Nextcloud version (eg, 20.0.5): 28.0.4
Operating system and version (eg, Ubuntu 20.04): Docker on Debian
Apache or nginx version (eg, Apache 2.4.25): NGINX (NPM) v2.10.4 (?)
PHP version (eg, 7.4): Docker Image
xxxxxxxxxxx
Hello,
I am running Nextcloud on Docker with NPM (Nginx Proxy Manager) and recently also Authelia. Only Nextcloud is causing me problems.
Until now I had the following in NPM in the “Advanced Tab”:
…and it has worked great so far… but now I had to replace the code with the “Authelia Code”:
Authelia NGINX Custom Config
location /authelia {
internal;
set $upstream_authelia http://authelia:9091/api/verify; #change the IP and Port to match the IP and Port of your Authelia container
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
location / {
set $upstream_nextcloud $forward_scheme://$server:$port;
proxy_pass $upstream_nextcloud;
auth_request /authelia;
auth_request_set $target_url https://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $email $upstream_http_remote_email;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://mydomain.tld/?rd=$target_url; #change this to match your authentication domain/subdomain
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
set_real_ip_from 192.168.1.0/16; #make sure this matches your network setup
real_ip_header CF-Connecting-IP;
real_ip_recursive on;
}
Now I get the following two errors in Nextcloud:
The configuration of the reverse proxy header is incorrect. This is a security problem and can allow an attacker to spoof their IP address so that it is visible to Nextcloud. For more information, see the documentation.
Your webserver does not serve .mjs files using the JavaScript MIME type. This will break some apps by preventing browsers from executing the JavaScript files. You should configure your webserver to serve .mjs files with either the text/javascript or application/javascript MIME type.
Both errors are gone when I replace the “Authelia Code” with my two previous rewrites.
Where do the two rewrite entries have to go?
What about the “.mjs files” and the “javascript MIME Type”?
your request is somewhat unclear. Both task are unrelated AFAIK. the .well-known redirect is related to Nextcloud and should remain in place whether you use Authelia or not. Maybe you should explain details what are trying to achieve and what is the exact problem.
@wwe
Sorry, I’ll explain it again in simple terms:
if i only have the rewrites in the nginx config everything is great, nextcloud doesn’t show me any errors.
However, if I add the authelia config, let’s say under the rewrites, then I get the two errors mentioned in Nextcloud.
You are right, the rewrites have nothing to do with the errors in nextcloud and still work, I can see that now.
so the rewrites work. but the authelia code triggers the two errors, and my goal is to get rid of these errors.
I still don’t fully understand. does it mean you host both Authelia and Nextcloud behind one reverse proxy using one domain? and if you change location / which worked before there are problems?
I’m not a pro with Nginx but for me the config looks somewhat you try implement reverse proxy pass-through authentication is it the case?
as I said, if I set the rewrites in nginx and authelia is therefore irrelevant, everything works. if I put the authelia config into nginx as shown above, I get the errors just mentioned
i have rebuilt my setup according to the exact authelia instructions. i get exactly the same error.
include /snippets/authelia-location.conf;
location / {
include /snippets/proxy.conf;
include /snippets/authelia-authrequest.conf;
proxy_pass $forward_scheme://$server:$port;
}
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
# error_page 401 =302 https://auth.example.com/?rd=$target_url;
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
# error_page 401 =302 https://auth.example.com/?rd=$target_url;
–
I have the following error messages in Nextcloud:
Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.
Your webserver does not serve .mjs files using the JavaScript MIME type. This will break some apps by preventing browsers from executing the JavaScript files. You should configure your webserver to serve .mjs files with either the text/javascript or application/javascript MIME type.
The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. For more details see the documentation .
Your web server is not properly set up to resolve .well-known URLs, failed on: /.well-known/webfinger For more details see the documentation .
Some headers are not set correctly on your instance - The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The X-Frame-Options HTTP header is not set to sameorigin. Some features might not work correctly, as it is recommended to adjust this setting accordingly. - The X-Permitted-Cross-Domain-Policies HTTP header is not set to none. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. For more details see the documentation .
If I delete the nginx config above so that the field is empty, I don’t have a single error in nextcloud.
What do I have to change to be able to use Authelia with Nextcloud via Nginx? Why do these errors occur in Nextcloud?
Thanks for any answer!
I think I have found at least part of the problem:
After some “test-and-try” I have found the problem, at least in part. It is due to the “authelia-authrequest.conf”.
I removed the “include” link to the “authelia-authrequest.conf” in the NGINX entry (see previous message), and yess, the error messages in Nextcloud are reduced to one:
The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. For more details see the documentation .
Unfortunately, removing this code ensures that I can see Nextcloud even without authentication in Authelia = Authelia becomes useless.
But the error seems to be in this file… but where?
.