Running behind Identity-aware proxy?

Hi friends. I’m looking to configure Nextcloud behind Pomerium, an identity aware proxy. Through the web interface, it’s all good: I authenticate using Google as the IdP, and the JWT is passed on to the nextcloud-social-login app to authenticate me as my user.

The problem I’m running into is with the desktop (Linux) and Android clients. The desktop client fails immediately, I’m assuming because the server isn’t returning whatever it needs to assure the client that this is indeed a Nextcloud install.

Pomerium will let me provide unauthenticated passthrough to a path or path prefix. Can I use this to provide access for the client to know it’s a Nextcloud server, without compromising the authentication model?

So I’ve been doing some more digging, and I pulled these logs from the client app:

[OCC::OwncloudSetupWizard::slotSystemProxyLookupDone 	No system proxy set by OS
[OCC::AccessManager::createRequest 	2 "" "https://MYDOMAIN/status.php" has X-Request-ID "REDACTED"
[OCC::AbstractNetworkJob::start 	OCC::CheckServerJob created for "https://MYDOMAIN" + "status.php" "OCC::OwncloudSetupWizard"
[unknown 	connection error: SETTINGS invalid number of concurrent streams
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::ProtocolFailure "SETTINGS invalid number of concurrent streams" QVariant(Invalid)
[OCC::CheckServerJob::finished 	error: status.php replied  0 ""
[OCC::AccessManager::createRequest 	2 "" "https://MY-DOMAIN" has X-Request-ID "REDACTED"
[OCC::AbstractNetworkJob::start 	OCC::SimpleNetworkJob created for "https://MYDOMAIN" + "" "OCC::Account"
[unknown 	stream 1 finished with error: "SETTINGS invalid number of concurrent streams"
[unknown 	connection error: SETTINGS invalid number of concurrent streams
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::ProtocolFailure "SETTINGS invalid number of concurrent streams" QVariant(Invalid)"

I’m not sure if this helps? I’ve googled the QNetworkReply error message, which seems to be tied to HTTP2, which my server is not using.

So months later and I have a brand new setup. Nextcloud is running in Docker. I have my reverse proxy set up to allow unauthenticated access to the server. But I’m still getting invalid number of concurrent streams in my client debug log:

[OCC::AbstractNetworkJob::start 	OCC::CheckServerJob created for "https://MYDOMAIN" + "status.php" "OCC::OwncloudSetupWizard"
[unknown 	connection error: SETTINGS invalid number of concurrent streams
[unknown 	stream 1 finished with error: "SETTINGS invalid number of concurrent streams"
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::ProtocolFailure "SETTINGS invalid number of concurrent streams" QVariant(Invalid)
[OCC::CheckServerJob::finished 	error: status.php replied  0 ""
[OCC::AccessManager::createRequest 	2 "" "https://MYDOMAIN" has X-Request-ID "AN_ID"
[OCC::AbstractNetworkJob::start 	OCC::SimpleNetworkJob created for "https://MYDOMAIN" + "" "OCC::Account"
[unknown 	connection error: SETTINGS invalid number of concurrent streams
[unknown 	stream 1 finished with error: "SETTINGS invalid number of concurrent streams"
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::ProtocolFailure "SETTINGS invalid number of concurrent streams" QVariant(Invalid)
[OCC::AccessManager::createRequest 	2 "" "https://MYDOMAIN/status.php" has X-Request-ID "ANOTHER_ID"
[OCC::AbstractNetworkJob::start 	OCC::CheckServerJob created for "https://MYDOMAIN" + "status.php" "OCC::OwncloudSetupWizard"
[unknown 	connection error: SETTINGS invalid number of concurrent streams
[unknown 	stream 1 finished with error: "SETTINGS invalid number of concurrent streams"
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::ProtocolFailure "SETTINGS invalid number of concurrent streams" QVariant(Invalid)
[OCC::CheckServerJob::finished 	error: status.php replied  0 ""

I can access status.php directly just fine:

❯ curl https://MYDOMAIN/status.php
{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"22.2.0.2","versionstring":"22.2.0","edition":"","productname":"Nextcloud","extendedSupport":false}%
❯ curl -I https://MYDOMAIN/status.php
HTTP/2 200 
date: Fri, 12 Nov 2021 16:48:12 GMT
server: envoy
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-powered-by: PHP/8.0.12
set-cookie: COOKIE_ID=COOKIE; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=A_PASSPHRASE

To be clear, I can access Nextcloud in the browser with SSL from the proxy just fine. It’s only the desktop app that’s not working.

Another fun tidbit: The android client works fine. I discovered that I was running an older version of the desktop client (2.6?), so I downloaded the latest app image from Nextcloud and ran that, but with no change to the issue.

Other potentially useful info: My proxy is allowing SPDY and websockets just to be safe, and overwrite.cli.url is set to match the public-facing domain.

At this point I’m pretty much talking to myself, but maybe this will help someone else in the future.

The AppImage client provided by the Nextcloud site (https://github.com/nextcloud/desktop/releases/download/v3.3.6/Nextcloud-3.3.6-x86_64.AppImage) suffered from the same “invalid number of concurrent streams” problem, but the flatpak version does not, and works fine, at least when the proxy server is running without authentication. I’ll test the Windows and Mac clients, then try using the proxy with authentication.

And instead of further updates, I’ll just edit this post, and mark it as “Solved” once I’ve figured out what you can and can’t do with Nextcloud clients while using a reverse proxy.
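The client log lines in this thread are HTTP/2 connection-preface failures: the desktop client's HTTP/2 implementation rejected a value in a SETTINGS frame it received, and the `curl -I` output shows the proxy (Envoy) does answer over HTTP/2. A quick way to see what the proxy actually advertises is to open a TLS connection with ALPN `h2`, send the client preface and decode the first SETTINGS frame, so the value of MAX_CONCURRENT_STREAMS can be compared against what a given client version accepts. The script below is an added example, not code from the thread or from Nextcloud/Pomerium; it follows RFC 7540 framing, the embedded sample frame is constructed for the self-test, and the hostname placeholder MYDOMAIN and the assumption that the proxy negotiates h2 on port 443 are mine.

```python
import socket
import ssl
import struct

# HTTP/2 (RFC 7540) constants used below.
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_NAMES = {
    0x1: "HEADER_TABLE_SIZE",
    0x2: "ENABLE_PUSH",
    0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE",
    0x5: "MAX_FRAME_SIZE",
    0x6: "MAX_HEADER_LIST_SIZE",
}
SETTINGS_IDS = {name: ident for ident, name in SETTINGS_NAMES.items()}

# Constructed sample (not a real capture): one server SETTINGS frame, length 18,
# type 4, flags 0, stream 0, advertising MAX_CONCURRENT_STREAMS=2^31-1,
# INITIAL_WINDOW_SIZE=65535 and MAX_FRAME_SIZE=16777215.
SAMPLE_SERVER_SETTINGS = bytes.fromhex(
    "000012040000000000" "00037fffffff" "00040000ffff" "000500ffffff"
)


def parse_frames(buf):
    """Split raw HTTP/2 bytes into (type, flags, stream_id, payload) tuples.
    Stops at the first incomplete frame and returns what was parsed so far."""
    frames = []
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack("!I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def parse_settings(payload):
    """Decode a SETTINGS payload (16-bit identifier + 32-bit value, repeated)."""
    if len(payload) % 6 != 0:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    settings = {}
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[SETTINGS_NAMES.get(ident, f"UNKNOWN_{ident:#06x}")] = value
    return settings


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame on stream 0 from a {name: value} dict."""
    payload = b"".join(struct.pack("!HI", SETTINGS_IDS[n], v) for n, v in settings.items())
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, FLAG_ACK if ack else 0])
    return header + struct.pack("!I", 0) + payload


def max_streams_verdict(settings):
    """Describe the advertised MAX_CONCURRENT_STREAMS for a human reader."""
    value = settings.get("MAX_CONCURRENT_STREAMS")
    if value is None:
        return "absent (RFC 7540 default: no limit)"
    if value == 0:
        return "0 (the peer may open no streams at all)"
    return f"{value} (compare with what the failing client version accepts)"


def fetch_server_settings(host, port=443, timeout=5.0):
    """Negotiate h2 via ALPN, send the client preface and return the server's
    first non-ACK SETTINGS frame, or None if h2 was not negotiated."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if tls.selected_alpn_protocol() != "h2":
                return None
            tls.sendall(CONNECTION_PREFACE + build_settings_frame({}))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    return None
                buf += chunk
                for ftype, flags, _sid, payload in parse_frames(buf):
                    if ftype == FRAME_TYPE_SETTINGS and not flags & FLAG_ACK:
                        return parse_settings(payload)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "MYDOMAIN"  # placeholder as in the thread
    settings = fetch_server_settings(host)
    if settings is None:
        print("server did not negotiate h2 over ALPN")
    else:
        for name, value in settings.items():
            print(f"{name} = {value}")
        print("MAX_CONCURRENT_STREAMS:", max_streams_verdict(settings))
```

Run it as `python3 h2settings.py MYDOMAIN` against the proxy; if the reported MAX_CONCURRENT_STREAMS differs between the proxy and a backend the client does talk to successfully, that is the setting to adjust on the proxy (or the client build to replace), rather than anything in Nextcloud's own configuration.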