Reverse Proxy and ocm-provider error

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version: 28.0.4
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04 (Odroid XU4)
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.52
PHP version (eg, 7.4): 8.1

The issue you are facing:

After updating Nextcloud (a couple of versions ago) I got the OCM-provider error on the admin page.

Your web server is not properly set up to resolve "/nextcloud/ocm-provider/". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it's documentation page ↗. On Nginx those are typically the lines starting with "location ~" that need an update.

I’ve looked at multiple posts online about modifying the .htaccess file and rewrite rules for Apache but the only thing that removes the error is to create an ocm-provider folder in my nextcloud directory.

I don’t want to have to create this folder after each update to clear the error. I think the reason it is appearing is because I’m accessing nextcloud through an NGINX reverse proxy but I can’t find anything in the documentation that shows how to setup the reverse proxy so this error doesn’t appear.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Update Nextcloud

Here’s my nextcloud config file:

?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.187',
    1 => 'XXXXXXXXX',
    2 => '192.168.1.239',
    3 => 'XXXXXXXXX',
  ),
  'debug' => false,
  'trusted_proxies' =>
  array (
    0 => '192.168.1.239',
    1 => 'XXXXXXXX',
  ),
  'allow_local_remote_servers' => true,
  'overwriteprotocol' => 'https',
  'datadirectory' => '/media/nextcloud/data2',
  'default_phone_region' => 'UK',
  'overwrite.cli.url' => 'https://192.168.1.187/nextcloud',
  'overwritewebroot' => '/nextcloud',
  'auth.bruteforce.protection.enabled' => false,
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXXX',
  'dbpassword' => 'XXXXXXX',
  'installed' => true,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'XXXXXXX',
  'mail_domain' => 'XXXXXXX',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'XXXXXXXXX',
  'mail_smtppassword' => 'XXXXXXXXXX',
  'mail_smtphost' => 'XXXXXXX',
  'mail_smtpport' => '465',
  'theme' => '',
  'loglevel' => 2,
  'updater.release.channel' => 'stable',
  'mysql.utf8mb4' => true,
  'app_install_overwrite' =>
  array (
    0 => 'calendar',
    1 => 'files_external_gdrive',
    2 => 'files_external_onedrive',
  ),
  'onlyoffice' =>
  array (
    'jwt_secret' => 'XXXXXXXX',
    'jwt_header' => 'XXXXXXXX',
  ),
  'data-fingerprint' => 'XXXXXXX',
  'mail_sendmailmode' => 'smtp',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'maintenance_window_start' => 1,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
);

Here’s the Apache config from the nextcloud server:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/html/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>


</VirtualHost>

Here’s the .htaccess file from the nextcloud server:

IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "noindex, nofollow"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite)$">
    <If "%{QUERY_STRING} =~ /(^|&)v=/">
      Header set Cache-Control "max-age=15778463, immutable"
    </If>
    <Else>
      Header set Cache-Control "max-age=15778463"
    </Else>
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
  # Serve ESM javascript files (.mjs) with correct mime type
  AddType text/javascript js mjs
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^/ocm-provider/?$ index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

# Clients like xDavv5 on Android, or Cyberduck, use chunked requests.
# When FastCGI or FPM is used with apache, requests arrive to Nextcloud without any content.
# This leads to the creation of empty files.
# The following directive will force the problematic requests to be buffered before being forwarded to Nextcloud.
# This way, the "Transfer-Encoding" header is removed, the "Content-Length" header is set, and the request content i>
# Here are more information about the issue:
#  - https://docs.cyberduck.io/mountainduck/issues/fastcgi/
#  - https://docs.nextcloud.com/server/latest/admin_manual/issues/general_troubleshooting.html#troubleshooting-webdav
<IfModule setenvif.c>
  <Location "/remote.php">
    SetEnvIf Transfer-Encoding "chunked" proxy-sendcl=1
  </Location>
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /nextcloud/index.php/error/403
ErrorDocument 404 /nextcloud/index.php/error/404

and here’s my reverse proxy config from NGINX (running on a seperate physical server):

limit_req_zone $binary_remote_addr zone=one:10m rate=50r/s;

server {
    root /var/www/html;
    client_max_body_size 2G;
    index index.html index.htm index.nginx-debian.html index.php;

    server_name XXXXXXXX;

    location /.well-known/ {
        allow all;
    }

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/XXXXXXXXX/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/XXXXXXXXXXX/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location /nextcloud/ {
        #index index.php index.html /index.php$request_uri;
        index index.php index.html /nextcloud/index.php$request_uri;
        auth_basic OFF;

        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
#        add_header Strict-Transport-Security "max-age=15552000; " always;

        add_header X-Download-Options "noopen" always;

        proxy_pass http://192.168.1.187/nextcloud/;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Content-Type-Options: nosniff;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100000M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        add_header Front-End-Https on;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
   }

    location ~ ^/(?:updater|ocm-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    location = /.well-known/carddav {
        auth_request /_oauth2_token_introspection;
        return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
    }
    location = /.well-known/caldav {
        auth_request /_oauth2_token_introspection;
        return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
    }


server {
        error_page 401 403 404 /404.html;
}


server {
    if ($host = XXXXXXXXX) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name XXXXXXXXX;
    return 404; # managed by Certbot
}

Hopefully someone can spot an error somewhere or point me in the right direction. As everything on the nextcloud server looks correct but I’m not sure about the reverse proxy side. I’ve tried replacing my NGINX config with the config provided in the documentation and adding in the proxy_pass section but no luck that just gives me a 404 error when trying to access nextcloud.