NextCloud Error 403 After Login With NGINX - Fresh Install

WhiteKnuckles · September 19, 2023, 8:04pm

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 20.0.5): 27.1.07
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04
Apache or nginx version (eg, Apache 2.4.25): nginx 1.18.0
PHP version (eg, 7.4): 8.2

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):Y

Steps to replicate it:

Install NextCloud
Create nginx configuration
Login in - receive error 403

The output of your Nextcloud log in Admin > Logging:

PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

PASTE HERE

The output of your Apache/nginx/system log in /var/log/____:

2023/09/19 15:44:44 [error] 508475#508475: *3 directory index of "/var/www/nextcloud/apps/dashboard/" is forbidden, client: REDACTED, server: REDACTED, request: "GET /apps/dashboard/ HTTP/2.0

PASTE HERE


Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

PASTE HERE

My nginx configuration

upstream php-handler {
server unix:/run/php/php8.2-fpm.sock;
}

server {
if ($host = REDACTED) {
return 301 https://$host$request_uri;
}

listen 80;
listen [::]:80;
server_name REDACTED;
return 301 https://$host$request_uri;

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name REDACTED;
ssl_certificate /etc/letsencrypt/live/REDACTED/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/REDACTED/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

root /var/www/nextcloud;

client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Security headers
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

fastcgi_hide_header X-Powered-By;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location ^~ /.well-known {
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
    return 301 /index.php$request_uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    return 404;
}

location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ \.(?:css|js|svg|gif)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
}

location ~ \.woff2?$ {
    try_files $uri /index.php$request_uri;
    expires 7d;
    access_log off;
}

location / {
    try_files $uri $uri/ /index.php$request_uri;
}

}

WhiteKnuckles · September 19, 2023, 10:19pm

Managed to get a working configuration. That is all set except for a minor error I’m working on.

Now I am still experiencing an issue I had with a Snap install as well as this manual install. The upload of any PDF file results in a “Unknown Error,” which produces a 403 forbidden. In order to get PDF’s onto my server I first have to put them into a Zip file then extract them on the nextcloud instance.

reylon · September 21, 2023, 6:55pm

How you solved the first issue? same problem - after web install I’m redirect to https://ip/nextcloud/apps/dashboard/) → result page - “403 forbidden - nginx”
I added trusted proxies in nextcloud config - not sure why I accessed only once time to nextcloud
login page but same problem on the next page… and never could again to access to login page

WhiteKnuckles · September 22, 2023, 1:31am

This should get you going:

upstream php-handler {
server unix:/run/php/php8.2-fpm.sock; #Modify according to your setup
}

server {
if ($host = your_domain.com) { #change to your domain
return 301 https://$host$request_uri;
}

listen 80;
listen [::]:80;
server_name your_domain.com; #change to your domain
return 301 https://$host$request_uri;

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name your_domain.com; #change to your domain

#Modify SSL Certificate for your use case
ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# Security Headers
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy "no-referrer" always;

# Path to Nextcloud installation
root /var/www/nextcloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Resolving well-known URIs
location = /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}
# Modified ocm-provider block
location ^~ /ocm-provider/ {
    alias /var/www/nextcloud/ocm-provider/;
    try_files $uri $uri/ =404;
}
location = /.well-known/webfinger {
    return 301 $scheme://$host/index.php$uri;
}
location = /.well-known/nodeinfo {
    return 301 $scheme://$host/index.php$uri;
}

# Set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip
gzip off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
    rewrite ^ /index.php$uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    include fastcgi_params;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    fastcgi_param X-Robots-Tag "noindex, nofollow";
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
}

location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
}

location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
    try_files $uri /index.php$uri$is_args$args;
    access_log off;
}

}