WebDav not working behind reverse proxy

conradp24 · March 11, 2020, 6:43am

I am running docker containers for Nextcloud and rocket.chat on Unraid. I access both containers through an nginx reverse proxy. I cannot get the rocket.chat to connect to Nextcloud using webdav via the reverse proxy. It works fine behind the nginx reverse proxy via http using the non-FQDN ie. http://192.168.1.4/remote.php/dav/files/USER/

If I use this in a browser https://nextcloud.mydomain.com/remote.php/dav/files/USER/ , it tells me that “This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.” So it looks like it is recognised.

My nginx reverse proxy:

server {
listen 80;
server_name nextcloud.mydomain.com;
return 301 https://$host$request_uri;
}

server {
server_name nextcloud.mydomain.com;

listen [::]:443 ssl http2; #managed by Lets Encrypt

 listen 443 ssl http2; # managed by Lets Encrypt
 ssl_certificate /tmp/mnt/sda1/.acme.sh/aussieporters.com/aussieporters.com.cer;
 ssl_certificate_key /tmp/mnt/sda1/.acme.sh/aussieporters.com/aussieporters.com.key;


    location / {
     ##### Access ##################
    include  /opt/etc/nginx/nginx_whitelistip.conf;#
    include /opt/etc/nginx/nginx_blacklistip.conf;#
     ###############################


    proxy_pass http://192.168.1.4:4480/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
   client_max_body_size 10G;
   client_body_buffer_size 400M;
  # proxy_max_temp_file_size 2048m;
    access_log /opt/var/log/nginx/nextcloud.access.log;
    error_log /opt/var/log/nginx/nextcloud.error.log;
}

location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}

}

My docker nginx, note I’ve edited the original from the docker and marked out the DAVs for caldav, etc and placed them in the reverse proxy above instead.

upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
listen [::]:80;
server_name _;

return 301 https://$host$request_uri;

#server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name _;

ssl_certificate /config/keys/cert.crt;

ssl_certificate_key /config/keys/cert.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
fastcgi_hide_header X-Powered-By;
root /config/www/nextcloud/;
# display real ip in nginx logs when connected through reverse proxy via docker network
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.1.0/24;
real_ip_header X-Forwarded-For;
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
} #  location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;

}

location = /.well-known/caldav {

return 301 $scheme://$host:$server_port/remote.php/dav;

}
client_max_body_size 10G;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fo>
location / {
    rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
}
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
add_header Cache-Control “public, max-age=15778463”;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;” always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection “1; mode=block”;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Frame-Options “SAMEORIGIN”;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
access_log off;
}
location ~ .(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri;
access_log off;
}
}

My config.php file:

<?php $CONFIG = array ( 'memcache.local' => '\\OC\\Memcache\\APCu', 'datadirectory' => '/data', 'instanceid' => 'oclkd65w5yoy', 'passwordsalt' => 'JUQFzDXXXXXXXXzggnOov3S', 'secret' => 'lKHKGkJXXXXXXXXXXXXX+eYXvbqPlwLf9XVpecJ', 'trusted_domains' => array ( 0 => '192.168.1.4:4480', 1 => 'nextcloud.mydomain.com', 2 => 'chat.mydomain.com', ), 'trusted_proxies' => array ( 0 => '192.168.1.4', ), 'dbtype' => 'mysql', 'version' => '18.0.1.3', 'overwritehost' => 'nextcloud.mydomain.com', 'overwrite.cli.url' => 'https://nextcloud.mydomain.com', 'overwritewebroot' => '/', 'dbname' => 'nextcloud', 'dbhost' => '192.168.1.4:3305', 'dbport' => '', 'dbtableprefix' => 'oc_', 'mysql.utf8mb4' => true, 'dbuser' => 'nextycloud', 'dbpassword' => '7M5XXXXR^YX@W', 'installed' => true, 'twofactor_enforced' => 'true', 'twofactor_enforced_groups' => array ( 0 => ' Family', ), 'htaccess.RewriteBase' => '/', 'twofactor_enforced_excluded_groups' => array ( ), 'maintenance' => false, 'theme' => '', 'onlyoffice' => array ( 'verify_peer_off' => true, ), 'app_install_overwrite' => array ( 0 => 'sharerenamer', ), 'loglevel' => 2, );

Im unsure why my config file seems so squashed in this post.
I’ve really tried on this one, but I cannot get it right. Any help would be appreciated. CalDav and CardDav is currently sitting in my nginx reverseproxy, I"m unsure if this is correct? Although this makes no difference to accessing files through webdav.

turkicnomad · December 16, 2020, 12:14am

I have the same problem, roughly the same config files, and would appreciate any assistance.

Steel_PC · December 16, 2020, 9:39am

Try adding the following to your config.php

'csrf.optout' => 
  array (
    0 => '/^WebDAVFS/',
    1 => '/^Microsoft-WebDAV-MiniRedir/',
  ),

LanDaze · May 7, 2023, 9:22pm

Hi, I meet the same problem. Did you find any solution or anyone could help with this issue?
Appreciate for any help!