I applied it (only very minor changes to my current NC VirtualHost file). Unfortunately the two warnings still remain.

I checked two variants:

  1. Without the .htaccess file (but its contents being part of the NC VirtualHost file)
  2. With the .htaccess (as shipped with NC v20)

In both variants no success so far.

By the way, as far as I understand, your two “Redirect 301 …” lines have the same effect as the similar statements in the .htaccess file.

I think that the cause of the two warnings is probably a minor one, but as long as NC developers refer to the documentation (sometimes referring to older versions of NC) instead of supplying a tool, users waste a lot of their precious time.

Perhaps (I don’t know) the problem could be related to

  1. specifying statements for hardening Apache2 in general
  2. specifying statements in NC VirtualHost file for security
  3. deploying the “standard” suggestion for NC VirtualHost file (NC documentation).

Is there somebody who has successfully tightened his/her apache2 (in a general sense), implementing all NC security, preferably also implemented ModSecurity (v3.x) and who is willing to share their configuration stuff (sensitive data replaced) for interested users like me?

Thank you very much.
Best regards
Dieter

The answer that Karl gave is not wrong. Basically a .htaccess file is an Apache config file that only affects the folder it is placed in. If you do not want to use .htaccess, then you have to include the relevant lines for WebDAV in your main Apache config file or in the config file of your virtual host instead.

Hi bb77,

Karl’s answer is OK, and yours, too. As described above I checked the .htaccess variant but also a variant putting this file aside and incorporating its contents into the NC virtual host file.
No success so far.

Best regards
Dieter

Ah ok. Sorry, didn’t read the first post carefully enough :wink:

Not sure if I can help you with this… but I’ll post my working Apache virtual host config, .htaccess file and config.php of my test server…

I’m not 100% sure but I think this is the part that does the trick. But I’m no expert.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

My Apache config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLOptions +StrictRequire

SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCACertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.tld/privkey.pem

<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; preload"
</IfModule>
</VirtualHost>

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</IfModule>

My .htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

My config.php:

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => 'cloud.mydomain.tld',
  ),
  'datadirectory' => '/var/nc_data',
  'dbtype' => 'mysql',
  'version' => '20.0.4.0',
  'overwrite.cli.url' => 'https://cloud.mydomain.tld',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'installed' => true,
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/nc_data/nextcloud.log',
  'loglevel' => 2,
  'logtimezone' => 'Europe/Zurich',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'app_install_overwrite' => 
  array (
    0 => 'cookbook',
    1 => 'drawio',
  ),
);

The warning is saying specifically the carddav and caldav lines are missing (or not correctly applied) to your web server configuration. I understand you feel that they should write a tool to reconfigure your web server for you, but alas this is just not how things are done because everyone sets their systems up a little differently. Case in point you aren’t using the default .htaccess configuration supplied with Nextcloud, so a “tool” they provided to make the changes for you would likely break your setup instead.

In my case, adding those two lines to the site config resolved it. Your exact solution may vary depending on how you set up your web server, but the info in the documentation is correct.

Hi DieterH

sorry to be back with this, the notifications are back again. I have seen a green checkmark today but now it has gone :sob:

Kind regards,

Jack

Hi Dieter,

here I am again, today I noticed that the appearance of the messages depends on the way I connect.

Note the lines in my nextcloud.conf are:

Redirect 301 /.well-known/carddav https://qqq.qqq.qqq/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://qqq.qqq.qqq/nextcloud/remote.php/dav

When I connect via https://qqq.qqq.qqq/nextcloud the messages are not there and I see the green checkmark.
When I connect via the ServerName or another alias I have the messages.

So I am green some way. (I am not an Apache expert by the way :blush:)

Maybe this helps

Kind regards,

Jack

Hello, solved it for all my domain names…

As you can see above, my /etc/apache2/sites-available/nextcloud.conf already contained:

<IfModule mod_rewrite.c>
Redirect 301 /.well-known/carddav https://qqq.qqq.qqq/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://qqq.qqq.qqq/nextcloud/remote.php/dav
</IfModule>

and I did not have the issue anymore when I logged in to the website with the domain name qqq.qqq.qqq (which is a placeholder of course).

I took that part of 4 lines out and replaced it by the next 3:

RewriteEngine On
RewriteRule ^(.*/\.well-known/carddav)$ https://%{HTTP_HOST}/nextcloud/remote.php/dav [R=301,L]
RewriteRule ^(.*/\.well-known/caldav)$ https://%{HTTP_HOST}/nextcloud/remote.php/dav [R=301,L]

The patterns between ‘()’ mean starting ‘^’ with any character ‘.’, followed by anything ‘*’ and ending ‘$’ with /.well-known/carddav or /.well-known/caldav where an extra ‘\’ is needed so that the ‘.’ before ‘well-known’ is not seen as a wildcard character.
HTTP_HOST is a variable containing the name used to access your website.

So my nextcloud.conf now looks like:

<VirtualHost *:443>
ServerName nnn.nnn.nnn.nnn
ServerAlias localhost
ServerAlias qqq.qqq.qqq
ServerAlias yyy.yyy.yyy

RewriteEngine On
RewriteRule ^(.*/\.well-known/carddav)$ https://%{HTTP_HOST}/nextcloud/remote.php/dav [R=301,L]
RewriteRule ^(.*/\.well-known/caldav)$ https://%{HTTP_HOST}/nextcloud/remote.php/dav [R=301,L]

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

</Directory>

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

</VirtualHost>

So happy to have the green check mark when I access the web page via ServerName or any ServerAlias.

Kind regards,

Jack
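An added check, not from any poster in this thread, that does for every ServerName and ServerAlias what Jack found he had to verify by hand: it requests /.well-known/caldav and /.well-known/carddav on each hostname without following redirects and reports whether the reply is a redirect to <webroot>/remote.php/dav on the same host that was asked. A redirect to a fixed host (the original `Redirect 301 ... https://qqq.qqq.qqq/...` lines) passes for that host and fails for every other alias, which is the behaviour Jack observed; the `%{HTTP_HOST}` RewriteRule variant passes on all of them. The hostnames, the `/nextcloud` webroot default and the `check_wellknown.py` file name are assumptions; `evaluate()` works on constructed (status, Location) pairs so it can be exercised offline.

```python
"""Check Nextcloud's /.well-known/caldav and /.well-known/carddav redirects on
every hostname a vhost answers to (ServerName plus each ServerAlias)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SERVICES = ("caldav", "carddav")
REDIRECT_CODES = (301, 302, 307, 308)


def evaluate(host, status, location, webroot="/nextcloud"):
    """Judge one response to GET https://<host>/.well-known/<service>.

    Returns (ok, reason). 'ok' means: a redirect whose Location points at
    <webroot>/remote.php/dav on the same host that was asked (a relative
    Location counts as same host). A redirect to a different host is the
    symptom from this thread: green via that host, a warning via any alias.
    """
    if status not in REDIRECT_CODES:
        return False, f"expected a redirect, got HTTP {status}"
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme and target.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if target.netloc and target.netloc.lower() != host.lower():
        return False, f"redirect leaves the requested host: {host} -> {target.netloc}"
    want = webroot.rstrip("/") + "/remote.php/dav"
    if target.path.rstrip("/") != want:
        return False, f"redirect path is {target.path!r}, expected {want!r}"
    return True, f"HTTP {status} -> {location}"


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(host, service, timeout=5):
    """Return (status, Location) for the .well-known URL, without following it."""
    url = f"https://{host}/.well-known/{service}"
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def check_hosts(hosts, webroot="/nextcloud"):
    """Live check of every host; returns {(host, service): (ok, reason)}."""
    results = {}
    for host in hosts:
        for service in SERVICES:
            status, location = fetch(host, service)
            results[(host, service)] = evaluate(host, status, location, webroot)
    return results


if __name__ == "__main__":
    # Usage: python3 check_wellknown.py cloud.example.test other.example.test
    hosts = sys.argv[1:] or ["cloud.example.test"]  # assumed placeholder host
    for (host, service), (ok, reason) in check_hosts(hosts).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}/.well-known/{service}: {reason}")
```

Run it once per hostname you actually type into the browser; a FAIL with "leaves the requested host" on an alias is exactly the fixed-host Redirect case, and is fixed by the `%{HTTP_HOST}` rules above.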

Hi Jack,

thank you very much for your post. Currently my Raspberry is under major re-construction. As soon as I have accomplished the work, I’ll follow your hints hoping to achieve a green check mark, too.

Kind regards
Dieter

Hi Dieter,

It is always nice to be in contact with people interested and busy with the same things.

My Pi is also under reconstruction and I wanted to get rid of all messages in Nextcloud so I did a clean install of Buster last week.

All my notes on my latest Nextcloud installation of 20.0.4 a couple of days ago and all kinds of issues I ran into and solved in the last years are in 1 txt file on my Nextcloud:

https://veraart.thehomeserver.net/nextcloud/index.php/s/ySpsFfZTgNSp2pt

Good luck and I hope it helps

Kind regards,

Jack

Whoooooooops

The next link may work better :blush::

https://veraart.thehomeserver.net/nextcloud/index.php/s/QmYiMzsTZfcEZbn

Jack

Hi Dieter,

Any success with NC configuration? I am about to remove my share. Please download things before Monday if you need any.

Kind regards,

Jack

On 16 Jan. 2021, at 11:33, “Dieter Heußner via Nextcloud community” <noreply@nextcloud.com> wrote:

Hi JackV,

thank you for your e-mail and also for your assistance. I copied the
information to local disk, hence you may close your share.

Due to my limited leisure time I did not yet succeed with NextCloud
installation which does not contain any warnings.

I installed everything from scratch, my NC is working, but I would like to get
rid of the warnings. I’m confident that I’ll succeed.
Furthermore I plan to install ModSecurity v3 to further secure my web server
(not only NC).

Any success with NC configuration? I am about to remove my share. Please
download things before Monday if you need any.

Kind regards,
Jack

Kind regards
Dieter

I just upgraded to NC version 20.0.7. Upgrade process OK.

When running as NC administrator the sequence “Settings” (top right corner) followed by “overview” (left hand side), I get two warnings about my original topic (see above).
When trying to read the log file (clicking on “protocol”), NC enters a permanent loop.
The reason is quite simple, but NOT understood.

The permission of the NC log file is set by NC to
--w------T 1 www-data www-data 596973 Feb 3 19:56 /var/www/html/data/nextcloud.log

Changing the permission of the log file by
chmod 644 /var/www/html/data/nextcloud.log
chmod o+t /var/www/html/data/nextcloud.log

yields:
-rw-r--r-T 1 www-data www-data 596973 Feb 3 19:56 /var/www/html/data/nextcloud.log

But when clicking the “protocol” button again, the permissions are reset by NC to --w------T.

How should one be able to view the protocol entries?
Any idea to solve this issue?

Kind regards
Dieter

Hi Dieter,

I also just upgraded to 20.0.7 and have no issues. Still green.
The “protocol” you mention is the logging button in the far left bottom corner just above the System button I think. I have some logging there.

My data is located in a NextCloud folder on a USB disk mounted in /mnt/Share0 and the file looks like:

root@pi41:~# ls -l /mnt/Share0/NextCloud/nextcloud.log
-rw-r----- 1 www-data www-data 439 Feb 8 08:59 /mnt/Share0/NextCloud/nextcloud.log

Maybe it has something to do with the security of the parent directory?

root@pi41:~# ls -ld /mnt/Share0/NextCloud/
drwxr-x--- 9 www-data www-data 4096 Feb 8 08:59 /mnt/Share0/NextCloud/

As I remember, the sticky bit is not set on files anymore but only has effect when set on the parent folder. It sets the directory security so only the creators of files not others with write access can delete them. I have a simple installation with no additional security settings so maybe this is why I do not have this issue.

I also checked by restarting apache2 and after that by rebooting my raspberry pi and the security does not change…

Hi JackV,

now I have some time again, I’ll check my configuration with respect to your contribution.

Thanks a lot.

Kind regards
Dieter

Hi JackV,

could you tell me your e-mail address, please?
Mine is Dieter.Heussner@mailbox.org

Thanks a lot!
Kind regards
Dieter

Solved it! It’s due to the trailing / on ProxyPass. I kept having remote.phpp instead of remote.php, thanks to these posts: Requested uri (/cloud/remote.phpp/dav/files/mburchard/) is out of base uri (/cloud/remote.php/dav/) · Issue #20707 · nextcloud/server · GitHub && Nextcloud behind Apache reverse proxy, remote.php becomes remote.phpp - #2 by skjaeve