WebDAV setup issue? NGINX configuration

I’m getting these warnings from my admin.

There are some warnings regarding your setup.

    You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this ↗.

    Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation ↗.

Please double check the installation guides ↗, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan ↗.
Version

Nextcloud Hub 5 (27.0.2)

I’m running a separate NGINX reverse proxy.

I looked at the docs but am struggling to find out what is wrong. NC works fine but I cannot get the iOS app to work; the last step, grant access, gets stuck in an infinite loop.

The Windows desktop app also will not run for similar reasons. I suspect both may be using WebDAV to work (?)

PHP

PHP 7.4.33 (cli) (built: Jun  9 2023 16:51:37) ( NTS )

CPU:

Architecture:                    aarch64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
CPU(s):                          4
On-line CPU(s) list:             0-3
Thread(s) per core:              1
Core(s) per socket:              4
Socket(s):                       1
Vendor ID:                       ARM
Model:                           3
Model name:                      Cortex-A72
Stepping:                        r0p3
CPU max MHz:                     1800.0000
CPU min MHz:                     600.0000
BogoMIPS:                        108.00
L1d cache:                       128 KiB
L1i cache:                       192 KiB
L2 cache:                        1 MiB

OS:

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

OMV:

openmediavault                       6.6.0-2

Docker:

Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:35:38 2023
 OS/Arch:           linux/arm64
 Context:           default

Have you configured your trusted_proxies parameter in your Nextcloud config.php?

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html

Fix the above issue first before troubleshooting the /.well-known stuff.

Then please post the output of occ config:list system (or equivalent) since there may need to be some further refinement.

As for the /.well-known/ URLs, you need to map them on your NGINX reverse proxy:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#service-discovery

I know you mentioned you looked at the docs. If still stuck after reviewing the above, please post your NGINX proxy config. Also try visiting https://yourdomain.tld/.well-known/caldav and share what you see/experience.

config.php:
This is the start of the CONFIG array in my config.php, with some redaction for privacy.

    <?php
    $CONFIG = array (
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'memcache.distributed' => '\\OC\\Memcache\\Redis',
      'redis' =>
      array (
        'host' => 'redis',
        'port' => 6379,
      ),
      'filelocking.enabled' => true,
      'memcache.locking' => '\\OC\\Memcache\\Redis',
      'datadirectory' => '/data',
      'trusted_proxies' => ['192.168.1.25'],
    #  'trusted_proxies' =>
    #  array (
    #    0 => 'nginx',
    #    1 => '192.168.1.25',
    #  ),
    //    'overwritewebroot' => '/nextcloud',
    //  'overwrite.cli.url' => 'https://mydomain.com/nextcloud',    // latest 1
      'overwrite.cli.url' => 'https://mydomain.com/',  // added 's' https. no change in admin warnings...
    //  'overwritehost' => 'https://mydomain.com',
    //  'overwritehost' => 'mydomain.com',
    //    'overwritehost' => 'ssl-proxy.com',
        'overwriteprotocol' >= 'https',
      'trusted_domains' =>
      array (
        0 => '*.mydomain.com',
    //    0 => 'mydomain.com',
        1 => 'localhost',
        2 => '192.168.1.25',
        3 => '*mydomain.com',
      ),

This issue is similar to Nextcloud iOS app login fails
I got the iOS app to connect to my NC instance using the QR code approach. Still leaves WebDAV not working.

Output of requested OCC command:

rc@raspberrypi:/SSD $ sudo docker exec -it nextcloud sudo -u abc php /config/www/nextcloud/occ config:list system
{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/mydomain.com\/",
        "0": true,
        "trusted_domains": [
            "*xxxxxxxxx.com",
            "localhost",
            "192.168.1.25",
            "*.xxxxxx.com"
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memories.exiftool": "\/config\/www\/nextcloud\/apps\/memories\/exiftool-bin\/exiftool-aarch64-musl",
        "memories.vod.path": "\/config\/www\/nextcloud\/apps\/memories\/exiftool-bin\/go-vod-aarch64",
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "CA",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "app_install_overwrite": [
            "news",
            "cms_pico"
        ]
    }
}
rc@raspberrypi:/SSD $

Also going to the caldav URL (https://mydomain.com/.well-known/caldav) yielded this:

This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.

My domain is also getting an A+ rating from https://www.ssllabs.com

A few workarounds for my immediate issues/concerns:

NC iOS app: was able to sign in to my NC instance using the QR-code approach as mentioned in other forum posts.
NC Windows app: was able to sign in to my NC instance by disabling SSL on my NGINX reverse proxy server and using http to access NC (with one temporary config.php change: overwriteprotocol from https to http). I have since re-enabled SSL and reverted NGINX back to SSL, and reverted the config.php, and everything still worked fine for a while; then syncing failed, probably after a reboot.
WebDAV: Works using guidance from Accessing Nextcloud files using WebDAV — Nextcloud latest User Manual latest documentation. The command net use Z: https://<drive_path>/remote.php/dav/files/USERNAME/ /user:youruser yourpassword successfully mapped NC ‘user’ folders to a Windows network drive (Z).

I’m still getting the previous warnings from my ‘Admin account’ settings page:

There are some warnings regarding your setup.

    You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this ↗.

    Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation ↗.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation ↗.

Please double check the installation guides ↗, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan ↗.
Version

Nextcloud Hub 5 (27.0.2)
Update
Your version is up to date. 

Any help clearing up these warnings would be appreciated.

I finally resolved this by setting the NGINX proxy host configuration for nextcloud as shown below. These settings used to be scheme=http, port 80. Not quite sure how this makes sense, as based on my (limited, I’m not an IT professional) understanding, nginx is supposed to decrypt packets and send them to NC un-encrypted.
image

I’m now getting an ‘All Passed’ from Nextcloud checks, with a gorgeous green check mark. Also the Windows NC client now is also very happy.
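
Editor's added example, not part of the thread or of Nextcloud's own code: in the `occ config:list system` output posted above, the `"0": true` entry and the absence of `overwriteprotocol` are what PHP produces when an array entry is written with `>=` instead of `=>`, as on the `overwriteprotocol` line of the posted config.php. The sketch below checks an occ dump for that and two related reverse-proxy settings; the function name `check_proxy_config` and the embedded sample (a constructed subset of the posted output) are assumptions made for illustration.

```python
import json

# Constructed sample: the proxy-related keys from the occ output in this
# thread, with the redacted values left as the placeholders occ printed.
SAMPLE = r'''
{"system": {
  "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
  "overwrite.cli.url": "https:\/\/mydomain.com\/",
  "0": true,
  "trusted_domains": ["*xxxxxxxxx.com", "localhost", "192.168.1.25", "*.xxxxxx.com"]
}}
'''

def check_proxy_config(occ_json):
    """Return a list of findings for a `occ config:list system` JSON dump."""
    system = json.loads(occ_json)["system"]
    findings = []
    # config.php is a PHP array literal. An entry typed with '>=' is a string
    # comparison, so PHP stores its boolean result under the next integer key
    # and the setting that was meant to be defined never exists.
    for key, value in system.items():
        if key.isdigit():
            findings.append(
                f"stray entry {key!r}={value!r}: look for '>=' typed instead of '=>'")
    cli_url = system.get("overwrite.cli.url", "")
    if cli_url.startswith("https://") and system.get("overwriteprotocol") != "https":
        findings.append("overwriteprotocol is not 'https' although overwrite.cli.url is https")
    if not system.get("trusted_proxies"):
        findings.append("trusted_proxies is empty: forwarded headers will not be trusted")
    for domain in system.get("trusted_domains", []):
        # '*example.com' has no dot boundary, so it also matches any other
        # hostname that merely ends in 'example.com'.
        if domain.startswith("*") and not domain.startswith("*."):
            findings.append(f"trusted_domains pattern {domain!r} has no dot after the wildcard")
    return findings

if __name__ == "__main__":
    for finding in check_proxy_config(SAMPLE):
        print("WARN:", finding)
```

To run it against a live instance, pass the JSON printed by the `occ config:list system` command shown earlier in the thread to `check_proxy_config`.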