[HELP] Nextcloud wellknown settings #613
Comments
I need this too.
I don't have a Nextcloud instance in my homelab, but I think you can just leave all of those out and Zoraxy will just work. proxy_read_timeout and client_max_body_size are nginx settings that do not work in Zoraxy. Zoraxy does flow control by itself and you usually do not need to set up anything. For the locations, have you tried using "Virtual Directory" or the redirection function?
For me it is important that all errors are eliminated, as before with NPM; whether they affect the function or not does not matter. The well-known entries are also important for Nextcloud and bring additional security, because the cloud should also be made accessible from the internet. I have not yet tried Virtual Directory or similar with Zoraxy because we do not know how to configure it correctly there; example screenshots would be helpful. "Your web server is not properly configured to resolve
@Stoony1 As I mentioned, I don't have any Nextcloud instance running in my homelab. You'll have to wait for other Nextcloud users to help you with this. I will keep this open for now.
You already have a number of Nextcloud tickets, which would be beneficial for everyone. Can you set up a test instance of Nextcloud for testing purposes, or can we work with you to find a solution?
@tobychui There are a lot of users these days who have Nextcloud in their home labs, and not just us. Zoraxy is currently establishing itself in the market. Zoraxy is great, there's no question about it. Only when users who have Nextcloud ask themselves, "Should we switch and neglect well-known?" In most cases, the answer is no. I would like to use Zoraxy in my home lab because it's better than NPM in many ways, but security is also important to me for my applications. I and all other users would be very happy if you could work together to solve the problem with well-known. We already have the instance.
Hey @SnakeEater96 @Stoony1, why don't you guys just knock yourselves out and create a pull request to add NextCloud support? I mean, this is an open source project; you can feel free to change anything to fit your needs.
@tobychui We are hobbyists, not programmers, and have no knowledge of programming.
I know it's open source, the code is open, but I have no idea how to fix it. Please, can you take care of this problem?
@SnakeEater96 I see. No wonder you guys are asking for features so aggressively. I recommend you check out the license for this project; in section 15, it states that Generally speaking, open source doesn't mean free software with free support. You can either wait for someone to pick it up one day (which no one knows when this will happen) or you try to trace the code and add the feature you want. And since I don't use it, I do not have any incentive or interest to work on it. That is why I recommend you create a pull request to add a working prototype, and that will be the faster way to get what you want.
NPM uses NGINX as its backend, a COMPLETE WEBSERVER, but Zoraxy is only a reverse proxy and not a fully powered webserver. What you can do is run NGINX on your system via Docker or directly via the package manager and point Zoraxy to NGINX. I do it this way with Apache: Internet -> Zoraxy -> Apache -> Nextcloud. Works without issues. I can provide a working Apache conf:

```apache
# Needs mod_remoteip, mod_rewrite, mod_headers and mod_proxy_fcgi enabled.
<VirtualHost *:8032>
    ServerAdmin admin@mydomain.com
    DocumentRoot /var/www/html/nextcloud/
    ServerName cloud.domain.com
    Protocols h2 h2c http/1.1

    # Trust X-Forwarded-For only from Zoraxy on localhost, so the real client
    # address reaches Nextcloud (brute-force protection, logs) and cannot be
    # forged by a client that talks to port 8032 directly.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1
    # TLS is terminated by Zoraxy; tell PHP the original request was HTTPS.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

    <Directory /var/www/html/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /var/www/html/nextcloud
        SetEnv HTTP_HOME /var/www/html/nextcloud
        Satisfy Any
    </Directory>

    <FilesMatch \.php$>
        # For Apache version 2.4.10 and above, use SetHandler to run PHP as a FastCGI process server
        SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost"
    </FilesMatch>

    # The .well-known redirects that Nextcloud's setup check looks for.
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP_USER_AGENT} DavClnt
        RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        # These rules mirror Nextcloud's shipped .htaccess. In VirtualHost
        # context the pattern is matched against the full URL path, so the
        # leading "/" is required; without it the rules never match and only
        # the .htaccess copy (allowed by AllowOverride All) applies.
        RewriteRule ^/remote/(.*) /remote.php [QSA,L]
        RewriteRule ^/(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
        RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
        # Block dotfiles and internal scripts, but let /.well-known/* through
        # (webfinger, nodeinfo) since Nextcloud serves those itself.
        RewriteRule ^/(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
    </IfModule>

    # %a logs the client address as adjusted by mod_remoteip. The "proxy"
    # format must be defined before the CustomLog that references it.
    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log proxy
</VirtualHost>
```

In my case Zoraxy points to localhost:8032 and Apache takes care of the rest. The same goes for Nginx. Here is a modified example for Nextcloud from the docs. I removed SSL from it, since Zoraxy already takes care of it.

```nginx
upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php8.4-fpm.sock;
}

server {
    listen 8032;
    listen [::]:8032;
    server_name cloud.example.com;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/html/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    # Behind Zoraxy this server only speaks plain HTTP on 8032, so the upstream
    # docs' "$scheme://$host:$server_port/..." would send clients to
    # http://cloud.example.com:8032/remote.php/dav. Redirect to the public
    # HTTPS URL instead.
    location = /.well-known/carddav {
        return 301 https://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 https://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # TLS is terminated by Zoraxy; PHP must still see the request as HTTPS.
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
```

How to use this in Docker? Read the wiki example for Docmost. Change your domain name and the root path of Nextcloud if needed.
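The Apache config above trusts X-Forwarded-For only from 127.0.0.1 (RemoteIPInternalProxy), and the nginx equivalent is set_real_ip_from plus real_ip_header. The following is an added example, not code from Zoraxy, Nextcloud or anyone in this thread, that reproduces how such a backend derives the client address and why the trust list matters: a client that can reach port 8032 directly, or a backend that trusts every address, lets an attacker pick the IP that Nextcloud's brute-force protection and access log key on. All addresses and headers are constructed; the assumption that Zoraxy appends the connecting peer to X-Forwarded-For is the behaviour of Go's httputil.ReverseProxy, not something verified against Zoraxy here.

```python
"""
Added example (not Zoraxy/Nextcloud code): resolve the client IP from
X-Forwarded-For the way Apache mod_remoteip (RemoteIPHeader +
RemoteIPInternalProxy) and nginx realip (real_ip_header + set_real_ip_from +
real_ip_recursive) do. Addresses and headers below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, Optional


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address the application should treat as the client.

    * If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored.
    * Otherwise walk the header right-to-left, skipping trusted proxy
      addresses, and stop at the first address that is not a trusted proxy.
    * A malformed entry stops the walk so garbage never becomes "the client".
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    if not trusted(peer_ip) or not xff:
        return peer_ip

    client = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        client = hop
        if not trusted(hop):
            break
    return client


def demo() -> Dict[str, str]:
    """Scenarios for the Internet -> Zoraxy -> backend chain on one host.

    Assumption: Zoraxy listens on the public interface and appends the
    connecting peer to X-Forwarded-For; the backend trusts only 127.0.0.1,
    as in the Apache config above (RemoteIPInternalProxy 127.0.0.1).
    """
    only_zoraxy = ["127.0.0.1/32"]
    return {
        # Normal request via Zoraxy: backend sees the real client.
        "via_proxy": resolve_client_ip("127.0.0.1", "203.0.113.7", only_zoraxy),
        # Forged header sent through Zoraxy; Zoraxy appends the true peer and
        # the walk stops at that untrusted address, so the forgery is ignored.
        "forged_via_proxy": resolve_client_ip(
            "127.0.0.1", "10.0.0.1, 198.51.100.9", only_zoraxy),
        # Attacker reaches backend port 8032 directly: peer is not trusted,
        # the header is ignored and the real peer address wins.
        "direct_to_backend": resolve_client_ip(
            "198.51.100.9", "10.0.0.1", only_zoraxy),
        # Misconfiguration: trusting every address lets any client choose
        # the IP that Nextcloud sees.
        "trust_everyone": resolve_client_ip(
            "198.51.100.9", "10.0.0.1", ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:>18}: client seen as {ip}")
```

The practical check that follows from this: port 8032 on the backend must not be reachable from anything except Zoraxy (bind it to 127.0.0.1 or firewall it), and the trusted list must contain only Zoraxy's address. Nextcloud additionally needs the proxy listed in trusted_proxies in config.php before it will honour the forwarded address itself.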
We use Nextcloud in a VM in Proxmox, running with nginx.
What did you set as a custom header?
What happened?
I have integrated Nextcloud and can't find the entries to set the well-known entries, which are mandatory with Nextcloud.
Describe what have you tried
I tried to solve the problem with the header, but in vain; everything else works except well-known.
Additional context
Settings from NPM which have always worked for Nextcloud; under the new reverse proxy this urgently needs to be integrated, and yes, I know that Zoraxy is not NPM and acts completely differently from NPM.
```nginx
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# X-Forwarded-Host carries the requested host name, not the client address.
proxy_set_header X-Forwarded-Host $host;
# real_ip_header/real_ip_recursive only take effect together with
# set_real_ip_from <address of the proxy in front of NPM>; without it the
# header is ignored, which is the safe default when nothing sits in front.
real_ip_header X-Real-IP;
real_ip_recursive on;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;

# NPM terminates TLS itself, so $scheme is https here.
location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/host-meta {
    return 301 $scheme://$host/public.php?service=host-meta;
}
location /.well-known/host-meta.json {
    return 301 $scheme://$host/public.php?service=host-meta-json;
}
location /.well-known/webfinger {
    return 301 $scheme://$host/index.php/.well-known/webfinger;
}
location /.well-known/nodeinfo {
    return 301 $scheme://$host/index.php/.well-known/nodeinfo;
}
```
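Both the NPM snippet above and the Apache/nginx configs earlier in the thread exist to satisfy one thing: Nextcloud's setup check fetching each /.well-known path and expecting a redirect to the right place, which is what produces the "Your web server is not properly configured to resolve ..." warning. The following is an added example, not Nextcloud's or Zoraxy's own code, that reproduces that check offline against constructed responses and adds a small live probe you can point at your own hostname. The precise rules Nextcloud applies are approximated here (an assumption): a 301/302/307/308 whose Location resolves to the expected path on the same host over HTTPS. The host cloud.example.com and the sample responses are constructed; the caldav sample shows what the stock nginx "$scheme://$host:$server_port" template yields when the backend sits on plain HTTP behind Zoraxy.

```python
"""
Added example (not Nextcloud/Zoraxy code): validate the .well-known redirects
Nextcloud expects. Host name and sample responses are constructed.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Redirect targets Nextcloud expects; webfinger/nodeinfo only matter when
# apps that use them are installed.
EXPECTED: Dict[str, str] = {
    "/.well-known/carddav": "/remote.php/dav",
    "/.well-known/caldav": "/remote.php/dav",
    "/.well-known/webfinger": "/index.php/.well-known/webfinger",
    "/.well-known/nodeinfo": "/index.php/.well-known/nodeinfo",
}
REDIRECT_CODES = (301, 302, 307, 308)  # assumption: approximates Nextcloud's check


def check_redirect(path: str, status: int, location: Optional[str],
                   host: str = "cloud.example.com") -> Tuple[bool, List[str]]:
    """Validate one response to GET <path>. Returns (ok, problems)."""
    problems: List[str] = []
    if status not in REDIRECT_CODES:
        return False, [f"{path}: expected a redirect, got HTTP {status}"]
    if not location:
        return False, [f"{path}: redirect without Location header"]
    loc = urlsplit(location)
    if loc.scheme:  # absolute Location: scheme, host and port must be right
        if loc.scheme != "https":
            problems.append(f"{path}: downgrade, Location uses {loc.scheme}://")
        if loc.hostname != host:
            problems.append(f"{path}: Location points at {loc.hostname!r}, not {host!r}")
        if loc.port not in (None, 443):
            problems.append(f"{path}: backend port {loc.port} leaked into Location")
    # A relative Location resolves against the request URL, so only the path
    # needs checking; a trailing slash is tolerated.
    if loc.path.rstrip("/") != EXPECTED[path].rstrip("/"):
        problems.append(f"{path}: Location path {loc.path!r} is not {EXPECTED[path]!r}")
    return not problems, problems


def audit(responses: Dict[str, Tuple[int, Optional[str]]],
          host: str = "cloud.example.com") -> Dict[str, List[str]]:
    """Run check_redirect over {path: (status, location)}; failing paths only."""
    report: Dict[str, List[str]] = {}
    for path, (status, location) in responses.items():
        ok, problems = check_redirect(path, status, location, host)
        if not ok:
            report[path] = problems
    return report


def sample_responses() -> Dict[str, Tuple[int, Optional[str]]]:
    """Constructed responses, as a client would see them through Zoraxy."""
    return {
        # Correct: absolute HTTPS URL on the public host (Apache config above).
        "/.well-known/carddav": (301, "https://cloud.example.com/remote.php/dav/"),
        # Wrong: "return 301 $scheme://$host:$server_port/..." on a plain-HTTP
        # backend leaks http:// and the backend port 8032 to the client.
        "/.well-known/caldav": (301, "http://cloud.example.com:8032/remote.php/dav"),
        # A relative Location is fine.
        "/.well-known/webfinger": (301, "/index.php/.well-known/webfinger"),
        # No rule at all: the proxy passed the path through and got a 404.
        "/.well-known/nodeinfo": (404, None),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, path: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Live check, e.g. probe("https://cloud.example.com", "/.well-known/caldav")."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    for path, problems in audit(sample_responses()).items():
        for problem in problems:
            print("FAIL", problem)
```

To test a real deployment, run probe() for each key of EXPECTED from outside your network against the public name and feed the (status, Location) pairs to audit(); a redirect that lands on http://, on another host, or on the backend port means the proxy-facing config, not Nextcloud, is what needs changing.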