.well-known seems to work but still a warning (using Traefik)

I have nextcloud up and running using Traefik as proxy. When I navigate to my-cloud.de/.well-known/caldav I get redirected to my-cloud.de/remote.php/dav - which I think is correct. However, in the settings I still get a warning

Your web server is not properly set up to resolve “/.well-known/caldav”.

Also, while I’m able to connect the calendar on my phone, it fails on OSX. I’m assuming it has to do with this “.well-known” issue.

There have been quite some questions around this topic in this forum, however, most are about configuring Apache, I’m using Traefik. The configuration is:

      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
      - traefik.http.services.nextcloud.loadbalancer.server.port=80

Do I have to set any headers, maybe?

I use “replacepathregex” instead of “redirectregex”:

Nevertheless, up to now I couldn’t get rid of the webfinger warning. But remote.php/dav seems to work well.

1 Like

Hm, this does not seem to change anything. The redirect still works, but the Warning is still displayed and I cannot connect my OSX clients.

Hey, since I read your name very often here and I guess you know what you are doing I wanted to ask if you were able to resolve the well known webfinger warning?
I can’t get rid of it sadly with traefik and nextcloud:apache image.
Currently my traefik labels in nc look like this:
I tried different suggestions from github but couldn’t make them work.

      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-app.entrypoints=http"
      - "traefik.http.routers.nextcloud-app.rule=Host(`example.secureserver.de`)"  #set url (cloud.example.com)
      - "traefik.http.middlewares.nextcloud-app-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-app-https-redirect"
      - "traefik.http.routers.nextcloud-app-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-app-secure.rule=Host(`example.secureserver.de`)"  #set url (cloud.example.com)
      - "traefik.http.routers.nextcloud-app-secure.tls=true"
      - "traefik.http.routers.nextcloud-app-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-app-secure.service=nextcloud-app"
      - "traefik.http.services.nextcloud-app.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.nextcloud-app-secure.middlewares=nextcloud-dav,secHeaders@file"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"

@SimonWolf I’m afraid no. I could find the correct traefik settings for this yet. sorry.

I think the issue disappeared now.
I didn’t change anything but checked again if it’s working now and it seems to be working just fine on arm as well now…
Do you still have any Traefik warnings about well-known?
(This is the configuration I am using)

Maybe just my 50 cents here, also nearly spent 2 days until I dug a bit deeper:

TL;DR;

traefik config for a nextcloud accessible in domainname root, e.g. https://mydomain.com/ (not in subpath)

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`$(DOMAINNAME)`)"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://$${1}/index.php$${2}"

Why did the issue (maybe) suddenly disappear, without any (obvious) change?

the requests to webfinger and nodeinfo get cached, so only if you wait until the cached time is over (and a real reload takes place) or if you disable the caching in F12 DevTools you get the real changes.

So the caching is maybe a hint here.

How to configure traefik?

For CalDav and CardDav the documentation tells a little bit on how to configure traefik here
Reverse proxy — Nextcloud latest Administration Manual latest documentation, which in labels is already mentioned here:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`$(DOMAINNAME)`)"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https?://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"

Unfortunately, for webfinger and nodeinfo nothing is said.

I looked at an nginx example configuration here
https://github.com/nextcloud/docker/blob/211229f8dc1ddbede16f7bb67d4bcada75d6a047/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf#L100-L117

this configures the nginx like that:

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

the formerly seen traefik labels are for these two lines

    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

result for traefik

      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https?://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"

but for this part

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;

nothing is provided. So in other words the webfinger request to e.g. https://mydomain.com/.well-known/webfinger should be redirected to https://mydomain.com/index.php/.well-known/webfinger

so I added a new middleware

      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://$${1}/index.php$${2}"

The regex is a little bit special and it is essential to understand as otherwise it leads to issues and you get an endless redirect.
my nextcloud is available via https://mydomain.com/ so NO SUB PATH, for sub path the regex needs to be adapted.

What the regex right now does:
    https?://([^/]*)(/.well-known[^#]*)

  • the first match group ([^/]*) only matches the host and port information (host [ “:” port ]) - up before the first occurrence of a /
  • the second group (/.well-known[^#]*) matches the full original request URI (with arguments) but without any fragment/comment/anchor, if it starts with /.well-known - this group content is comparable to the nginx.conf variable $request_uri

The second group then gets appended to the new location: https://$${1}/index.php$${2}

Why the first group is so important:
This redirect is different than the one for Cal/CardDav, it appends the magic string /.well-known again, to the new url: https://mydomain.com/index.php/.well-known/webfinger
so the regex needs to ensure that the redirected url is NOT matched again, otherwise you end in an endless redirection loop: https://mydomain.com/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/.well-known/webfinger

The regex can be tested e.g. here:
regex101: build, test, and debug regex
Sample Urls

  • https://mydomain.com/.well-known/webfinger
  • https://mydomain.com/.well-known/webfinger/longersample
  • https://mydomain.com/.well-known/webfinger#anchor_should_not_match

Full configuration:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`$(DOMAINNAME)`)"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://$${1}/index.php$${2}"

More Details

Uniform Resource Identifiers:
By RFC URIs have been known by many names: WWW addresses, Universal Document Identifiers, Universal Resource Identifiers, and finally the combination of Uniform Resource Locators (URL). As far as HTTP is concerned, Uniform Resource Identifiers are simply formatted strings which identify–via name, location, or any other characteristic–a resource.

Further Sources:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2
http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri

2 Likes
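
The redirect loop described in the post above can be reproduced offline with Go's regexp package (Traefik is written in Go). This is an added example, not code from the thread or from Traefik: the `rule` type, the `follow` helper and the greedy `(.*)` variant of the second pattern are assumptions made for illustration, and each middleware is modelled simply as match-then-replace on the full request URL.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule models one redirectregex middleware: when the regex matches the full
// request URL, the client is redirected to the rewritten URL.
type rule struct {
	re          *regexp.Regexp
	replacement string
}

// Patterns from the labels in the post ("$${1}" in a compose file is "${1}").
var (
	dav       = rule{regexp.MustCompile(`https?://([^/]*)/.well-known/(card|cal)dav`), "https://${1}/remote.php/dav/"}
	wellKnown = rule{regexp.MustCompile(`https?://([^/]*)(/.well-known[^#]*)`), "https://${1}/index.php${2}"}
	// Hypothetical variant with a greedy host group, built here to show the loop.
	greedy = rule{regexp.MustCompile(`https?://(.*)(/.well-known[^#]*)`), "https://${1}/index.php${2}"}
)

// follow plays the client: it requests url, takes the redirect of the first
// matching rule in the chain, and repeats until nothing matches or maxHops.
func follow(url string, chain []rule, maxHops int) (string, int) {
	for hops := 0; hops < maxHops; hops++ {
		next := ""
		for _, r := range chain {
			if r.re.MatchString(url) {
				next = r.re.ReplaceAllString(url, r.replacement)
				break
			}
		}
		if next == "" {
			return url, hops // no rule matched: the request reaches Nextcloud
		}
		url = next
	}
	return url, maxHops // still being redirected when the hop budget ran out
}

func main() {
	start := "https://mydomain.com/.well-known/webfinger" // constructed sample URL
	fmt.Println(follow(start, []rule{dav, wellKnown}, 5))
	fmt.Println(follow(start, []rule{dav, greedy}, 5))
	fmt.Println(follow("https://mydomain.com/.well-known/caldav", []rule{dav, wellKnown}, 5))
}
```

In this model the order of the chain also matters: the second pattern matches `/.well-known/caldav` too, so listing it first would send DAV discovery to `/index.php/.well-known/caldav` instead of `/remote.php/dav/`.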