Unavoidable security & setup warnings with NC 21 update

1. I don’t have either enabled, and I think Social is broken right now. However, I am wondering if webfinger/nodeinfo is only enabled and active IF either Social or Federation is also enabled. Social definitely uses them, but not sure about Federation.
2. That’s more than me – I get 403, but the URL changes to https://my.nextcloud.com/index.php/.well-known/i-am-the-wurst . According to above, that’s what it’s supposed to do, right?

The test is from Add well known handlers API by ChristophWurst · Pull Request #24702 · nextcloud/server · GitHub, where it should return 404 (I haven’t tried from curl yet).

And a successful check either returns 404 or 200: server/admin.js at f37e150d1caa0918e3258011f3c9b04ce469bb7c · nextcloud/server · GitHub

I’m sorry, who came up with that design?

Why do I want Nextcloud to verify any phone numbers? Just let people turn of verification and the problem is solved. Now I set a region so that nc is happy, but the verification will still fail for users, who do not live in that region, which is very much possible, if you have a worldwide user base. So what’s the point?

P.S.: I have 3 SIM cards for 3 different countries. There’s a very good reason why I don’t add a country code to some of my phone numbers. (I know, not a profile thing, but still - an explanation why it can make sense not to use a country code.)

I couldn’t agree more. Have three SIM for different countries. Users live in different countries.

It is become a disturbing trend that NC invents wheels and features just to implement something, which break design, alter established (very good) UX/UI and all this for what?! Sometimes I wish there would be a release/update channel, which would be based on 17 or 18 version only with security updates… And sometimes I even afraid to update NC installation to avoid such “features” like the problems on this thread

Yep, all the new “features” that came out in the last 3 versions, I deactivated right away. I’m not sure who’s steering the boat, but it’s getting ridiculous.

It would be a lot better, if they were to finally fix pressing issues in the server core. Oh, and btw, the sync client still can’t do http2. In 2021. But at least they have a VFS that messes up normal sync operations. Just brilliant.

Pixolin,

Thanks for posting this! You just helped me out of the same problem.

Ken

I removed the translations for webfinger that were previously required. I left only translations for caldav and cardav. that fixed my issue

I am running NextCloud 21.0.0. These are the warnings on the Overview section (Security & setup warnings) on my server settings:

[Warning 1] * Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the [documentation]
[Warning 2] * Your web server is not properly set up to resolve “/.well-known/nodeinfo”. Further information can be found in the [documentation]
[Warning 3] * Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the [documentation]
[Warning 4] * Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the [documentation]

Let me label these warnings from Warning 1 to Warning 4.

Nextcloud resides in the subfolder /nextcloud on my Apache server and the DocumentRoot is set to “var/www/html/nextcloud” in default-ssl.conf. I can confirm that these lines that allow .htaccess to override configurations in the Apache server help to get ride of Warning 1 and Warning 2. I did not have to add any RewriteRule line in .htaccess.

<Directory /var/www/html/nextcloud>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

Reference: Apache .htaccess file - Examples and Common Uses | DigitalOcean

I am not yet able to get rid of Warning 3 and Warning 4

[Updated 3/29/2021: I follow the instructions here and it took care of Warning 3 and Warning 4 → Caldav and carddav error resolving - #8 by mable]

Thank Picxolin , worked for me and have S3 native file storage config.

Am faceing the same isseus. Not of the above work
running nextcloud 21.0.2
Ubuntu server 18 tls
php 7.4

I managed to fix al of them except:

• Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the documentation.
• Your web server is not properly set up to resolve “/.well-known/nodeinfo”. Further information can be found in the documentation.

server {
listen 80;
listen [::]:80;
server_name example.com;

# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;

#I found this header is needed on Ubuntu, but not on Arch Linux. 
add_header X-Frame-Options "SAMEORIGIN";

# Path to the root of your installation
root /usr/share/nginx/nextcloud/;

access_log /var/log/nginx/nextcloud.access;
error_log /var/log/nginx/nextcloud.error;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
   return 301 $scheme://$host/remote.php/dav;
}

location ~ /.well-known/acme-challenge {
  allow all;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
   rewrite ^ /index.php;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
   deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
   deny all;
 }

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
   include fastcgi_params;
   fastcgi_split_path_info ^(.+\.php)(/.*)$;
   try_files $fastcgi_script_name =404;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_param PATH_INFO $fastcgi_path_info;
   #Avoid sending the security headers twice
   fastcgi_param modHeadersAvailable true;
   fastcgi_param front_controller_active true;
   fastcgi_pass unix:/run/php/php7.4-fpm.sock;
   fastcgi_intercept_errors on;
   fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
   try_files $uri/ =404;
   index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # Optional: Don't log access to assets
    access_log off;

}

location ~* .(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don’t log access to other assets
access_log off;
}
}

I’m very much obliged to you! My “/.well-known/webfinger” error lasted for several months. After seeing your message, I fixed my error and now I passed all the security scans. Thank you very much!

Just AllowOverride All in /etc/apache/apache.conf and the caldav redirect errors should go away.

This works. Provided you remember to comment out (#) the already existing config for cardav and caldav. I’m a newbie and hadn’t done that initially. And it didn’t work. After commenting out, adding these lines worked for me.

Works fine. Thanks.

NGINX users: Please consider switching to the newest nginx config template. It’s heavily reworked and solves all above issues.

For the application server that is. And apart from (idependent!) proxy issues e.g. if you use a container or a even more complex setup.

i tried to enter this as an environment variable into my docker-compose.yml bat this seems to not work until now.

Hi there,
Thanks a lot guys.

Hello! i have the same error. What exactly did you do?

Thank you

Hello where did you add these lines in nginx or nextcloud.conf???

Hi,
did you append these entries in config.php?
Thanks!

This worked for me:

    location = /robots.txt {
        allow             all;
        log_not_found     off;
        access_log        off;
    }

    location ^~ /.well-known/webfinger {
        return 301 $scheme://$host:$server_port/index.php/.well-known/webfinger;
    }

    location ^~ /.well-known/nodeinfo {
        return 301 $scheme://$host:$server_port/index.php/.well-known/nodeinfo;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow                  all;
    }