NC 27 behind reverse nginx proxy - .well-known/webfinger

Is there anybody who runs NC 27 behind reverse nginx proxy without any setup warnings regarding /.well-known/webfinger?

My NC 27.1.3 runs on nginx behind a nginx reverse proxy
https//my_nginx_proxy:4431 → http://my_next_cloud_on_nginx:8080/
Switched from apache configuration to nginx since apache was unfortunately unstable.
As long as it run with apache I got the green dot for Security & setup warnings.

After switching from apache to to nginx I get permanently the message

  • Your web server is not properly set up to resolve “/.well-known/webfinger”.
  • Your web server is not properly set up to resolve “/.well-known/nodeinfo”.

Tried out some configs but no solution so far. I am slowly getting desperate now.
Any suggestions?
Thank you in advance!

My nginx proxy config:

server {
    listen 4431      ssl http2;
    listen [::]:4431 ssl http2;
    server_name removed for the nextcloud forum;
    proxy_http_version 1.1;

    access_log                 /var/log/nginx/access.log;
    error_log                  /var/log/nginx/error.log;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    ssl_certificate            removed for the nextcloud forum
    ssl_certificate_key        removed for the nextcloud forum
    ssl_session_timeout        5m;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
    ssl_session_cache          shared:SSL:10m;

    # set max upload size
    client_max_body_size 10G;
    client_body_buffer_size 512M;

    # for SafeInCloud Password Manager
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;

    # secure headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header Permissions-Policy                   "interest-cohort=()";
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    location ^~ /.well-known {
        location = /.well-known/carddav         { return 301 /remote.php/dav/; }
        location = /.well-known/caldav          { return 301 /remote.php/dav/; }
        location = /.well-known/webfinger       { return 301 /index.php/.well-known/webfinger; }
        location = /.well-known/nodeinfo        { return 301 /index.php/.well-known/nodeinfo; }
        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
        return 301 /index.php$request_uri;

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Front-End-Https on;
1 Like

Edit to your needs and you should be good to go

Thank you but this doc is well known (what a play on words) and - if you compare - I’m using this settings already … unfortunately I got the .well-nown messages

1 Like