Supporting multiple domains (problems with webfinger et al)

I have a Nextcloud installation (Nextcloud 28.0.4) and it’s configured with several domains. But I see different behaviour on the webfinger, nodeinfo, caldav, carddav, ocm-provider, ocs-provider services. Can’t figure out why.

Nextcloud version (eg, 20.0.5): 28.0.4
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04.4 LTS (Jammy Jellyfish)
Apache or nginx version (eg, Apache 2.4.25): lighttpd/1.4.63
PHP version (eg, 7.4): PHP 8.1.2

The issue you are facing:

I have in my config.php multiple trusted_domains. The issue I observe most are aliases, but two have distinct audiences, and these I am checking because of issues with one audience.

So for our purposes I have something like:

  'trusted_domains' =>
  array (
    0 => 'org1.net',
    1 => 'org2.net',
  ),

Now org1 works fine, no issues. But on org2, when I go to Administration settings I see my old friends:

    Your web server is not properly set up to resolve "/ocm-provider/". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it's documentation page ↗. On Nginx those are typically the lines starting with "location ~" that need an update.
    Your web server is not properly set up to resolve "/ocs-provider/". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it's documentation page ↗. On Nginx those are typically the lines starting with "location ~" that need an update.
    70 errors in the logs since 31 March 2024

    Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation ↗.

Now these are all configured fine in the webserver and I can demonstrate this with curl:

$ curl -I https://org1.net/.well-known/webfinger
HTTP/2 301 
location: https://org1.net/index.php/.well-known/webfinger
date: Sun, 07 Apr 2024 13:05:48 GMT
server: lighttpd/1.4.63

$ curl -I https://org2.net/.well-known/webfinger
HTTP/2 301 
location: http://org2.net/index.php/.well-known/webfinger
date: Sun, 07 Apr 2024 13:06:16 GMT
server: lighttpd/1.4.63

I can follow the redirects, which does reveal something odd I should diagnose and fix, but unlikely related:

$ curl -IL https://org1.net/.well-known/webfinger
HTTP/2 301 
location: https://org1.net/index.php/.well-known/webfinger
date: Sun, 07 Apr 2024 13:23:04 GMT
server: lighttpd/1.4.63

HTTP/2 404 
set-cookie: oc_sessionPassphrase=#########; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ##################; path=/; secure; HttpOnly; SameSite=Lax
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: #################
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
x-robots-tag: noindex, nofollow
content-type: application/json; charset=utf-8
x-nextcloud-well-known: 1
content-length: 37
strict-transport-security: max-age=15552000
date: Sun, 07 Apr 2024 13:23:04 GMT
server: lighttpd/1.4.63

$ curl -IL https://org2.net/.well-known/webfinger
HTTP/2 301 
location: http://org2.net/index.php/.well-known/webfinger
date: Sun, 07 Apr 2024 13:23:14 GMT
server: lighttpd/1.4.63

HTTP/1.1 301 Moved Permanently
Location: https://org2.net/index.php/.well-known/webfinger
Date: Sun, 07 Apr 2024 13:23:14 GMT
Server: lighttpd/1.4.63

HTTP/2 404 
set-cookie: oc_sessionPassphrase=########; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: #############; path=/; secure; HttpOnly; SameSite=Lax
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: ##################
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
x-robots-tag: noindex, nofollow
content-type: application/json; charset=utf-8
x-nextcloud-well-known: 1
content-length: 37
strict-transport-security: max-age=15552000
date: Sun, 07 Apr 2024 13:23:14 GMT
server: lighttpd/1.4.63

They both redirect as intended. But the oddities are:

  1. curl gets a 404 on the target
  2. org2 is redirected twice. I can’t offhand see in the webserver configs how that might be, but on the second redirect curl reports it does land on the right target, so unlikely a cause of the symptom, just a distracting side issue.

Is this the first time you’ve seen this error? (Y/N): Yes

The output of your Nextcloud log in Admin > Logging:

Loads of errors (to resolve) but not related to this, as they are same on both URLs, none mention the URL and they relate to apps I think. But I’ll share some samples.

{"reqId":"ySMsV9vyobeDcssF2K8o","level":3,"time":"2024-04-07T16:14:03+10:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Exception thrown: Error","userAgent":"--","version":"28.0.4.1","exception":{"Exception":"Error","Message":"Typed property OCP\\BackgroundJob\\Job::$time must not be accessed before initialization","Code":0,"Trace":[{"file":"/var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":92,"function":"start","class":"OCP\\BackgroundJob\\TimedJob","type":"->"},{"file":"/var/www/html/nextcloud/cron.php","line":152,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php","Line":101,"CustomMessage":"Exception thrown: Error"},"id":"66129bbddd8ac"}
{"reqId":"BKKZhKkxr7eYy6AuF3pE","level":3,"time":"2024-04-02T11:32:48+11:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"include(): Failed opening '/var/www/html/nextcloud/lib/composer/composer/../../../lib/private/Preview/BackgroundCleanupJob.php' for inclusion (include_path='/var/www/html/nextcloud/3rdparty/pear/archive_tar:/var/www/html/nextcloud/3rdparty/pear/console_getopt:/var/www/html/nextcloud/3rdparty/pear/pear-core-minimal/src:/var/www/html/nextcloud/3rdparty/pear/pear_exception:/var/www/html/nextcloud/apps') at /var/www/html/nextcloud/lib/composer/composer/ClassLoader.php#576","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"},"id":"66129bbde6307"}
{"reqId":"BKKZhKkxr7eYy6AuF3pE","level":3,"time":"2024-04-02T11:32:48+11:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"include(): Failed opening '/var/www/html/nextcloud/lib/composer/composer/../../../lib/private/Preview/BackgroundCleanupJob.php' for inclusion (include_path='/var/www/html/nextcloud/3rdparty/pear/archive_tar:/var/www/html/nextcloud/3rdparty/pear/console_getopt:/var/www/html/nextcloud/3rdparty/pear/pear-core-minimal/src:/var/www/html/nextcloud/3rdparty/pear/pear_exception:/var/www/html/nextcloud/apps') at /var/www/html/nextcloud/lib/composer/composer/ClassLoader.php#576","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"},"id":"66129bbde6382"}
{"reqId":"skBVAQhHmohmFW5O9Iu0","level":3,"time":"2024-04-02T11:03:12+11:00","remoteAddr":"","user":"--","app":"core","method":"","url":"--","message":"Error while running background job (class: OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob, arguments: Array\n(\n    [storageId] => 3\n    [rootId] => 106\n)\n)","userAgent":"--","version":"28.0.3.2","exception":{"Exception":"ErrorException","Message":"Classifier process error","Code":0,"Trace":[{"file":"/var/www/html/nextcloud/apps/recognize/lib/Classifiers/Images/ClusteringFaceClassifier.php","line":84,"function":"classifyFiles","class":"OCA\\Recognize\\Classifiers\\Classifier","type":"->"},{"file":"/var/www/html/nextcloud/apps/recognize/lib/BackgroundJobs/ClassifyFacesJob.php","line":41,"function":"classify","class":"OCA\\Recognize\\Classifiers\\Images\\ClusteringFaceClassifier","type":"->"},{"file":"/var/www/html/nextcloud/apps/recognize/lib/BackgroundJobs/ClassifierJob.php","line":73,"function":"classify","class":"OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob","type":"->"},{"file":"/var/www/html/nextcloud/apps/recognize/lib/BackgroundJobs/ClassifyFacesJob.php","line":33,"function":"runClassifier","class":"OCA\\Recognize\\BackgroundJobs\\ClassifierJob","type":"->"},{"file":"/var/www/html/nextcloud/lib/public/BackgroundJob/Job.php","line":81,"function":"run","class":"OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob","type":"->"},{"file":"/var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":102,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":92,"function":"start","class":"OCP\\BackgroundJob\\TimedJob","type":"->"},{"file":"/var/www/html/nextcloud/cron.php","line":152,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/html/nextcloud/apps/recognize/lib/Classifiers/Classifier.php","Line":239,"message":"Error while running background job (class: 
OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob, arguments: Array\n(\n    [storageId] => 3\n    [rootId] => 106\n)\n)","exception":{"xdebug_message":"\nErrorException: Classifier process error in /var/www/html/nextcloud/apps/recognize/lib/Classifiers/Classifier.php on line 239\n\nCall Stack:\n    0.0005     355152   1. {main}() /var/www/html/nextcloud/cron.php:0\n   15.4866   12513624   2. OCP\\BackgroundJob\\TimedJob->execute($jobList = class OC\\BackgroundJob\\JobList { protected OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { private $inner = class OC\\DB\\Connection { ... } }; protected OCP\\IConfig $config = class OC\\AllConfig { private OC\\SystemConfig $systemConfig = class OC\\SystemConfig { ... }; private ?OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { ... }; private OCP\\Cache\\CappedMemoryCache $userCache = class OCP\\Cache\\CappedMemoryCache { ... } }; protected OCP\\AppFramework\\Utility\\ITimeFactory $timeFactory = class OC\\AppFramework\\Utility\\TimeFactory { protected DateTimeZone $timezone = class DateTimeZone { ... } }; protected Psr\\Log\\LoggerInterface $logger = class OC\\Log\\PsrLoggerAdapter { private OC\\Log $logger = class OC\\Log { ... } } }, $logger = class OC\\Log { private OCP\\Log\\IWriter $logger = class OC\\Log\\File { private OC\\SystemConfig ${OC\\Log\\LogDetails}config = class OC\\SystemConfig { ... }; protected string $logFile = '/data/ncdata/nextcloud.log'; protected int $logFileMode = 416; private OC\\SystemConfig $config = class OC\\SystemConfig { ... } }; private ?OC\\SystemConfig $config = class OC\\SystemConfig { protected $sensitiveValues = [...]; private $config = class OC\\Config { ... 
} }; private ?bool $logConditionSatisfied = FALSE; private ?Nextcloud\\LogNormalizer\\Normalizer $normalizer = class Nextcloud\\LogNormalizer\\Normalizer { private $maxRecursionDepth = 4; private $maxArrayItems = 20; private $dateFormat = 'Y-m-d H:i:s' }; private ?OCP\\Support\\CrashReport\\IRegistry $crashReporters = class OC\\Support\\CrashReport\\Registry { private $lazyReporters = [...]; private $reporters = [...]; private $serverContainer = class OC\\Server { ... } }; private ?OCP\\EventDispatcher\\IEventDispatcher $eventDispatcher = class OC\\EventDispatcher\\EventDispatcher { private $dispatcher = class Symfony\\Component\\EventDispatcher\\EventDispatcher { ... }; private $container = class OC\\Server { ... }; private $logger = class OC\\Log\\PsrLoggerAdapter { ... } } }) /var/www/html/nextcloud/cron.php:152\n   15.4867   12513624   3. OCP\\BackgroundJob\\TimedJob->start($jobList = class OC\\BackgroundJob\\JobList { protected OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { private $inner = class OC\\DB\\Connection { ... } }; protected OCP\\IConfig $config = class OC\\AllConfig { private OC\\SystemConfig $systemConfig = class OC\\SystemConfig { ... }; private ?OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { ... }; private OCP\\Cache\\CappedMemoryCache $userCache = class OCP\\Cache\\CappedMemoryCache { ... } }; protected OCP\\AppFramework\\Utility\\ITimeFactory $timeFactory = class OC\\AppFramework\\Utility\\TimeFactory { protected DateTimeZone $timezone = class DateTimeZone { ... } }; protected Psr\\Log\\LoggerInterface $logger = class OC\\Log\\PsrLoggerAdapter { private OC\\Log $logger = class OC\\Log { ... } } }) /var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php:92\n   15.4867   12513624   4. OCP\\BackgroundJob\\Job->start($jobList = class OC\\BackgroundJob\\JobList { protected OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { private $inner = class OC\\DB\\Connection { ... 
} }; protected OCP\\IConfig $config = class OC\\AllConfig { private OC\\SystemConfig $systemConfig = class OC\\SystemConfig { ... }; private ?OCP\\IDBConnection $connection = class OC\\DB\\ConnectionAdapter { ... }; private OCP\\Cache\\CappedMemoryCache $userCache = class OCP\\Cache\\CappedMemoryCache { ... } }; protected OCP\\AppFramework\\Utility\\ITimeFactory $timeFactory = class OC\\AppFramework\\Utility\\TimeFactory { protected DateTimeZone $timezone = class DateTimeZone { ... } }; protected Psr\\Log\\LoggerInterface $logger = class OC\\Log\\PsrLoggerAdapter { private OC\\Log $logger = class OC\\Log { ... } } }) /var/www/html/nextcloud/lib/public/BackgroundJob/TimedJob.php:102\n   15.4994   12513624   5. OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob->run($argument = ['storageId' => 3, 'rootId' => 106]) /var/www/html/nextcloud/lib/public/BackgroundJob/Job.php:81\n   15.4994   12513624   6. OCA\\Recognize\\BackgroundJobs\\ClassifierJob->runClassifier($model = 'faces', $argument = ['storageId' => 3, 'rootId' => 106]) /var/www/html/nextcloud/apps/recognize/lib/BackgroundJobs/ClassifyFacesJob.php:33\n"},"CustomMessage":"Error while running background job (class: OCA\\Recognize\\BackgroundJobs\\ClassifyFacesJob, arguments: Array\n(\n    [storageId] => 3\n    [rootId] => 106\n)\n)"},"id":"66129bc884e56"}

They likely relate to the recently installed Memories and Recognize apps. And need resolving but are not important here.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'ocxvaxvl276w',
  'passwordsalt' => 'hsFdVmRWivBYtNEq4RQ7FrB6BFLAs1',
  'secret' => 'Zo8ohClHjUJJeUJrmSlmL/xYwcAeI7C777HT2r16pTk11zTy',
  'trusted_domains' =>
  array (
    0 => 'org1.net',
    1 => 'org2.net',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.0.1',
  ),
  'forwarded-for-headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  'overwriteprotocol' => 'https',
  #'overwrite.cli.url' => 'https://org1.net',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\APCu',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data/ncdata',
  'dbtype' => 'pgsql',
  'version' => '28.0.4.1',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '#############',
  'installed' => true,
  'maintenance' => false,
  'loglevel' => 2,
  'logtimezone' => 'Australia/Hobart',
  'default_phone_region' => 'AU',
  'mail_smtpdebug' => true,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'cloud',
  'mail_domain' => '##########',
  'mail_smtphost' => '############',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '############',
  'mail_smtppassword' => '############',
  'mail_smtpsecure' => 'ssl',
  'mail_smtptimeout' => 60,
  'theme' => '',
  'maintenance_window_start' => 16,
  'memories.exiftool' => '/var/www/html/nextcloud/apps/memories/bin-ext/exiftool-amd64-glibc',
  'memories.vod.path' => '/var/www/html/nextcloud/apps/memories/bin-ext/go-vod-amd64',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Image',
    1 => 'OC\\Preview\\HEIC',
    2 => 'OC\\Preview\\TIFF',
    3 => 'OC\\Preview\\Movie',
  ),
  'memories.vod.disable' => false,
  'app_install_overwrite' =>
  array (
    0 => 'facerecognition',
  ),
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'memories.exiftool_no_local' => true,
  'memories.db.triggers.fcu' => true,
  'memories.gis_type' => 2,
);

The output of your Apache/nginx/system log in /var/log/____:

The lighttpd logs aren’t relevant and there’s nothing in them to help. Also there are four logs: an access and an error log on both the server and gateway (reverse proxy) that both run lighttpd. Checked them while loading pages, nothing of interest.

Bump. I’d really love to solve this.
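
Editor's added example, not part of the original post: the double redirect shown above for org2 includes a hop from https:// to http://, and this sketch parses `curl -IL` header output to list every hop and flag such scheme downgrades. The sample input is constructed from the org2 headers in the post, and the function names `parse_responses` and `audit_chain` are hypothetical.

```python
"""Flag scheme downgrades in a redirect chain captured with `curl -IL`."""
from urllib.parse import urljoin, urlsplit

# Constructed sample: headers trimmed from the org2 output shown in the post.
SAMPLE = """\
HTTP/2 301
location: http://org2.net/index.php/.well-known/webfinger

HTTP/1.1 301 Moved Permanently
Location: https://org2.net/index.php/.well-known/webfinger

HTTP/2 404
x-nextcloud-well-known: 1
strict-transport-security: max-age=15552000
server: lighttpd/1.4.63
"""


def parse_responses(dump):
    """Split a `curl -I` header dump into (status, headers) tuples."""
    responses = []
    for block in dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        status = int(lines[0].split()[1])
        headers = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses


def audit_chain(start_url, dump):
    """Return (hops, downgrades, final_status) for the redirect chain."""
    url, hops, downgrades, final = start_url, [], [], None
    for status, headers in parse_responses(dump):
        final = status
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            target = urljoin(url, headers["location"])
            hops.append((url, target))
            if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                downgrades.append((url, target))
            url = target
    return hops, downgrades, final


if __name__ == "__main__":
    hops, downgrades, final = audit_chain(
        "https://org2.net/.well-known/webfinger", SAMPLE)
    for src, dst in downgrades:
        print(f"downgrade: {src} -> {dst}")
    print(f"{len(hops)} redirect(s), final status {final}")
```

Feeding it the org1 output from the post instead yields a single hop and no downgrade, which makes the per-domain difference in the generated `Location` header explicit.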