Hi all.
Have a latest NX server behind Nginx proxy.
To be clear I am able to connect to the server using WEB UI, WebDAV apps and some other NX applications like sms, contacts etc. Desktop client works fine.
So the main issue is with official NX Android client (both play apk and standalone apk). When I connect with android client and go to User\Pass direction Grant Access button can be pressed and it shows spinning circle. I can see some token exchange in both proxy and main sever logs but client never being able to create an account on android device.
If I select Login with token, the button Grant Access does nothing. It can’t be pressed.
I’ve seen several solutions,m but non woks for me.
my config.php
<?php
$CONFIG = array (
'instanceid' => 'ID',
'passwordsalt' => 'salt',
'secret' => 'secret',
'trusted_domains' =>
array (
0 => nextcloud.com',
1 => '10.0.0.1',
2 => '127.0.0.1',
),
'datadirectory' => '/nx-storage',
'dbtype' => 'mysql',
'version' => '18.0.7.1',
'overwritehost' => 'nextcloud.com',
'overwrite.cli.url' => 'https://nextcloud.com:443',
'overwriteprotocol' => 'https',
'dbname' => 'dbname',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'dbuser',
'dbpassword' => 'PA$$W0RD',
'installed' => true,
'maintenance' => false,
'app_install_overwrite' =>
array (
0 => 'files_external_gdrive',
),
'theme' => '',
'loglevel' => 2,
'logfile' => '/var/log/nextcloud.log',
'log_rotate_size' => 100 * 1024 * 1024,
'log.condition' =>
array (
'apps' =>
array (
0 => 'admin_audit',
),
),
'debug' => false,
'trusted_proxies' => '10.0.0.1',
'twofactor_enforced' => 'true',
'twofactor_enforced_groups' =>
array (
0 => 'admin',
),
'twofactor_enforced_excluded_groups' =>
array (
),
'app.mail.verify-tls-peer' => true,
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => 'admin',
'mail_domain' => 'nextcloud.com',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'smtp.mail.com',
'mail_smtpport' => '587',
'mail_smtpname' => 'admin@nextcloud.com',
'mail_smtppassword' => 'PA$$W0RD',
);
my proxy config
server {
listen :80;
listen []:80;
server_name nextcloud.com;
fastcgi_hide_header X-Powered-By;
return 301 https://$server_name$request_uri;
}
server {
listen 68.183.66.106:4443 ssl;
server_name nextcloud.com;
fastcgi_hide_header X-Powered-By;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 0;
underscores_in_headers on;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/letsencrypt/live/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8;
location / {
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
#proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Front-End-Https on;
# whatever the IP of your cloud server is
proxy_pass http://10.0.0.2;
}
}
my server config is
upstream php-handler {
server unix:/var/run/php/php-fpm.sock;
}
server {
listen 10.0.0.2:80;
server_name nextcloud.com;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /www/html/nextcloud;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 https://nextcloud.com:4443/remote.php/dav;
}
location = /.well-known/caldav {
return 301 https://nextcloud.com:4443/remote.php/dav;
}
location = /.well-known/nodeinfo {
return 301 https://nextcloud.com:4443/public.php?service=nodeinfo;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_http_version 1.0;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
Hope that there is a light at the end. The most annoying for me is that I can’t use Notes right now.