Webfinger nginx

Hi, I recently put NC29 back on a new clean nginx, but an error appeared.
“Your web server is not properly set up to resolve .well-known Url, failed on: /.well-known/webfinger
The entries in my nginx settings are registered, here is a section with location settings, @wwe can u help me?
There is nothing in the documentation for configuring NGINX about webfinger at this address - config nginx

location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in `.htaccess` that concern `/.well-known`.
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
    location = /.well-known/webfinger  { return 301 /index.php/.well-known/webfinger; }
    location = /.well-known/nodeinfo  { return 301 /index.php/.well-known/nodeinfo; }
    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
    location ^~ /.well-known{ return 301 /index.php/$uri; }
    try_files $uri $uri/ =404;

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;
}

@wwe Hi, can you tell me about this mistake? in the knowledge base, it is not described at all as a function in the nginx config for nextcloud

Which version of Nextcloud are you using?
Does nextcloud reside in a subdirectory of webroot?

In any case you should synchronize your nginx configuration with the one from the official documentation this is for Nextcloud 29.

There, in the configuration for Nextcloud in webroot, requests for /.well-kown/webfinger are served through this directive:

# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;

I am using Nextcloud Hub 8 (29.0.0), installed in the root web directory, the configuration is completely copied from the documentation for setting up nginx, the fact of the matter is that it does not work properly, I provided part of the code from my configuration where is the parameter that you indicated it already exists

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php/php8.3-fpm-cloud.domen.ru.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

server {
	listen      192.168.0.80:443 ssl;
	server_name cloud.domen.ru ;
	root        /home/websrv/web/cloud.domen.ru/public_html;
	index index.php index.html /index.php$request_uri;
	access_log  /var/log/nginx/domains/cloud.domen.ru.log combined;
	access_log  /var/log/nginx/domains/cloud.domen.ru.bytes bytes;
	error_log   /var/log/nginx/domains/cloud.domen.ru.error.log error;

	ssl_certificate     /home/websrv/conf/web/cloud.domen.ru/ssl/cloud.domen.ru.pem;
	ssl_certificate_key /home/websrv/conf/web/cloud.domen.ru/ssl/cloud.domen.ru.key;
	ssl_stapling        on;
	ssl_stapling_verify on;

	# TLS 1.3 0-RTT anti-replay
	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
	if ($anti_replay = 425) { return 425; }

	include /home/websrv/conf/web/cloud.domen.ru/nginx.hsts.conf*;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Set .mjs and .wasm MIME types
    # Either include it in the default mime.types list
    # and include that list explicitly or add the file extension
    # only for Nextcloud like below:
    include mime.types;
    types {
        text/javascript js mjs;
	application/wasm wasm;
    }


    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;

        fastcgi_max_temp_file_size 0;
    }

    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
        add_header Referrer-Policy                   "no-referrer"       always;
        add_header X-Content-Type-Options            "nosniff"           always;
        add_header X-Frame-Options                   "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies "none"              always;
        add_header X-Robots-Tag                      "noindex, nofollow" always;
        add_header X-XSS-Protection                  "1; mode=block"     always;
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

	include /etc/nginx/conf.d/phpmyadmin.inc*;
	include /etc/nginx/conf.d/phppgadmin.inc*;
	include /home/websrv/conf/web/cloud.domen.ru/nginx.ssl.conf_*;
}
1 Like

Can you post the output of:
curl -iL https://cloud.domen.ru/.well-known/webfinger
?

yep

HTTP/2 301
server: nginx
date: Sun, 19 May 2024 14:39:33 GMT
content-type: text/html
content-length: 162
location: https://cloud.imw-rpg.ru/index.php/.well-known/webfinger
strict-transport-security: max-age=31536000;
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

HTTP/2 404
server: nginx
date: Sun, 19 May 2024 14:39:35 GMT
content-type: text/html; charset=utf-8
content-length: 2966
vary: Accept-Encoding
etag: "663d568d-b96"
strict-transport-security: max-age=31536000;
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

<!DOCTYPE html>
<html lang="en">
        <head>
                <meta charset="utf-8" />
                <meta name="viewport" content="width=device-width, initial-scale=1" />
                <title>Page Not Found</title>
                <style>
                        body {
                                background-color: #f5f5f5;
                                margin-top: 8%;
                                color: #5d5d5d;
                                font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,
                                        "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol",
                                        "Noto Color Emoji";
                                text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);
                                text-align: center;
                        }

                        h1 {
                                font-size: 2.45em;
                                font-weight: 700;
                                color: #5d5d5d;
                                letter-spacing: -0.02em;
                                margin-bottom: 30px;
                                margin-top: 30px;
                        }

                        .container {
                                width: 100%;
                                margin-right: auto;
                                margin-left: auto;
                        }

                        .animate__animated {
                                animation-duration: 1s;
                                animation-fill-mode: both;
                        }

                        .animate__fadeIn {
                                animation-name: fadeIn;
                        }

                        .info {
                                color: #5594cf;
                                fill: #5594cf;
                        }

                        .error {
                                color: #c92127;
                                fill: #c92127;
                        }

                        .warning {
                                color: #ffcc33;
                                fill: #ffcc33;
                        }

                        .success {
                                color: #5aba47;
                                fill: #5aba47;
                        }

                        .icon-large {
                                height: 132px;
                                width: 132px;
                        }

                        .description-text {
                                color: #707070;
                                letter-spacing: -0.01em;
                                font-size: 1.25em;
                                line-height: 20px;
                        }

                        .footer {
                                margin-top: 40px;
                                font-size: 0.7em;
                        }

                        .animate__delay-1s {
                                animation-delay: 1s;
                        }

                        @keyframes fadeIn {
                                from {
                                        opacity: 0;
                                }
                                to {
                                        opacity: 1;
                                }
                        }
                </style>
        </head>
        <body>
                <div class="container">
                        <div class="row">
                                <div class="col">
                                        <div class="animate__animated animate__fadeIn">
                                                <svg
                                                        class="info icon-large fa-question-circle"
                                                        xmlns="http://www.w3.org/2000/svg"
                                                        viewBox="0 0 512 512"
                                                >
                                                        <path
                                                                d="M504 256c0 136.997-111.043 248-248 248S8 392.997 8 256C8 119.083 119.043 8 256 8s248 111.083 248 248zM262.655 90c-54.497 0-89.255 22.957-116.549 63.758-3.536 5.286-2.353 12.415 2.715 16.258l34.699 26.31c5.205 3.947 12.621 3.008 16.665-2.122 17.864-22.658 30.113-35.797 57.303-35.797 20.429 0 45.698 13.148 45.698 32.958 0 14.976-12.363 22.667-32.534 33.976C247.128 238.528 216 254.941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
                                                        ></path>
                                                </svg>
                                        </div>
                                        <h1 class="animate__animated animate__fadeIn">Page Not Found</h1>
                                        <div class="description-text animate__animated animate__fadeIn animate__delay-1s">
                                                <p>Oops! We couldn't find the page that you're looking for.</p>
                                                <p>Please check the address and try again.</p>
                                                <section class="footer"><strong>Error Code:</strong> 404</section>
                                        </div>
                                </div>
                        </div>
                </div>
        </body>
</html>

The redirect is working, however then the webserver serves its 404 website, which is not how it should be (the 404 should come as a json from nextcloud).

You have several includes at the bottom of your configuration and I can only guess that there is a directive which is overriding the location from the nextcloud configuration.

Here is the result as it should be:

curl -iL https://nextcloud.example.com/.well-known/webfinger

HTTP/2 301 
server: nginx
date: Tue, 21 May 2024 05:35:58 GMT
content-type: text/html
content-length: 162
location: https://nextcloud.example.com/index.php/.well-known/webfinger
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-robots-tag: noindex, nofollow

HTTP/2 404 
server: nginx
date: Tue, 21 May 2024 05:35:58 GMT
content-type: application/json; charset=utf-8
content-length: 37
set-cookie: oc_sessionPassphrase=<PASSPHRASE>; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: <COOKIE>; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-request-id: <ID>
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
x-robots-tag: noindex, nofollow
x-nextcloud-well-known: 1
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-robots-tag: noindex, nofollow

{"message":"webfinger not supported"}

are you talking about these directives?

yes, those are the ones I meant.
Best way to find out why it isn’t working, is to enable nignx debug log and issue the the curl command from above and see which location serves the request in the end.

turning off these includes had no effect

I checked my access.log and it has duplicates of the / as an example
“/index.php//.well-known/webfinger HTTP/1.1” 404 146"-““Next cloud Server Crawler””

I got the same error, only by updating from NC28 to NC29.
Even though I made the entries as described in the documentation, I still get the error.
I think it’s still an NC29 bug.