Problem with nextcloud in subfolder on private server and tokens

Nextcloud version 17.0.1.
Operating system: Gentoo amd64.
Apache 2.4.41.
PHP version 7.3.

Many errors in the Apache logs when connecting with the client using a token.
Regardless of the errors in the Apache logs, sync works.
If I understand the Apache logs correctly, the client makes a request, the request somehow changes (the URL “/nextcloud/remote.php/dav/files/Nemos/” transforms to “/dav/files/Nemos/”), and the Apache config denies access to this URL (location) for the Nextcloud user with the Nextcloud token.
I have a similar problem with Nextcloud Talk: the URL transforms from “nextcloud/ocs/v2.php/apps/spreed/api/v1/room” to “/apps/spreed/api/v1/room”.

Steps to replicate it:

  1. Install Nextcloud on a server where only the nextcloud subfolder does not use Apache authorization.
  2. Connect to the server with the client using a token.

No errors are logged in Nextcloud.

apache config (for nextcloud)

<Directory "/var/www/nemosweb/htdocs/nextcloud/">
        Require         all granted
        Options         FollowSymlinks MultiViews
        AllowOverride   All

        SetEnv          HOME            /var/www/nemosweb/htdocs/nextcloud/
        SetEnv          HTTP_HOME       /var/www/nemosweb/htdocs/nextcloud/

        <IfModule mod_dav.c>
                Dav     off
        </IfModule>
</Directory>

Redirect            301 /.well-known/carddav /nextcloud/remote.php/dav
Redirect            301 /.well-known/caldav  /nextcloud/remote.php/dav

<IfModule mod_headers.c>
    Header          always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

config.php

<?php
$CONFIG = array (
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nemosweb.*.*',
  ),
  'datadirectory' => '/var/www/nemosweb/htdocs/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '17.0.1.1',
  'overwrite.cli.url' => 'https://localhost/nextcloud',
  'overwritewebroot' => '/nextcloud',
  'htaccess.RewriteBase' => '/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_server',
  'dbpassword' => '',
  'installed' => true,
  'integrity.check.disabled' => true,
  'maintenance' => false,
  'updater.release.channel' => 'stable',
  'theme' => '',
  'loglevel' => 2,
);

from apache ssl_error_log

[Fri Nov 22 13:59:43.073575 2019] [auth_basic:error] [pid 7291:tid 140503941113600] [client *.*.*.*:56396] AH01618: user Nemos not found: /dav/files/Nemos/

from apache ssl_access_log

*.*.*.* - Nemos [22/Nov/2019:13:59:43 +0300] "PROPFIND /nextcloud/remote.php/dav/files/Nemos/ HTTP/1.1" 207 382
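Added example (not from the original post or from Nextcloud itself): a small Python script that checks whether an auth_basic error and an access-log entry refer to the same request, by matching client address and timestamp and then comparing the rejected URI with the PATH_INFO part of the original request. The log lines are constructed from the two entries quoted above, with 192.0.2.10 in place of the masked client address; the test that the error-log URI equals the part of the request URI after remote.php is an assumption of the script, not something established in this thread.

```python
"""Correlate Apache auth_basic AH01618 errors with access-log requests."""
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the two entries quoted in the post.
# 192.0.2.10 is a documentation address standing in for the masked client IP.
ACCESS_LOG = """\
192.0.2.10 - Nemos [22/Nov/2019:13:59:43 +0300] "PROPFIND /nextcloud/remote.php/dav/files/Nemos/ HTTP/1.1" 207 382
192.0.2.10 - - [22/Nov/2019:13:59:48 +0300] "GET /nextcloud/status.php HTTP/1.1" 200 205
"""

ERROR_LOG = """\
[Fri Nov 22 13:59:43.073575 2019] [auth_basic:error] [pid 7291:tid 140503941113600] [client 192.0.2.10:56396] AH01618: user Nemos not found: /dav/files/Nemos/
[Fri Nov 22 13:59:48.101000 2019] [mpm_event:notice] [pid 7291:tid 140503941113600] AH00489: Apache/2.4.41 configured
"""

# Combined/common log format: client, ident, user, [timestamp], "METHOD URI PROTO", status
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Only AH01618 ("user X not found") from mod_auth_basic is of interest here.
# The client field is assumed to be IPv4 (an IPv6 client would contain colons).
ERROR_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ (?P<year>\d{4})\] '
    r'\[auth_basic:error\] .*?\[client (?P<client>[^:\]]+):\d+\] '
    r'AH01618: user (?P<user>\S+) not found: (?P<uri>\S+)'
)


def parse_access(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # The error log carries local wall-clock time without an offset, so the
    # "+0300" is dropped and both sides are compared as naive local timestamps.
    ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return {"client": m["client"], "user": m["user"], "ts": ts,
            "method": m["method"], "uri": m["uri"], "status": int(m["status"])}


def parse_error(line):
    """Return a dict for one AH01618 error-log line, or None for anything else."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"client": m["client"], "user": m["user"], "ts": ts, "uri": m["uri"]}


def correlate(access_text, error_text, window=timedelta(seconds=1)):
    """Pair each auth_basic error with access-log requests from the same client
    within `window`, and flag whether the rejected URI is the PATH_INFO of the
    request (the part after remote.php) rather than a separate request."""
    accesses = [a for a in (parse_access(l) for l in access_text.splitlines()) if a]
    results = []
    for line in error_text.splitlines():
        err = parse_error(line)
        if not err:
            continue
        for acc in accesses:
            if acc["client"] != err["client"] or abs(acc["ts"] - err["ts"]) > window:
                continue
            path_info = acc["uri"].partition("remote.php")[2]
            results.append({
                "method": acc["method"],
                "request_uri": acc["uri"],
                "status": acc["status"],
                "access_user": acc["user"],
                "error_user": err["user"],
                "error_uri": err["uri"],
                "is_path_info": path_info == err["uri"],
            })
    return results


if __name__ == "__main__":
    for r in correlate(ACCESS_LOG, ERROR_LOG):
        print(f"{r['method']} {r['request_uri']} -> {r['status']}; "
              f"auth_basic rejected '{r['error_uri']}' for user {r['error_user']}; "
              f"PATH_INFO of the same request: {r['is_path_info']}")
```

Run against real files by replacing the two constructed strings with the contents of ssl_access_log and ssl_error_log; a result with a 2xx status and `is_path_info` true means the access log and the error log are describing one request, not two.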

I haven’t experienced the described behavior yet on my server, but I had a look at your configuration file and the setting of the “overwrite.cli.url” parameter attracted my attention. I would recommend using the FQDN of your server instead of “localhost” to prevent any possible access problems.

Additionally, you’ve set 'htaccess.RewriteBase' => '/nextcloud', in your configuration. From what I understood, this parameter should only allow getting rid of the index.php part of the URL.

If you’ve installed Nextcloud in a subdirectory called “/nextcloud”, you would normally access it using a URL like “https://<fqdn>/nextcloud/index.php/apps/...”. By setting the value of this parameter to “/”, the URL would change to “https://<fqdn>/nextcloud/apps/...”.

You’ve set the value to “/nextcloud”, which could lead to a URL like “https://<fqdn>/nextcloud/nextcloud/apps/...” and could cause unexpected problems. I have to admit that I haven’t cross-checked it, but this is how I understand the function of the parameter.

As you suggested, I changed overwrite.cli.url.
I don’t understand what I must set htaccess.RewriteBase to.
If I comment out this line in the config and regenerate .htaccess (by occ), this error stays.
If I understand correctly, somehow the external request

/nextcloud/remote.php/dav/files/Nemos/

transforms to

/dav/files/Nemos/

The Apache config (by Location directive) allows only valid-user, except for location /nextcloud.
Logins on the server are different from the Nextcloud ones, and because of that the request is declined.

P.S.
As a temporary solution I run an additional Apache server on another port, leave only Nextcloud there (in a subfolder) and disable the access restriction.

By default there is no requirement to set the parameter, unless you want to get rid of the index.php in the URL. In this case the recommended setting in the administrator guide is “/”.
Make sure that you’ve run occ maintenance:update:htaccess afterwards, as described in the parameter description.

I don’t know what exactly you’re doing with the redirect rules in your Apache configuration, but I would expect that the existing rewrite rules in the .htaccess file should do the job on their own.
None of these rules in the .htaccess file have any “/nextcloud” in front of the path. They look like this in my configuration:

  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]

BTW, I cannot find any log entries with “/dav/files/...” in them. All of them are similar to this: “PROPFIND /remote.php/dav/files/...”. I assume that you’re doing too much rewriting somehow.

Yes, I ran occ maintenance:update:htaccess after I commented out htaccess.RewriteBase in the config.
Here is the new .htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Download-Options "noopen"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/

and config.php:

<?php
$CONFIG = array (
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nemosweb.*.*',
  ),
  'datadirectory' => '/var/www/nemosweb/htdocs/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '17.0.1.1',
  'overwrite.cli.url' => 'https://nemosweb.*.*:81/nextcloud',
  'overwritewebroot' => '/nextcloud',
//  'htaccess.RewriteBase' => '/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_server',
  'dbpassword' => '',
  'installed' => true,
  'integrity.check.disabled' => true,
  'maintenance' => false,
  'updater.release.channel' => 'stable',
  'theme' => '',
  'loglevel' => 2,
);

Currently only the Nextcloud client is running, and all files are synced. I don’t do anything with local files.
But according to the Apache logs, a request is coming in every 5 seconds.