Nexcloud App does not work with Traefik

carlos · August 7, 2021, 11:36am

Hello, I have this problem with the Nexcloud App:
I use Nextloud by Traefik.
The App is synchronizing the photos with my server at the address:

http: // my_ip_local: my_port

and it works fine.
But my server also works with Traefik at the address:

https: // my_domain_traefik

When I want to synchronize the App with Traefik, by means “add account”, I can advance until it asks me for my username and password, then ¡, when I give them the App stays “thinking”, it does not get to synchronize, but it does not give me an error.
Is it not possible to sync with the two addresses? Maybe I have to delete the first account, the one that is linked to http?

Thanks a lot!

Omega1902 · August 14, 2021, 7:18pm

Same problem here using nginx proxy. I cannot use the Android or Linux client with DNS address

Adding more details: same problem with Nextcloud docker 21-apache and 22-apache. The app IS added under settings/security/devices. I can connect the DAVx5 app. In the browser console I can see an error regarding “form-action”.

tflidd · August 15, 2021, 9:42am

Did you check the documentation?
https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html

With the overwrite conditions set properly, it should work on the local network as well.

If you follow up the logs of your server and the proxy, it can help to find where the communitcation fails.

carlos · August 15, 2021, 2:11pm

Hi Omega1902, You may be right, but I’m using docker, and all Traefik parameters are specified in the docker-compose.yml. In fact, traefik works without problem on the PC, by Firefox, it just doesn’t work for me with the App.
I think it may be a solution to modify in config.php, but I see a risk in duplicating the information because in the future I may forget to change on both sides, of course it is not a practice to configure the same thing twice.
Is it possible that it could work for me just setting the docker-compose.yml.?

    environment:
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_HOST=${MYSQL_HOST}
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD${NEXTCLOUD_ADMIN_PASSWORD}
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.${MI_DOMINIO_4}:${NEXTCLOUD_HTTP_PORT}
      - REDIS_HOST=redis
    volumes:
      - ${MI_DOCKER}/nextcloud:/var/www/html
      - ${MI_DOCKER}/nextcloud/apps:/var/www/html/custom_apps
      - ${MI_DOCKER}/nextcloud/config:/var/www/html/config
      - ${DISCO_DATOSNUBE}/nextcloud:/var/www/html/data
    labels:
      - traefik.enable=true
      - traefik.docker.network=web
      - traefik.http.routers.nextcloud.rule=Host(`nextcloud.${MI_DOMINIO_4}`)
      - traefik.http.routers.nextcloud.entrypoints=websecure
      - traefik.http.routers.nextcloud.tls=true
      - traefik.http.routers.nextcloud.tls.certresolver=lets-encrypt
      - traefik.http.routers.nextcloud.middlewares=nc-rep,nc-header
      - traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav
      - traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/
      - traefik.http.middlewares.nc-rep.redirectregex.permanent=true
      - traefik.http.middlewares.nc-header.headers.frameDeny=true
      - traefik.http.middlewares.nc-header.headers.sslRedirect=true
      - traefik.http.middlewares.nc-header.headers.contentTypeNosniff=true
      - traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.nc-header.headers.stsPreload=true
      - traefik.http.middlewares.nc-header.headers.stsSeconds=31536000
      - traefik.http.middlewares.nc-header.headers.referrerPolicy=same-origin
      - traefik.http.middlewares.nc-header.headers.browserXssFilter=true
      - traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=websecure
      - traefik.http.middlewares.nc-header.headers.customResponseHeaders.X-Robots-Tag=none
      - traefik.http.middlewares.nc-header.headers.customFrameOptionsValue=SAMEORIGIN
    networks:
      - internal
      - web

Thanks!!!

Omega1902 · August 15, 2021, 4:52pm

Same for me, the only difference is that I use nginx proxy with docker. How ever, reading through the documentation linked by tflidd I added the local IP address to both the config file and the proxy configuration. Now I can use the IP address to link the app in my local network. Via DNS it does still not work. How ever, both ways actually use my proxy! Locally not encrypted on port 80 and via DNS encrypted on port 443, but I can say for sure that both ways are with the proxy (the Nextcloud container port is only available to the proxy).
If I find a solution for my setup I will post it and you might be able to adapt for traefik, but currently I think about leaving it as it is…

Omega1902 · August 16, 2021, 9:18am

I’ve looked into the browser console and found the following error code everytime I press the grant access button:

Content Security Policy: The page’s settings blocked the loading of a resource at http://my.dyndns.com/login/v2/grant (“form-action”).

I’ve noticed that it says http, while having an https connection. I’ve manually changed it on the PC, which solved the problem! How ever, this workaround is probably only suitable on PC, since I cannot edit the HTML on Android as on PC. I’ll test the overwriteprotocol parameter

Omega1902 · August 16, 2021, 10:39am

I’ve set the overwritehost to my dyndns and ‘overwriteprotocol’ to https in config/config.php. Now the app can connect to Nextcloud via URL, but I have to remove the connection with IP address (which I do not see as a downside)
Opening the browser in the IP address results in being forwarded to the URL, which is also appreciated.

So the proxy configured itself was ok, but I failed to configure Nextcloud properly behind the proxy.

Thanks for the help!

carlos · August 17, 2021, 8:01am

I think the problem with not being able to use the IP is that if there is no internet (for example, a service drop), then it will not work even with your local network. You will also not be able to close the external ports on the router (if necessary for security).

bb77 · August 17, 2021, 11:51am

That’s why you want a proper DNS setup in your local network. Because even if you can connect to your Nextcloud local IP address and everything works, you would have to change that every time the client device leaves the local network. While this doesn’t matter much on a stationary computer, it’s a pain on a mobile device.

There are several ways to use the same DNS name on the internal network as on the external one.

local host overrides directly in the hosts file of the respective device. Of course this is only useful for stationary devices.
NAT Loopback. (Must be supported by the router and explicitly enabled in certain models)
host overrides in your router (must be supported by your router obviously, most consumer / ISP routers do not support it)
a separate DNS server on e.g. a Raspberry Pi. The easiest way to set this up is with Pi-hole. As a nice side effect you also get a network wide ad blocker with it.