Nextcloud with Nginx Proxy Manager - Client denied by server configuration and 503

Nextcloud version (eg, 29.0.5): 29.0.0
Operating system and version (eg, Ubuntu 29.04): Debian 6.1
Apache or nginx version (eg, Apache 2.4.25): Apache (nextcloud docker image)
PHP version (eg, 8.3): 8.2.19

The issue you are facing:
I can use Nextcloud in the browser in general but have a few issues. I can’t create an app password because of a 503 error.
[31/May/2024:11:44:37 +0000] "POST /settings/personal/authtokens HTTP/1.1" 503 784 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"

Then I have a lot of errors like this:

[Fri May 31 01:04:03.840325 2024] [access_compat:error] [pid 567] [client 213.232.87.234:0] AH01797: client denied by server configuration: /var/www/html/config/production.json
[Fri May 31 01:04:03.853117 2024] [access_compat:error] [pid 80] [client 213.232.87.234:0] AH01797: client denied by server configuration: /var/www/html/config/database.php
[Fri May 31 01:04:06.538128 2024] [authz_core:error] [pid 573] [client 213.232.87.234:0] AH01630: client denied by server configuration: /var/www/html/server-status
[Fri May 31 11:51:13.302964 2024] [access_compat:error] [pid 581] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
[Fri May 31 11:51:14.220067 2024] [access_compat:error] [pid 75] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
[Fri May 31 11:51:15.106011 2024] [access_compat:error] [pid 566] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata

Is this the first time you’ve seen this error? (Y/N): Yes, it’s a fresh Docker Container behind Nginx Proxy Manager.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"avoRr1Srg4sVCf0pCr2V","level":3,"time":"2024-05-29T21:50:35+00:00","remoteAddr":"xx.xxx.xx.xxx","user":"--","app":"PHP","method":"GET","url":"/","message":"fopen(/var/www/html/config/config.php): Failed to open stream: No such file or directory at /var/www/html/lib/private/Config.php#225","userAgent":"Go-http-client/1.1","version":"","data":{"app":"PHP"}}
{"reqId":"F6569FGYVtngtOSGhxbL","level":3,"time":"2024-05-29T21:51:17+00:00","remoteAddr":"Axx.xxx.xx.xxx","user":"user","app":"index","method":"GET","url":"/apps/theming/favicon?v=d5859b82","message":"Could not get appdata folder for theming","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.0.19","exception":{"Exception":"RuntimeException","Message":"Could not get appdata folder for theming","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Files/AppData/AppData.php","line":147,"function":"getAppDataFolder","class":"OC\\Files\\AppData\\AppData","type":"->","args":[]},{"file":"/var/www/html/apps/theming/lib/ImageManager.php","line":367,"function":"newFolder","class":"OC\\Files\\AppData\\AppData","type":"->","args":["global"]},{"file":"/var/www/html/apps/theming/lib/ImageManager.php","line":101,"function":"getRootFolder","class":"OCA\\Theming\\ImageManager","type":"->","args":[]},{"file":"/var/www/html/apps/theming/lib/Controller/IconController.php","line":131,"function":"getImage","class":"OCA\\Theming\\ImageManager","type":"->","args":["favicon",false]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"getFavicon","class":"OCA\\Theming\\Controller\\IconController","type":"->","args":["core"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Theming\\Controller\\IconController"],"getFavicon"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Theming\\Controller\\IconController"],"getFavicon"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":338,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Theming\\Controller\\IconController","getFavicon",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["core","theming.icon.getfavicon"]]},{"file":"/var/www/html/lib/base.php","line":1050,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/theming/favicon"]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Files/AppData/AppData.php","Line":108,"message":"Could not get appdata folder for theming","exception":{},"CustomMessage":"Could not get appdata folder for theming"}}
{"reqId":"K4mdJRXTZOX9m8SH7nsy","level":3,"time":"2024-05-29T21:51:39+00:00","remoteAddr":"xx.xxx.xx.xxx","user":"user","app":"index","method":"GET","url":"/core/preview?fileId=40&x=250&y=250","message":"Could not get appdata folder for preview","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.0.19","exception":{"Exception":"RuntimeException","Message":"Could not get appdata folder for preview","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Files/AppData/AppData.php","line":147,"function":"getAppDataFolder","class":"OC\\Files\\AppData\\AppData","type":"->","args":[]},{"file":"/var/www/html/lib/private/Preview/Storage/Root.php","line":74,"function":"newFolder","class":"OC\\Files\\AppData\\AppData","type":"->","args":["d/6/4/5/9/2/0/40"]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":607,"function":"newFolder","class":"OC\\Preview\\Storage\\Root","type":"->","args":["40"]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":133,"function":"getPreviewFolder","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\Node\\File"]]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":110,"function":"generatePreviews","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\Node\\File"],[[250,250,true,"fill"]],"application/vnd.oasis.opendocument.spreadsheet"]},{"file":"/var/www/html/lib/private/PreviewManager.php","line":187,"function":"getPreview","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\Node\\File"],250,250,true,"fill",null]},{"file":"/var/www/html/core/Controller/PreviewController.php","line":174,"function":"getPreview","class":"OC\\PreviewManager","type":"->","args":[["OC\\Files\\Node\\File"],250,250,true,"fill"]},{"file":"/var/www/html/core/Controller/PreviewController.php","line":142,"function":"fetchPreview","class":"OC\\Core\\Controller\\PreviewController","type":"->","args":[["OC\\Files\\Node\\File"],250,250,false,true,"fill",false]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"getPreviewByFileId","class":"OC\\Core\\Controller\\PreviewController","type":"->","args":[40,250,250,false,true,"fill",false]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OC\\Core\\Controller\\PreviewController"],"getPreviewByFileId"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OC\\Core\\Controller\\PreviewController"],"getPreviewByFileId"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":338,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\PreviewController","getPreviewByFileId",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["core.preview.getpreviewbyfileid"]]},{"file":"/var/www/html/lib/base.php","line":1050,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/core/preview"]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Files/AppData/AppData.php","Line":108,"message":"Could not get appdata folder for preview","exception":{},"CustomMessage":"Could not get appdata folder for preview"}}
{"reqId":"NKCr4gpomM5hRUYlvsmN","level":3,"time":"2024-05-29T22:30:12+00:00","remoteAddr":"xx.xxx.xx.xxx","user":"user","app":"no app in context","method":"GET","url":"/index.php/apps/files/preview-service-worker.js","message":"App encryption threw an error during app.php load: \"encryption-generateSharedKey\"(\"Encryption: shared key generation\") is locked","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.0.19","exception":{"Exception":"OCP\\Lock\\LockedException","Message":"\"encryption-generateSharedKey\"(\"Encryption: shared key generation\") is locked","Code":0,"Trace":[{"file":"/var/www/html/apps/encryption/lib/KeyManager.php","line":98,"function":"acquireLock","class":"OC\\Lock\\DBLockingProvider","type":"->","args":["encryption-generateSharedKey",2,"Encryption: shared key generation"]},{"file":"/var/www/html/apps/encryption/lib/Users/Setup.php","line":62,"function":"validateShareKey","class":"OCA\\Encryption\\KeyManager","type":"->","args":[]},{"file":"/var/www/html/apps/encryption/lib/AppInfo/Application.php","line":56,"function":"setupSystem","class":"OCA\\Encryption\\Users\\Setup","type":"->","args":[]},{"file":"/var/www/html/apps/encryption/appinfo/app.php","line":37,"function":"setUp","class":"OCA\\Encryption\\AppInfo\\Application","type":"->","args":[["OC\\Encryption\\Manager"]]},{"file":"/var/www/html/lib/private/App/AppManager.php","line":525,"args":["/var/www/html/apps/encryption/appinfo/app.php"],"function":"require_once"},{"file":"/var/www/html/lib/private/App/AppManager.php","line":416,"function":"requireAppFile","class":"OC\\App\\AppManager","type":"::","args":[["OCA\\Encryption\\AppInfo\\Application"]]},{"file":"/var/www/html/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["encryption"]},{"file":"/var/www/html/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[[]]},{"file":"/var/www/html/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Lock/DBLockingProvider.php","Line":160,"message":"App encryption threw an error during app.php load: \"encryption-generateSharedKey\"(\"Encryption: shared key generation\") is locked","exception":{},"CustomMessage":"App encryption threw an error during app.php load: \"encryption-generateSharedKey\"(\"Encryption: shared key generation\") is locked"}}
{"reqId":"C5KVI5YySVYfhxHaHYI6","level":3,"time":"2024-05-29T22:37:33+00:00","remoteAddr":"xx.xxx.xx.xxx","user":"user","app":"jsresourceloader","method":"GET","url":"/settings/user/sync-clients","message":"Could not find resource firstrunwizard/js/personalsettings.js to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.0.19","data":{"app":"jsresourceloader"}}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'upgrade.disable-web' => true,
  'instanceid' => 'oc4n1kn0zfmo',
  'passwordsalt' => 'secret',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'nc.mydomain.dev',
  ),
  'trusted_proxies' =>
  array (
    0 => '213.232.87.234',
    1 => '172.18.0.1',
  ),
  'overwritehost' => 'nc.mydomain.dev',
  'overwritecondaddr' => '^172\.18\.0\.1$',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '29.0.0.19',
  'overwrite.cli.url' => 'https://nc.mydomain.dev',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud-db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'secret',
  'installed' => true,
  'maintenance_window_start' => 1,
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
);


The output of your Apache/nginx/system log in /var/log/____:

ak@myserver:~/docker/nextcloud/app/config$ docker logs nextcloud-app | grep "error"
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.23.0.3. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.23.0.3. Set the 'ServerName' directive globally to suppress this message
[Fri May 31 12:06:24.302573 2024] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.59 (Debian) PHP/8.2.19 configured -- resuming normal operations
[Fri May 31 12:06:24.302619 2024] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
[Fri May 31 12:06:34.620369 2024] [access_compat:error] [pid 41] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
[Fri May 31 12:06:35.562656 2024] [access_compat:error] [pid 39] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata
[Fri May 31 12:06:36.459282 2024] [access_compat:error] [pid 44] [client 172.18.0.1:0] AH01797: client denied by server configuration: /var/www/html/data/.ocdata

In the “Advanced” tab in Nginx Proxy Manager I have:

location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}

Screenshot of the warnings in Nextcloud Admin:

    Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead. Without it some important web functionality like "copy to clipboard" or "service workers" will not work! For more information, see the documentation ↗.

    Your web server is not properly set up to resolve `.well-known` URLs, failed on: `/.well-known/caldav` For more information, see the documentation ↗.

EDIT:

Here’s my docker-compose.yml:

services:
  db:
    image: mariadb:11.3
    container_name: nextcloud-db
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - ./db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=rjngrexample
      - MYSQL_PASSWORD=example94gh243978hgf2438ggg
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      - nextcloud

  app:
    image: nextcloud
    container_name: nextcloud-app
    restart: unless-stopped
    volumes:
      - ./app:/var/www/html
    environment:
      - MYSQL_PASSWORD=89324r482exampleggg
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=nextcloud-db
      - PHP_MEMORY_LIMIT=1G
      - PHP_UPLOAD_LIMIT=1G
      - NEXTCLOUD_TRUSTED_DOMAINS=nc.mydomain.dev
      #- TRUSTED_PROXIES=172.19.0.1
      #- APACHE_DISABLE_REWRITE_IP=1
    depends_on:
      - db
    networks:
      - nextcloud
      - nginx-proxy-manager_default

networks:
  nextcloud:
  nginx-proxy-manager_default:
    external: true

On your underlying host do you have a config file located at ./apps/config/config.php? And, if so, what do the file ownership and permissions look like?

Essentially you have all the indications of a permissions/ownership problem for your /var/www/html folder in the container. Since you’re using bind mounts, you’re responsible for handling all the permissions/ownership matters within your host’s ./app folder. You should review that folder and its sub-directories and files.

Thank you. I really had permission errors. I changed my docker-compose.yml file to use docker volumes. I can create an app password now but I still have the same warnings in the admin console.

What is 213.232.87.234? If you connect via it, your current config says to ignore all your overwrite* values. Is that really what you want?

I don’t know what I want except Nextcloud should work. :smiley: This IP is the public external IP of the server.

Check your browser console and under the Network tab see which transactions are going via HTTP rather than HTTPS.

I only see some images loaded over HTTP.

Example:
/apps/firstrunwizard/img/apps/recognize.svg

There are some more but all of them are in the same directory.

It looks like you may have originally installed with APACHE_DISABLE_REWRITE_IP set so you’ll be entirely reliant on getting your trusted proxies and overwrite rules correct (which is fine).

  • Remove 0 => '213.232.87.234', from trusted_proxies
  • Remove this line too: 'overwritecondaddr' => '^172\.18\.0\.1$',
  • In your container, manually run the command a2enconf remoteip to restore the Apache rewrite stuff.

Then either wait 60 seconds or restart your container and retest.
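
A simplified Python model of how `overwritecondaddr` gates the `overwrite*` values, using the values from the config.php posted earlier (an added example, not part of the original thread and not Nextcloud's own code). Assumptions: the request headers are constructed, and `trusted_proxies` is matched by exact IP only.

```python
import re

# Values copied from the config.php posted in the thread.
ORIGINAL = {
    "trusted_proxies": ["213.232.87.234", "172.18.0.1"],
    "overwritehost": "nc.mydomain.dev",
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^172\.18\.0\.1$",
}
# After the suggested change: overwritecondaddr removed, public IP no longer trusted.
FIXED = {k: v for k, v in ORIGINAL.items() if k != "overwritecondaddr"}
FIXED["trusted_proxies"] = ["172.18.0.1"]


def overwrite_applies(config, remote_addr):
    """overwrite* values apply when overwritecondaddr is unset or matches REMOTE_ADDR."""
    pattern = config.get("overwritecondaddr", "")
    return pattern == "" or re.search(pattern, remote_addr) is not None


def effective_base_url(config, remote_addr, headers):
    """Return the scheme://host this model would use when generating links."""
    applies = overwrite_applies(config, remote_addr)
    # Assumption: exact-match only; real deployments may also list CIDR ranges.
    trusted = remote_addr in config.get("trusted_proxies", [])

    if applies and config.get("overwriteprotocol"):
        scheme = config["overwriteprotocol"]
    elif trusted and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"].split(",")[0].strip().lower()
    else:
        scheme = "http"  # the proxy-to-container hop itself is plain HTTP

    if applies and config.get("overwritehost"):
        host = config["overwritehost"]
    elif trusted and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"].split(",")[0].strip()
    else:
        host = headers.get("Host", "")
    return f"{scheme}://{host}"


def audit(config, remote_addrs, headers):
    """Map each REMOTE_ADDR to the base URL the model produces for it."""
    return {addr: effective_base_url(config, addr, headers) for addr in remote_addrs}


# Constructed input: the two client addresses seen in the Apache log above, and
# a proxied request that carries a Host header but no X-Forwarded-Proto.
SEEN = ["172.18.0.1", "213.232.87.234"]
HOP_HEADERS = {"Host": "nc.mydomain.dev"}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for addr, url in audit(cfg, SEEN, HOP_HEADERS).items():
            print(f"{name:8} {addr:15} -> {url}")
```

With the original settings, only requests whose `REMOTE_ADDR` is 172.18.0.1 get the forced `https` scheme and host; without `overwritecondaddr` the overwrite values apply to every request.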

Thank you very much! I have no warnings anymore.
