With Nextcloud update: "Not properly set up to resolve “/ocm-provider/” and “/ocs-provider/” on NGINX server

ℹ️ Support
, ,
1
Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): Nextcloud 26.0.0
Operating system and version: Ubuntu 22.04.2 LTS
Apache or nginx version: nginx/1.18.0 (Ubuntu)
PHP version: PHP 8.1.2-1ubuntu2.11 (cli) (built: Feb 22 2023 22:56:18) (NTS)

The issue you are facing:
I’ve just updated my NextCloud installation to 26.0.0 and have encountered an issue. This is what I see in settings/overview warnings:

  • The web server is not properly configured to resolve the path “/ocm-provider/”. This is most likely due to the web server configuration not being updated to access this folder directly. Compare your configuration with the supplied Apache .htaccess rewrite rules or those provided in the Nginx documentation on the documentation page :arrow_upper_right:. Nginx usually needs to update the lines that start with “location ~”.
  • The web server is not properly configured to resolve the path “/ocs-provider/”. This is most likely due to the web server configuration not being updated to access this folder directly. Compare your configuration with the supplied Apache .htaccess rewrite rules or those provided in the Nginx documentation on the documentation page :arrow_upper_right:. Nginx usually needs to update the lines that start with “location ~”.
    Is this the first time you’ve seen this error? (Y/N): Yes

Config location: /etc/nginx/conf.d/nextcloud.conf
Nextcloud web-files location: /var/www/nextcloud/

No SSL used. Run on external IP without domain.
Redis installed.

Here is my nextcloud.conf:

server {
    listen 80;
    listen [::]:80;
    server_name 192.168.1.10, XX.XXX.XX.XXX;
    # XX.XXX.XX.XXX - external IP that I use, numbers were hidden with XX. here

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Download-Options                "noopen"            always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    #I found this header is needed on Ubuntu, but not on Arch Linux. 
    #add_header X-Frame-Options "SAMEORIGIN";

    # Path to the root of your installation
    root /var/www/nextcloud/;

    access_log /var/log/nginx/nextcloud.access;
    error_log /var/log/nginx/nextcloud.error;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location ^~ /.well-known {
          return 301 /index.php$uri;
        }
    location = /.well-known/webfinger {
          return 301 /index.php$uri;
        }

    # set max upload size
    client_max_body_size 2048M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       try_files $fastcgi_script_name =404;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php/php8.1-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }
   
     
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
   }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;   
    }
}

What should I change in my nextcloud.conf to fix the warning issues?

2 Likes
2

+1 Same here.

3

Hello
my config looks like yours and I managed to remove the warning message by modifying…

in your line:
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34]).php(?:$|/) {

replace ocs-provider/ by oc[ms]-provider/

and in your line:

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;

replace ocs-provider by oc[ms]-provider

then reload nginx
sudo systemctl reload nginx.service

2 Likes
4

It turned out that it works, but notifications disappeared not immediately for some reason - after some time. Thank you for your help.
Also by chance maybe you know how to remove similar notifications:
The web server is not properly configured to allow “/.well-known/webfinger”. Additional information is provided in the documentation :arrow_upper_right:.
The web server is not properly configured to allow “/.well-known/nodeinfo”. Additional information is provided in the documentation :arrow_upper_right:.

???

5

If you running Nginx, add this to your nextcloud.conf file:

location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in .htaccess that concern /.well-known.

    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;

}

Re-start Nginx and check if the warning is gone.

6

Hey Laurent, I have the same Issue but i’m using Apache Server.
Any idea what i needed to change to solve this issue?

Here is my .htaccess file

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "noindex, nofollow"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    <If "%{QUERY_STRING} =~ /(^|&)v=/">
      Header set Cache-Control "max-age=15778463, immutable"
    </If>
    <Else>
      Header set Cache-Control "max-age=15778463"
    </Else>
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /index.php/error/403
ErrorDocument 404 /index.php/error/404
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav|wasm|tflite)$
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update\.php
  RewriteCond %{REQUEST_FILENAME} !/core/img/(favicon\.ico|manifest\.json)$
  RewriteCond %{REQUEST_FILENAME} !/(cron|public|remote|status)\.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v(1|2)\.php
  RewriteCond %{REQUEST_FILENAME} !/robots\.txt
  RewriteCond %{REQUEST_FILENAME} !/(ocm-provider|ocs-provider|updater)/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Thankyou for your valuable time

1 Like
7

hey bro, did you find any solution?

8

For others that end up here, the original poster’s configuration looks like it’s based on an old NGINX configuration from something like ~v14 of Nextcloud (versus v26 and soon to be v27 today).

If you’re going to use a web-app server that isn’t supported directly by the NC installer/updater process, that’s totally fine but you’re going to have to assume more responsibility yourself for monitoring that section of the documentation for changes.

In this case those parameters - but also others too that simply may not have turned out to be big enough issues to bother digging further into - have changed in the provided example NGINX configurations. The up-to-date doc can always be found here:

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

(or somewhere within the Admin Manual in any case - in the event things get re-organized)

Keep an eye on this document and carefully note any changes that aren’t reflected in your local configuration whenever you’re upgrading between major releases (probably fine between minor point releases).

Also cross-check before using any third-party documentation that tells you how to install or update NC with NGINX – they may be out of date!

The installer/updater automatically deploys these changes for Apache (at least if configured in the default way).

9

As a follow-up to myself (hah) if you’re looking for a shortcut to “see if anything has changed recently” with the NGINX sample configurations you can glance at these URLs:

And, to a lesser extent, this one:

The most important are probably either of the first two, but I’d check all three.

The provided links are the callouts of breaking made in a given release (that may indicate changes to recommended webserver configurations) and the the histories of commits (i.e. changes made) to the NGINX sample configurations embedded in the documentation. Just don’t update to a config past the version of NC you’re going to be using. :laughing:

10

@PratikPathak - Your configuration is completely different from the original poster’s (Apache versus NGINX) so the installer/update process for the htaccess is very different and the causes will be different.

You’ll need to provide more context on your configuration. Please do that in a separate thread - where your issue can be looked at in a thoughtful and dedicated manner by others - since both the cause and the resolution will be different.

11

This happened when I upgraded from 26 to 27 today. This ‘resolution’ is a top result in search engine and doesn’t help.

but I suppose better try than other threads ‘cache’ revelation /boggle.

edit3: I was wrong, your browser cache CAN and WILL keep you from fixing this issue, clear your browser’s data/cache for your site if you can when updating your config and restarting your web server.

Where is the ocm-provider suppose to be because my install has ocs-provider and doesn’t show a warning for that. Edit: Actually now it does

I followed the example nginx config for subdir install and that broke even more things. Back to original config and live with the warning for now I suppose.

12

I use Apache2 as my web server, and it has been fine until the update from 27.1.1 to 27.1.2. It appears that the file ocm-provider is no longer provided, I tried to copy a copy from 27.1.1 but that made no difference. From reading I think that it is something to do with .htaccess but I have NO CLUE what to change or add

My current .htaccess is

=============================



SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION


SetEnvIfNoCase Authorization “(.+)” HTTP_AUTHORIZATION=$1


SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION

# Add security and privacy related headers 
# Avoid doubled headers by unsetting headers in "onsuccess" table,
# then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"

Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"

Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "noindex, nofollow"

Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"

SetEnv modHeadersAvailable true

Add cache control for static resources

<FilesMatch “.(css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite)$”>
<If “%{QUERY_STRING} =~ /(^|&)v=/”>
Header set Cache-Control “max-age=15778463, immutable”


Header set Cache-Control “max-age=15778463”

Let browsers cache WOFF files for a week

<FilesMatch “.woff2?$”>
Header set Cache-Control “max-age=604800”



php_value mbstring.func_overload 0
php_value default_charset ‘UTF-8’
php_value output_buffering 0

SetEnv htaccessWorking true

AddType image/svg+xml svg svgz AddType application/wasm wasm AddEncoding gzip svgz # Serve ESM javascript files (.mjs) with correct mime type AddType text/javascript js mjs DirectoryIndex index.php index.html ModPagespeed Off RewriteEngine on RewriteCond %{HTTP_USER_AGENT} DavClnt RewriteRule ^$ /remote.php/webdav/ [L,R=302] RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L] RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L] RewriteRule ^remote/(.*) remote.php [QSA,L] RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L] RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L] RewriteRule ^ocm-provider/?$ /index.php [QSA,L] RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]

AddDefaultCharset utf-8
Options -Indexes

DO NOT CHANGE ANYTHING ABOVE THIS LINE

ErrorDocument 403 /nextcloud/index.php/error/403
ErrorDocument 404 /nextcloud/index.php/error/404

=====================

I suspect it is the rewrite rules I need to add/alter

PHP 8.1
Apapche2 2.4.52
Ubuntu 22.04

Any help gratefully received
Ta

14

@jtr
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
Yeah, I would but that sample for subdir has a handful of errors in it, e.g.
location /nextcloud {
try_files $uri $uri/ /nextcloud/index.php$request_uri;
}
fails with "nginx: [emerg] location “/nextcloud” is outside location “/nextcloud/”’

Should probably be:
location ~ /nextcloud {

15

I have the same problem on apache2 after updating nextcloud from 27.1.1 to 27.1.2, before that I never had this problem

16

@fuzunspm I’m having the same issue and opened a different thread:

[https://help.nextcloud.com/t/your-web-server-is-not-properly-set-up-to-resolve-ocm-provider-following-upgrade-to-27-1-2/]

17

I found out how to solve the problem on my installation.
I was missing the following in my Nextcloud .conf file for apache2:

  <Directory /var/www/html/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
1 Like
18

There is much chit-chat about this stuff in various nextcloud github issues related to upgrading to the latest 27.1.2 version. There seems to be a problem.

I’m running an apache server with nextcloud in a sub-directory. The fix in this comment solved the problem for me:

TL;DR - in the .htacces file found in your nextcloud root, drop the front slash of the index.php part of this line:

RewriteRule ^ocm-provider/?$ index.php [QSA,L]

I suspect you could also ignore the warning and it will be fixed in the next release of nextcloud.

19

Thank you… That worked for me

20

so i managed to fix this on my instance, going line by line and testing the “Nextcloud in a subdir of the NGINX webroot” sample (fixing errors from that sample as well) against my older install.
I did need to clear my browser cache as mentioned in another thread.
When I cleared cache in between each ‘test’ I was able to get the Nextcloud security check to pass successfully with:

oc[ms]-provider\/.+|.

and

location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
21

For me also the same issue at Nginx & php 8.2 fpm, i tried all versions here & in other threads, nothing works
All caches cleared also at server level with redis & Memcache - always the same errors

Hopefully not the next error with webfinger and nodeinfo which cannot be resolved

I also had the issue never before

1 Like