Where should nextcloud be installed under apache, and does it affect the .well-known redirect problems?

I have installed nextcloud from source (actually many years ago and moved it around since then to new servers).

In the nextcloud docs it doesn’t explicitly say to install nextcloud at /var/www/nextcloud but the example configuration and virtual hosts file indicate it is there:

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud/
  ServerName  your.server.com

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

This is where nextcloud is on my server.

Now the actual DocumentRoot of my server is (in 000-default.conf) /var/www/html.

In my case nextcloud is currently accessed from a subdomain like nextcloud.mydoman.tld and nextcloud is resolved fine.

However, I am also, like many others, having problems with getting errors like

Your web server is not properly set up to resolve "/.well-known/carddav"

I have tried creating a .htaccess file like the following in /var/www and /var/www/html

<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteRule ^/\.well-known/host-meta /public.php?service=host-meta [QSA,L]
	RewriteRule ^/\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
	RewriteRule ^/\.well-known/carddav /remote.php/dav/ [R=301,L]
	RewriteRule ^/\.well-known/caldav /remote.php/dav/ [R=301,L]
	RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
	RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
</IfModule>

I had it in only one of these locations at a time, and restarted apache each time before testing the configuration.

But no matter what I do I cannot get rid of these errors.

Is it possible this is because I need to move my nextcloud installation to /var/www/html/nextcloud?

If not, what do I actually have to do to get rid of these errors? Nothing I have tried helps.

For reference my Virtualhosts file for nextcloud looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName nextcloud.<redacted>
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

	ServerAdmin sysadmin@<redacted>
	DocumentRoot /var/www/nextcloud


	<Directory /var/www/nextcloud/>
		Require all granted
		AllowOverride All
		Options FollowSymLinks MultiViews

		<IfModule mod_dav.c>
			Dav off
		</IfModule>
	</Directory>

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	<IfModule mod_rewrite.c>
		RewriteEngine on
		RewriteRule ^/\.well-known/host-meta /public.php?service=host-meta [QSA,L]
		RewriteRule ^/\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
		RewriteRule ^/\.well-known/carddav /remote.php/dav/ [R=301,L]
		RewriteRule ^/\.well-known/caldav /remote.php/dav/ [R=301,L]
		RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
		RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
	</IfModule>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


	SSLCertificateFile <redacted>
	SSLCertificateKeyFile <redacted>
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Sorry to drag up this post but can no one offer any tips on this?

In your case these rules need to be in /var/www/nextcloud

Hi @crobarcro

Yep @Bernie_O is right and they already are, because Nextcloud provides a .htaccess file, which does include these rules. No need to include these rules again in your apache config files.

Nextcloud is installed in /var/www/nextcloud, and there is indeed the nextcloud supplied .htaccess file in this directory which I have not modified.

For the avoidance of doubt, this file contains:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //

So I don’t think this is the exact issue?

Have you ever tried to disable the 000-default conf? I mean do you actually serve anything out of /var/www/html? If not, there is no need to keep it active.

I serve my Nextcloud from /var/www/html/nextcloud, mainly because the tutorial used it like that, when I started years ago. :wink: And to be honest I am not a 100% sure if it makes any difference. But I don’t think the path matters, unless other global directives in /etc/conf-enabled or in the /etc/apache2.conf file are active which may affect this path?

Anyways… This is my working Apache config on Ubuntu 18.04: Maybe it is of any help…

/etc/apache2/apache2.conf

This is the only section I changed anything in the file:

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all denied
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all denied
</Directory>

#<Directory /srv/>
#       Options Indexes FollowSymLinks
#       AllowOverride None
#       Require all granted
#</Directory>

/etc/apache2/sites-available/001-nextcloud.conf

<VirtualHost *:80>
Servername cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.mydomain.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

/etc/apache2/sites-available/001-nextcloud-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCACertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.tld/privkey.pem
</VirtualHost>

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</IfModule>

Thanks for your help, after pulling my hair out, I finally realised it was an own goal, I had another old default site in sites-enabled (which I had set up to serve nextcloud) which should have been disabled. It was taking precedence over the nextcloud configuration. Feeling pretty silly now.

I have the same configuration as @crobarcro and tried a lot to insert those rules - to no avail. The forum-posts tell everything about nginx, but if it’s Apache, all posts tell me to use .htaccess. Why htaccess? The Apache-documentation advises me to not use htaccess but to use the config-file. I did not find any answer where to insert the well-known-rules, if the configuration is like the one in the first post.

(My Nextcloud is 21 on Debian-Buster)

Does anyone have any advice?

Spielmops

As far as I can tell, you don’t need to do anything with .htaccess. Nextcloud provides an appropriate .htaccess with the rules in it. The other place you need to put the rules is in your Apache configuration files as above. In my case the files were configured correctly.

My problem was that I had at some point modified the default site to point to Nextcloud, as well as having a Nextcloud specific configuration file. The default site was taking precedence, so none of the rules I put in the Nextcloud specific configuration were being used.

If this isn’t your problem, you could also check that you actually have the appropriate modules installed and enabled in apache (using a2enmod etc.). If you have stuff wrapped in IfModule and it isn’t installed, it won’t do anything.

I would look at bb77’s configuration files above which are very similar to mine.
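The precedence problem described above (two enabled sites claiming the same ServerName, with the first one winning) can be spotted from `apache2ctl -S`. This is an added example, not part of the original posts; the function names are hypothetical, and the sample dump, hostnames and file names are constructed placeholders.

```sh
#!/bin/sh
# Added example: report ServerNames claimed by more than one enabled vhost
# on the same address:port, reading `apache2ctl -S` output from stdin.
# Apache answers from the first vhost listed; the later ones are never used.
# Only ServerName entries are compared; ServerAlias lines are ignored.
shadowed_vhosts() {
    awk '
        $4 == "NameVirtualHost" { addr = $1; next }   # "*:443 is a NameVirtualHost"
        $1 == "port" && $3 == "namevhost" {
            key = addr " " $4
            src = $5; gsub(/[()]/, "", src)           # "(file:line)" -> "file:line"
            if (key in first)
                print $4, addr, first[key], src        # host addr winner shadowed
            else
                first[key] = src
        }
    '
}

# Constructed sample of `apache2ctl -S` output (placeholder names).
sample_vhost_dump() {
    cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server nextcloud.example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost nextcloud.example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost nextcloud.example.com (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
*:80                   www.example.com (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

# On a live host: apache2ctl -S 2>&1 | shadowed_vhosts
sample_vhost_dump | shadowed_vhosts
```

Each output line reads: hostname, address:port, the file that wins, the file that is shadowed. Disabling the unwanted site with a2dissite and reloading Apache clears the entry.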

I do not find, where bb77 has inserted any of those well-known-rules in his configs. My goal is to not use htaccess.

In general, you should only use .htaccess files when you don’t have access to the main server configuration file.

(Apache-documentation: https://httpd.apache.org/docs/2.4/howto/htaccess.html)

Spielmops

Ah, you’re right, here is my (redacted) site configuration file:

#Alias /nextcloud "/var/www/nextcloud/"
#
#<Directory /var/www/nextcloud/>
#  Require all granted
#  AllowOverride All
#  Options FollowSymLinks MultiViews
#
#  <IfModule mod_dav.c>
#    Dav off
#  </IfModule>
#</Directory>


<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName nextcloud.<redacted>.com
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

    ServerAdmin sysadmin@<redacted>.com
    DocumentRoot /var/www/nextcloud


    <Directory /var/www/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule ^/\.well-known/host-meta /public.php?service=host-meta [QSA,L]
        RewriteRule ^/\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
        RewriteRule ^/\.well-known/carddav /remote.php/dav/ [R=301,L]
        RewriteRule ^/\.well-known/caldav /remote.php/dav/ [R=301,L]
        RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
        RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
    </IfModule>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf


    SSLCertificateFile /etc/letsencrypt/live/nextcloud.<redacted>.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.<redacted>.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Just to confirm, I am not using my own .htaccess file anywhere at all, and all checks pass
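On where the rules can go: in virtual-host context mod_rewrite matches a RewriteRule pattern against the URL path including its leading slash, while in .htaccess or `<Directory>` context the directory prefix is stripped first, so the same pattern cannot work in both places. The following is an added example, not part of the original posts; `lint_rewrite_rules` and `page_rules` are hypothetical names, and the rule list is the one quoted in this thread.

```sh
#!/bin/sh
# Added example: print RewriteRule patterns that can never match in the
# given context ("vhost" or "htaccess"). Heuristic: only patterns anchored
# with ^ whose first token is a literal character are judged.
# Assumption: the whole input is one context; rules inside a <Directory>
# block of a vhost file are per-directory and should be checked as "htaccess".
lint_rewrite_rules() {
    awk -v ctx="$1" '
        tolower($1) != "rewriterule" { next }
        {
            pat = $2
            if (pat ~ /^!/) next                  # negated patterns are not judged
            if (substr(pat, 1, 1) != "^") next    # unanchored: may match anywhere
            c1 = substr(pat, 2, 1); c2 = substr(pat, 3, 1)
            slash   = (c1 == "/" || (c1 == "\\" && c2 == "/"))
            literal = (!slash && (c1 ~ /^[A-Za-z0-9_]$/ ||
                       (c1 == "\\" && c2 ~ /^[^A-Za-z0-9]$/)))
            # Per-directory: the matched string never starts with "/".
            if (ctx == "htaccess" && slash) print pat
            # Virtual host: the matched string always starts with "/".
            if (ctx == "vhost" && literal) print pat
        }
    '
}

# The six rules as posted in this thread.
page_rules() {
    cat <<'EOF'
RewriteRule ^/\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^/\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^/\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
EOF
}

echo "never match inside <VirtualHost>:"; page_rules | lint_rewrite_rules vhost
echo "never match inside .htaccess:";     page_rules | lint_rewrite_rules htaccess
```

In the virtual host the two patterns without a leading slash are inert, and in a .htaccess file the four with a leading slash are; the .htaccess shipped by Nextcloud uses the slash-free form throughout.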

Thanks, I will try that tomorrow.

Spielmops

I inserted those rewrite-rules from IfModule mod-rewrite to /IfModule in the file “Nextcloud.conf” and restarted Apache2. Then I had a look in “Overview” of Nextcloud and nothing changed … :frowning:

Spielmops

@Spielmops I’m afraid I don’t know what the issue is, but perhaps if you share the full apache configuration file and more details, someone can diagnose (remove any info that can identify your server).

As far as I understand it @crobarcro does use .htaccess, or at least I see the AllowOverride All directive in the config. And if I’m not completely wrong, this thread was never about not using .htaccess but rather about .htaccess not working for @crobarcro .

I unfortunately cannot help you without your specific issue, and I would recommend using .htaccess for Nextcloud as it is recommended in the Nextcloud documentation.

Or maybe you could open a new thread where you post your goal, what you already have tried and your apache configuration, maybe others can help…

Another option would be using nginx or maybe you can “translate” the nginx config to apache…

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

I only use the .htaccess file in the /var/www/nextcloud directory which was provided by nextcloud and I have not modified it. There are no other .htaccess files anywhere in my /var/www directory tree. There may have been when I created my original post, but once I realised my real problem I made sure to delete all other .htaccess files to avoid any confusion. My working setup therefore does not use any of my own .htaccess files.

The AllowOverride directive is included because it is copied from the example in the Nextcloud documentation.