Nextcloud - no access on LAN. Installation / activation - 403 forbidden

Update2: Added logs to post below

Update:

Issue: unable to access Nextcloud unless using the machine where Nextcloudpi is installed.

What would need configuring to fix this?

Summary:
Nextcloudpi in Docker installed on Raspberry Pi.
Able to access Nextcloud (https://<RPi_IP>) and see NCP Activation page (https://<RPi_IP>/activate/) only when browsing on the RPi.
Using other machines on the same LAN as the RPi results in a 403 error when trying to access Nextcloud (https://<RPi_IP>).
Able to SSH into the RPi using other machines on the same LAN as the RPi.
Only need Nextcloud accessible on LAN.

Original post:

Hi all,

I’m a beginner Linux user.

Issue: 403 forbidden when trying to activate/access https://<RPi_IP> after installation. Unable to access wizard on https://<RPi_IP>:4443/
Nextcloudpi installed on RPi3B+.
Trying to access Nextcloud from laptop.
Using Raspbian Buster Lite.

SSH into RPi from laptop.
Installed Docker and ran:
docker run -d -p 4443:4443 -p 443:443 -p 80:80 -v ncdata:/data --name nextcloudpi ownyourbits/nextcloudpi $DOMAIN

Waited for ‘Init done’.

But 403 on https://<RPi_IP>

On a fresh image I have tried installing NCP using cURL method and on another fresh SD used the NextCloudPi system image: https://ownyourbits.com/downloads/NextCloudPi_RPi_03-28-20/

But both methods still cannot access Nextcloud from https://<RPi_IP> on laptop as it results in 403 forbidden error. Unable to access wizard https://<RPi_IP>:4443/

Would prefer getting NCP working on Docker. How would I diagnose this issue? (beginner-friendly advice please).

Maybe you can provide a screenshot, and info on browser used.
You have to add an exception to bypass the warning when visiting a site with a self-signed certificate for the first time. At least until you get a valid Let's Encrypt certificate…
Check docs for steps
In Warning screen. Click advanced and add exception to proceed.

Hi OliverV,

403 Forbidden error displays:

Forbidden

You don’t have permission to access this resource.

Added exception when prompted.

Same 403 error using Firefox on one machine and Chrome on another.

In short: unable to access Nextcloud unless using the machine where Nextcloudpi is installed.

Decided to do a completely fresh install.
This time using Raspbian Buster with desktop instead of Raspbian Buster Lite.

Went through the process of installing Nextcloudpi in Docker (using laptop to SSH into RPi).

On the laptop was still getting 403 error on the NCP page (https://<RPi_IP>).

But using the browser on the RPi (where NCP is installed), I was able to gain access to the NCP Activation page (https://<RPi_IP>/activate/).

So I’m unable to access Nextcloud unless I’m using the machine where Nextcloudpi is installed.

The laptop and RPi are connected on the same LAN.

Is there something that needs configuring?

Summary:
Nextcloudpi in Docker installed on Raspberry Pi.
Able to access Nextcloud (https://<RPi_IP>) and see NCP Activation page (https://<RPi_IP>/activate/) only when browsing on the RPi.
Using other machines on the same LAN as the RPi results in a 403 error when trying to access Nextcloud (https://<RPi_IP>).
Able to SSH into the RPi using other machines on the same LAN as the RPi.
Only need Nextcloud accessible on LAN.

Here’s some logs:

<!-- Paste this in GitHub report -->

NextCloudPi diagnostics


NextCloudPi version  v1.24.0
NextCloudPi image    NextCloudPi_docker_04-06-20
distribution         Debian GNU/Linux 10 \n \l
automount            no
USB devices          none
datadir              /data/nextcloud/data
data in SD           yes
data filesystem      ext2/ext3
data disk usage      4.7G/15G
rootfs usage         4.7G/15G
swapfile             /var/swap
dbdir                /data/database
Nextcloud check      ok
Nextcloud version    18.0.3.0
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        closed
port check 443       open
IP                   ***REMOVED SENSITIVE VALUE***
gateway              ***REMOVED SENSITIVE VALUE***
interface            eth0
certificates         ***REMOVED SENSITIVE VALUE***
NAT loopback         no
uptime               17:11

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "11": "*My_IP*",
            "1": "172.17.0.2",
            "5": "nextcloudpi.local",
            "7": "nextcloudpi",
            "8": "nextcloudpi.lan",
            "6": "*RPi_IP*"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "18.0.3.0",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "tempdirectory": "\/var\/www\/nextcloud\/data\/tmp",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "overwriteprotocol": "https"
    }
}

HTTPd logs

[Sun May 03 22:34:12.069439 2020] [ssl:error] [pid 99:tid 1996197296] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=localhost / issuer: CN=localhost / serial: 230E6FEDC48A5981C4496B06D88B6B8B1A4D7F88 / notbefore: Apr  6 05:22:36 2020 GMT / notafter: Apr  4 05:22:36 2030 GMT]
[Sun May 03 22:34:12.069693 2020] [ssl:error] [pid 99:tid 1996197296] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Sun May 03 22:34:12.117509 2020] [ssl:error] [pid 100:tid 1996197296] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=localhost / issuer: CN=localhost / serial: 230E6FEDC48A5981C4496B06D88B6B8B1A4D7F88 / notbefore: Apr  6 05:22:36 2020 GMT / notafter: Apr  4 05:22:36 2030 GMT]
[Sun May 03 22:34:12.117661 2020] [ssl:error] [pid 100:tid 1996197296] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Sun May 03 22:34:12.128126 2020] [mpm_event:notice] [pid 100:tid 1996197296] AH00489: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Sun May 03 22:34:12.128303 2020] [core:notice] [pid 100:tid 1996197296] AH00094: Command line: '/usr/sbin/apache2'
[Sun May 03 22:38:13.968080 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:53741] AH01630: client denied by server configuration: /var/www/ncp-web/
[Sun May 03 22:38:14.617480 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:53741] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico, referer: https://*RPi_IP*/
[Sun May 03 22:38:21.496745 2020] [authz_core:error] [pid 103:tid 1587524640] [client *LAN_PC1_IP*:53746] AH01630: client denied by server configuration: /var/www/ncp-web/
[Sun May 03 22:38:30.715538 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:53749] AH01630: client denied by server configuration: /var/www/ncp-web/index.php, referer: http://*RPi_IP*/
[Sun May 03 22:38:31.655082 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:53749] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico, referer: https://*RPi_IP*/index.php
[Sun May 03 22:51:52.656396 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:49294] AH01630: client denied by server configuration: /var/www/ncp-web/
[Sun May 03 22:51:53.373471 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:49296] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico, referer: https://*RPi_IP*/
[Sun May 03 22:52:03.630944 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:49298] AH01630: client denied by server configuration: /var/www/ncp-web/
[Sun May 03 22:52:03.857065 2020] [authz_core:error] [pid 103:tid 1692017696] [client *LAN_PC1_IP*:49298] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico, referer: https://*RPi_IP*/

Database logs

2020-05-03 22:34:13 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2020-05-03 22:34:13 0 [Note] InnoDB: 10.3.22 started; log sequence number 1626133; transaction id 21
2020-05-03 22:34:13 0 [Note] InnoDB: Loading buffer pool(s) from /data/database/ib_buffer_pool
2020-05-03 22:34:13 0 [Note] Plugin 'FEEDBACK' is disabled.
2020-05-03 22:34:13 0 [Note] InnoDB: Buffer pool(s) load completed at 200503 22:34:13
2020-05-03 22:34:13 0 [Note] Server socket created on IP: '127.0.0.1'.
2020-05-03 22:34:13 0 [Note] Reading of all Master_info entries succeeded
2020-05-03 22:34:13 0 [Note] Added new Master_info '' to hash table
2020-05-03 22:34:13 0 [Note] mysqld: ready for connections.
Version: '10.3.22-MariaDB-0+deb10u1'  socket: '/run/mysqld/mysqld.sock'  port: 3306  Debian 10
2020-05-03 22:37:14 0 [Note] mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2020-05-03 22:37:14 0 [Note] Event Scheduler: Purging the queue. 0 events
2020-05-03 22:37:14 0 [Note] InnoDB: FTS optimize thread exiting.
2020-05-03 22:37:14 0 [Note] InnoDB: Starting shutdown...
2020-05-03 22:37:14 0 [Note] InnoDB: Dumping buffer pool(s) to /data/database/ib_buffer_pool
2020-05-03 22:37:14 0 [Note] InnoDB: Buffer pool(s) dump completed at 200503 22:37:14
2020-05-03 22:37:16 0 [Note] InnoDB: Shutdown completed; log sequence number 4099482; transaction id 2733
2020-05-03 22:37:16 0 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
2020-05-03 22:37:16 0 [Note] mysqld: Shutdown complete


Nextcloud logs


Should be open, could be you have a webserver already running, before starting container?

Hi OliverV,

I want to thank you. I think I may have found what the issue could be.

After reading your post I did a little digging into that and came across this comment on GitHub by @nachoparker:

<RequireAny>
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
</RequireAny>

How would you check nextcloud.conf? (NCP running in Docker)

Edit: ncp.sh - line 55

   <RequireAny>
      Require host localhost
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
   </RequireAny>

Could this be a requirement to activate then access NCP locally through the browser? (Didn’t see any documentation mention requirements).

Anyone able to verify if using an address outside the above private addresses causes issues?
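
Added example, not part of the original thread and not NextCloudPi's own code: a small Python model of the `<RequireAny>` block quoted from ncp.sh, plus a parser for the `AH01630` lines in the HTTPd log, to check which client addresses the allowlist admits. The sample log lines and all IP addresses are constructed (the post redacts the real ones), and the function names are hypothetical.

```python
import ipaddress
import re

# Rules from the <RequireAny> block quoted in the post. "Require host localhost"
# is left out because it depends on reverse DNS, which this sketch does not do.
RULES = ["local", "ip 192.168", "ip 172", "ip 10", "ip fe80::/10", "ip fd00::/8"]

# Constructed sample lines in the format of the HTTPd log above; the client
# and server addresses are made up.
SAMPLE_LOG = """\
[Sun May 03 22:38:13.968080 2020] [authz_core:error] [pid 103:tid 1692017696] [client 198.51.100.23:53741] AH01630: client denied by server configuration: /var/www/ncp-web/
[Sun May 03 22:38:14.617480 2020] [authz_core:error] [pid 103:tid 1692017696] [client 198.51.100.23:53741] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico, referer: https://198.51.100.10/
"""
DENIED = re.compile(r"\[client ([0-9A-Fa-f.:]+):\d+\] AH01630: client denied "
                    r"by server configuration: ([^\s,]+)")

def rule_network(spec):
    """Expand a 'Require ip' argument. A partial IPv4 address is a prefix
    match on whole octets, so '172' covers 172.0.0.0/8, not just 172.16/12."""
    if "/" in spec or ":" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def matching_rule(client, server=None):
    """Return the first rule that admits `client`, or None (request gets 403)."""
    addr = ipaddress.ip_address(client)
    for rule in RULES:
        if rule == "local":
            # Require local: loopback, or client and server address identical.
            if addr.is_loopback or (server and addr == ipaddress.ip_address(server)):
                return rule
        elif addr in rule_network(rule.split(None, 1)[1]):
            return rule
    return None

def denied_clients(log_text):
    """Group the paths refused with AH01630 by client address."""
    seen = {}
    for ip, path in DENIED.findall(log_text):
        seen.setdefault(ip, []).append(path)
    return seen

if __name__ == "__main__":
    for ip, paths in denied_clients(SAMPLE_LOG).items():
        print(ip, "denied on", paths, "-> admitting rule:", matching_rule(ip))
    for ip in ("192.168.1.20", "172.32.0.5", "10.0.0.7", "fd12::1"):
        print(ip, "->", matching_rule(ip))
```

A client for which `matching_rule` returns `None` is refused by Apache's authorization layer before Nextcloud's `trusted_domains` is ever consulted. Note that `Require ip 172` also admits addresses outside the RFC 1918 range 172.16.0.0/12.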