[NC 21 RC1] No info about webfinger and nodeinfo settings #6157

Closed
tflidd opened this issue Feb 9, 2021 · 56 comments · Fixed by #7799

Comments

@tflidd
Contributor

tflidd commented Feb 9, 2021

On the settings, I get these warnings:
[screenshot of the warnings]

The given link redirects me to https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery, however there is only information about .well-known/carddav and .well-known/caldav, nothing about webfinger and nodeinfo.

Since I am using nginx, I was also checking the example config: https://docs.nextcloud.com/server/21/admin_manual/installation/nginx.html?highlight=nginx But there is nothing about webfinger and nodeinfo at first sight. However, there were some changes: https://github.com/nextcloud/documentation/pull/5825/files

I suggest changing the landing page to mention that webfinger/nodeinfo are generally handled by an updated .htaccess and that nginx users might check their configuration.

NC version: NC21 RC1
webserver: nginx

@tflidd tflidd added this to the Nextcloud 21 milestone Feb 9, 2021
@tiiiecherle

I stumbled across the same problem after upgrading to NC21 using nginx.
I solved it by adding this to the nginx config:

        location /.well-known {       
            location = /.well-known/carddav   { return 301 /nextcloud/remote.php/dav/; }
            location = /.well-known/caldav    { return 301 /nextcloud/remote.php/dav/; }
            
            # according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
            location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
            location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }
            
            # anything else is dynamically handled by Nextcloud
            location ^~ /.well-known          { return 301 /nextcloud/index.php$uri; }
    
            try_files $uri $uri/ =404;
        }

@rullzer rullzer modified the milestones: Nextcloud 21, Nextcloud 22 Mar 1, 2021
@Lawkss

Lawkss commented Mar 3, 2021

I had the same problem on apache. I had to add these lines to htaccess to make the warnings go away:

RewriteRule ^.well-known/webfinger /YOURSUBFOLDER/index.php/.well-known/webfinger [R=301,L]
RewriteRule ^.well-known/nodeinfo /YOURSUBFOLDER/index.php/.well-known/nodeinfo [R=301,L]

The documentation only mentions carddav and caldav but not webfinger and nodeinfo.

I don't know if this is the correct method. webfinger and nodeinfo are not in the standard htaccess anymore that ships with NC21, however the error is still produced by the automatic checks and the link to the documentation does not mention them.

@DerVerruckteFuchs

I use the Truenas Nextcloud plugin. I have it sitting behind an nginx reverse-proxy. I tried changing the nginx config for the plugin/Freebsd Jail, but that did not work. I tweaked the Nextcloud config on my nginx reverse-proxy and that got rid of the warning messages. I added these two lines:

rewrite ^/.well-known/webfinger /index.php$uri redirect;
rewrite ^/.well-known/nodeinfo /index.php$uri redirect;

Hopefully this helps anyone else using a reverse-proxy. The default nginx config included with the Truenas plugin is just fine, all I needed to really change was server_name and enable IPv6 since I have a dual-stack setup.

@sunjam

sunjam commented Mar 6, 2021

Are you running Social? See these two open issues for possible context:

using Webfinger
nextcloud/social#1016

Nodeinfo
nextcloud/social#183

@Kixunil

Kixunil commented Mar 11, 2021

I wonder in which cases webfinger and nodeinfo are even required. It looks like they are only used by certain apps, so if these apps aren't installed, then not having them configured is fine? (Maybe also caldav only if calendar is installed and carddav if contacts are?)

I'm also concerned about it maybe leaking privacy. Can anyone explain if there are any privacy/security consequences to having them enabled all the time?

@DerVerruckteFuchs

Are you running Social? See these two open issues for possible context:

using Webfinger
nextcloud/social#1016

Nodeinfo
nextcloud/social#183

I'm not running Social. There could be the possibility of some other app(s) using webfinger and/or nodeinfo though.

@dysonsphere-startmail

I stumbled across the same problem after upgrading to NC21 using nginx.
I solved it by adding this to the nginx config:

        location /.well-known {       
            location = /.well-known/carddav   { return 301 /nextcloud/remote.php/dav/; }
            location = /.well-known/caldav    { return 301 /nextcloud/remote.php/dav/; }
            
            # according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
            location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
            location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }
            
            # anything else is dynamically handled by Nextcloud
            location ^~ /.well-known          { return 301 /nextcloud/index.php$uri; }
    
            try_files $uri $uri/ =404;
        }

This did not get rid of the warnings for my instance.
Nextcloud upgrade from 20.0.8 to 21.0.1, nginx/1.18.0 (Ubuntu), Social app not installed

@chrissi55

chrissi55 commented Apr 9, 2021

Same here, I also can't get rid of these two warnings.
Coming from NC 20.0.8, I thought I could update to 20.0.9 -> instead the updater pushed me to 21.0.1 directly.
So my config at the moment is nginx 1.19, postgresql 13.2, php 8.0.3, ubuntu 20.04.2

my config looks like

location ^~ /.well-known {
location = /.well-known/carddav     { return 301 /remote.php/dav/; }
location = /.well-known/caldav      { return 301 /remote.php/dav/; }
# according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
location = /.well-known/webfinger   { return 301 /index.php$uri; }
location = /.well-known/nodeinfo   { return 301 /index.php$uri; }
location ^~ /.well-known            { return 301 /index.php/$uri; }
try_files $uri $uri/ =404;
}

In my case the Social app is also NOT installed.

But I use a reverse proxy (nginx 1.18) and here my config is

	server_name my.server.name;

	set $upstream LOCAL-IP-OF-NC-SERVER:443;

 
location / {
	proxy_pass https://$upstream;
	proxy_pass_request_headers on;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-Protocol $scheme;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header X-Forwarded-Port $server_port;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	### Set hash values
	proxy_headers_hash_max_size 512;
	proxy_headers_hash_bucket_size 128;
	proxy_buffering off;
	client_max_body_size 0;
	proxy_connect_timeout 10400;
	proxy_send_timeout 10400;
	proxy_read_timeout 10400;
	proxy_redirect off;
	proxy_ssl_session_reuse on;

	rewrite ^/.well-known/webfinger /index.php$uri redirect;
	rewrite ^/.well-known/nodeinfo /index.php$uri redirect;
	}
}

the two lines from above

Nevertheless, all this does not solve my problem.

@dysonsphere-startmail

dysonsphere-startmail commented Apr 9, 2021

I noticed that I had the following in my nextcloud.conf:

location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

I modified it to:

location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
  location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

 location = /.well-known/webfinger {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/nodeinfo {
        return 301 $scheme://$host/remote.php/dav;
    }
    location ~ /.well-known/acme-challenge {
      allow all;
    }

I thought it might work, but no dice.

@zeus86

zeus86 commented Apr 9, 2021

I stumbled into the same problem after upgrading to NC21. I don't use the social app, but I want to get rid of the error messages.
In the documentation available under https://docs.nextcloud.com/server/21/Nextcloud_Server_Administration_Manual.pdf
(or just https://docs.nextcloud.com/server/21/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=proxy#haproxy ) there are sample configs for various proxy settings listed. While the older methods for caldav and carddav work fine, there is no mention of webfinger and nodeinfo and how to configure them in traefik or haproxy (which is what I use). The HAProxy settings should also contain a word about configuring this inside of pfsense, because many people are using this setup.

@chrissi55

So sorry, I have to correct my post above...

The settings for nginx (Nextcloud) and nginx (reverse proxy) seem to be correct. After having the same messages on one PC with the Chromium browser, I switched to a tablet device et voilà, no messages any longer.

So I cleared the whole browser cache and restarted my Chromium - same here - a white tag on a green spot appears :-)

Thanks for the help above.

@obakuhl

obakuhl commented Apr 10, 2021

I had to add the lines mentioned by @DerVerruckteFuchs in my ReverseProxy configuration after the carddav and caldav entries. Now the messages no longer appear. Thanks 😁

    location /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
    }

    rewrite ^/.well-known/webfinger /index.php$uri redirect;
    rewrite ^/.well-known/nodeinfo /index.php$uri redirect;

@digitalcircuit

Very minor optimization of @obakuhl's post - you don't need to use regular expressions or rewrite rules, just copying the location blocks works too:

	# Nextcloud 20.x configuration
	location = /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
	}

	# Adjusted to handle webfinger/nodeinfo
	location = /.well-known/webfinger {
		return 301 $scheme://$host/index.php$uri;
	}
	location = /.well-known/nodeinfo {
		return 301 $scheme://$host/index.php$uri;     
	}

@dysonsphere-startmail

Very minor optimization of @obakuhl's post - you don't need to use regular expressions or rewrite rules, just copying the location blocks works too:

	# Nextcloud 20.x configuration
	location = /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
	}

	# Adjusted to handle webfinger/nodeinfo
	location = /.well-known/webfinger {
		return 301 $scheme://$host/index.php$uri;
	}
	location = /.well-known/nodeinfo {
		return 301 $scheme://$host/index.php$uri;     
	}

I edited my nextcloud.conf file with the above blocks, restarted nginx, cleared browser cache, and restarted browser, but still get the webfinger and nodeinfo warnings.

@chrissi55

I edited my nextcloud.conf file with the above blocks, restarted nginx, cleared browser cache, and restarted browser, but still get the webfinger and nodeinfo warnings.

Are you referring to the nextcloud.conf file on the nextcloud server or the reverse proxy server?

I ask, because the two settings

location = /.well-known/webfinger {
		return 301 $scheme://$host/index.php$uri;
	}
	location = /.well-known/nodeinfo {
		return 301 $scheme://$host/index.php$uri;     
	}

are set on my proxy server.

these two lines are set in my "nextcloud.conf" on my nextcloud server

location = /.well-known/webfinger   { return 301 /index.php$uri; }
location = /.well-known/nodeinfo   { return 301 /index.php$uri; }

otherwise you can try to set this into your .htaccess file in /var/www/nextcloud (if this is your nc root)

RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]

@dysonsphere-startmail

I edited my nextcloud.conf file with the above blocks, restarted nginx, cleared browser cache, and restarted browser, but still get the webfinger and nodeinfo warnings.

Are you referring to the nextcloud.conf file on the nextcloud server or the reverse proxy server?

I ask, because the two settings

location = /.well-known/webfinger {
		return 301 $scheme://$host/index.php$uri;
	}
	location = /.well-known/nodeinfo {
		return 301 $scheme://$host/index.php$uri;     
	}

are set on my proxy server.

these two lines are set in my "nextcloud.conf" on my nextcloud server

location = /.well-known/webfinger   { return 301 /index.php$uri; }
location = /.well-known/nodeinfo   { return 301 /index.php$uri; }

otherwise you can try to set this into your .htaccess file in /var/www/nextcloud (if this is your nc root)

RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]

Ok, fair enough. I don't have a reverse proxy so I set my nextcloud.conf as you showed above, but no dice. Then I added the rewrite rules to my .htaccess and again no dice.
Here are the files in question, in case I am missing something totally obvious (a likely scenario):
.htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //
RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]

nextcloud.conf:

server {
    server_name xxxxxx;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    #I found this header is needed on Ubuntu, but not on Arch Linux. 
    add_header X-Frame-Options "SAMEORIGIN";

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    access_log /var/log/nginx/nextcloud.access;
    error_log /var/log/nginx/nextcloud.error;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    # rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    #  last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }
    location ~ /.well-known/acme-challenge {
      allow all;
    }
    

    # Adjusted to handle webfinger/nodeinfo
    location = /.well-known/webfinger   { return 301 /index.php$uri; }
    location = /.well-known/nodeinfo   { return 301 /index.php$uri; }

    # set max upload size
    client_max_body_size 16G;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }
            
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }


    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xxxxx/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xxxxxxx/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_trusted_certificate /etc/letsencrypt/live/xxxxxxxchain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}
server {
    if ($host = xxxxxx) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name xxxxxxxx;
    listen 80;
    return 404; # managed by Certbot


}

@chrissi55

chrissi55 commented Apr 12, 2021

At first set this block

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

into this

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

and delete the two appended lines at the end

@dysonsphere-startmail

At first set this block

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

into this

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

and delete the two appended lines at the end

Unfortunately this did not work either.
I also, then went back to set my nextcloud.conf back to the original, and still no dice.
Thanks for your help. I will continue to dig further, let me know of any other possible suggestions if you can.

@digitalcircuit

Unfortunately this did not work either.
I also, then went back to set my nextcloud.conf back to the original, and still no dice.
Thanks for your help. I will continue to dig further, let me know of any other possible suggestions if you can.

I think you need to set the webfinger and nodeinfo rewrites to point to a different backend, which tripped me up at first:

-  RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
-  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
+  RewriteRule ^\.well-known/webfinger /index.php [R=301,L]
+  RewriteRule ^\.well-known/nodeinfo /index.php [R=301,L]
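Review bot: In the two added lines the substitution is bare `/index.php` combined with `[R=301,L]`, so the external redirect drops the matched `.well-known/...` path and the client is sent to `/index.php` itself. Either keep the path in the target, as the earlier Apache rules in this thread do (`/YOURSUBFOLDER/index.php/.well-known/webfinger`), or drop `R=301` so the rule becomes an internal rewrite like the stock `RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]` line, which leaves the original request URI in place for Nextcloud to route.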

(The above is a guess as I'm not using Apache - I'm not sure if something special needs done for passing $uri to the end of index.php, or if that's handled by it being an Apache rewrite directive.)

@dysonsphere-startmail

Unfortunately this did not work either.
I also, then went back to set my nextcloud.conf back to the original, and still no dice.
Thanks for your help. I will continue to dig further, let me know of any other possible suggestions if you can.

I think you need to set the webfinger and nodeinfo rewrites to point to a different backend, which tripped me up at first:

-  RewriteRule ^\.well-known/webfinger /remote.php/dav/ [R=301,L]
-  RewriteRule ^\.well-known/nodeinfo /remote.php/dav/ [R=301,L]
+  RewriteRule ^\.well-known/webfinger /index.php [R=301,L]
+  RewriteRule ^\.well-known/nodeinfo /index.php [R=301,L]

(The above is a guess as I'm not using Apache - I'm not sure if something special needs done for passing $uri to the end of index.php, or if that's handled by it being an Apache rewrite directive.)

I am using nginx. So right there was my mistake. Just found out that nginx doesn't even use the .htaccess file. So back at square one?

@mddvul22

If the webfinger and nodeinfo well-known urls are only used by the social app, then the Security and setup warnings section should not warn the admin that they don't exist if the social app is not enabled.

@dysonsphere-startmail

If the webfinger and nodeinfo well-known urls are only used by the social app, then the Security and setup warnings section should not warn the admin that they don't exist if the social app is not enabled.

If it is true that they are only used by the social app, then for sure that should be the case. I for sure do not even have the social app installed, and still get these messages. I did have it installed at one point, though. Maybe there is something that needs to be purged from the server?

@mddvul22

I have never had the social app installed, and am getting the warning.

@Kixunil

Kixunil commented Apr 15, 2021

Same as @mddvul22 here

@Taxick

Taxick commented Apr 20, 2021

Hi 🙂

First, I will say thanks for the "nextcloud" script - it's a very good script, I use it a lot

I also have the same problem as many others have!

I get this warning in my control panel!

[screenshot: error]

I have tried to fix the problem as suggested in the post #6157 (comment) - No Luck :(

You can see my nextcloud config here: https://pastebin.com/6JpqwGc0

I use:

Nextcloud: 21.0.1
PHP 7.4.3
Ubuntu 20.04
I have used this guide to install NextCloud -> LINK

Please help.

Regards

Thomas

@Fiodin

Fiodin commented Apr 28, 2021

The error comes from an old entry in the NGINX configuration with handling error-pages.

You just have to erase or uncomment these two lines and the error disappears:

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

No more else is to do!

I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.

@jonathanmmm

So sorry, I have to correct my post above...

The settings for nginx (Nextcloud) and nginx (reverse proxy) seem to be correct. After having the same messages on one PC with the Chromium browser, I switched to a tablet device et voilà, no messages any longer.

So I cleared the whole browser cache and restarted my Chromium - same here - a white tag on a green spot appears :-)

Thanks for the help above.

Same here, had to include it on the reverse proxy. And using Ctrl+Shift+I or right-click Inspect, going to Network, disabling the cache and reloading, they are gone. So it seems the check website doesn't delete the cache when reloading. A forced cache reload should be triggered, or an info and a small guide, like the one I gave, should be given.
Otherwise people will keep changing settings without noticing they may have fixed it at some point, because of caching.

@stephang
Contributor

My apologies for spamming this issue with the same commit. Tried to conform to the contribution guidelines, so hopefully the resulting PR is more or less fine.

ynott added a commit to ynott/nextcloud-documentation that referenced this issue Sep 13, 2021
…n a root and a subdirectory. This fixes nextcloud#6157.

Your web server is not properly set up to resolve “/.well-known/webfinger”...
Your web server is not properly set up to resolve “/.well-known/nodeinfo”...
@k3a

k3a commented Oct 26, 2021

Suggested Nginx default configuration seems to be the culprit!

It says:

fastcgi_intercept_errors on;

That causes Nginx to intercept HTTP error codes returned by the PHP script with the configured error page or nginx default error pages. See the documentation.

Normally /.well-known/nodeinfo in NextCloud is supposed to return HTTP 404 with {"message":"nodeinfo not supported"} JSON. If you have fastcgi_intercept_errors on, default Nginx not found page (or configured custom error page) will be returned for any 404 code, causing this error message to be printed in the Administration/Settings.

So to fix this, just set it to off:

fastcgi_intercept_errors off;

Changing redirects to 301 and even redirecting these requests to remote.php/dav to "fix" this are IMO all wrong.
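The failure k3a describes can be told apart from a missing or mis-targeted redirect by looking at every hop of the response instead of at the warning alone. The Python code below is an added example, not part of this thread or of Nextcloud's own setup check; the outcome labels, the host `cloud.example.test` and the sample responses are constructed, and treating a 200 with a JSON body as healthy is an assumption beyond the 404 JSON response quoted above.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make every 3xx visible instead of following it


def fetch_chain(url, max_hops=5):
    """Live probe: request url and follow redirects by hand, one dict per hop."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=10)
        except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx arrive here
            resp = err
        hop = {"url": url, "status": resp.code,
               "location": resp.headers.get("Location"), "body": resp.read()}
        chain.append(hop)
        if hop["status"] not in REDIRECTS or not hop["location"]:
            break
        url = urljoin(url, hop["location"])
    return chain


def _is_json_object(body):
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:  # also covers undecodable bytes
        return False


def classify(chain, name):
    """Diagnose a hop chain for /.well-known/<name> (name: webfinger or nodeinfo)."""
    wanted = "/index.php/.well-known/" + name
    for hop in chain[:-1]:
        if not urlsplit(hop["location"]).path.endswith(wanted):
            return "wrong-target"      # e.g. redirected to /remote.php/dav
    final = chain[-1]
    if final["status"] in REDIRECTS:
        return "redirect-loop"         # still redirecting at the hop limit
    if final["status"] in (200, 404) and _is_json_object(final["body"]):
        return "ok"                    # Nextcloud itself answered
    if urlsplit(final["url"]).path.endswith(wanted):
        return "error-page-replaced"   # routed correctly, body swapped by the web server
    return "unhandled"                 # no rule sent the request to index.php


# Constructed sample responses (not captured from a real server).
BASE = "https://cloud.example.test"
HTML_404 = b"<html><head><title>404 Not Found</title></head><body>nginx</body></html>"
JSON_404 = b'{"message":"nodeinfo not supported"}'


def _chain(location, final_status, final_body):
    first = {"url": BASE + "/.well-known/nodeinfo", "status": 301,
             "location": location, "body": b""}
    last = {"url": urljoin(first["url"], location), "status": final_status,
            "location": None, "body": final_body}
    return [first, last]


SAMPLES = {
    "healthy": _chain("/index.php/.well-known/nodeinfo", 404, JSON_404),
    "intercepted": _chain("/index.php/.well-known/nodeinfo", 404, HTML_404),
    "dav": _chain(BASE + "/remote.php/dav", 401, b""),
    "no_rule": [{"url": BASE + "/.well-known/nodeinfo", "status": 404,
                 "location": None, "body": HTML_404}],
}

if __name__ == "__main__":
    for label, chain in SAMPLES.items():
        print(label, "->", classify(chain, "nodeinfo"))
```

Against a live instance, pass the result of `fetch_chain("https://<your host>/.well-known/nodeinfo")` to `classify`; because the probe runs outside the browser, the cached responses that earlier comments ran into cannot mask a configuration that is already fixed.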

@jkroepke

on nginx, define

fastcgi_intercept_errors off;

and

            location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
            location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }

fix all the warnings.

@dysonsphere-startmail

on nginx, define

fastcgi_intercept_errors off;

and

            location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
            location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }

fix all the warnings.

This worked for me.
Thanks @jkroepke !

@blizzz blizzz modified the milestones: Nextcloud 23, Nextcloud 23.0.1 Nov 30, 2021
@hansaya

hansaya commented Dec 6, 2021

If you are using haproxy you can use this config to make the warnings disappear. Hopefully this will help someone.

	acl			url_red_dav	var(txn.txnpath) -m str -i /.well-known/caldav
	acl			url_red_dav	var(txn.txnpath) -m str -i /.well-known/carddav
	acl			url_red_inf	var(txn.txnpath) -m str -i /.well-known/webfinger
	acl			url_red_inf	var(txn.txnpath) -m str -i /.well-known/nodeinfo
	http-request redirect code 301 location /remote.php/dav/  if  url_red_dav 
	http-request redirect code 301 location /index.php%[capture.req.uri]  if  url_red_inf 

nickvergessen pushed a commit that referenced this issue Dec 8, 2021
Add Apache rewrite rules for webfinger and nodeinfo in case NC is installed in a subdirectory. This fixes #6157.

Signed-off-by: stephang <288494+stephang@users.noreply.github.com>
backportbot-nextcloud bot pushed a commit that referenced this issue Dec 8, 2021
Add Apache rewrite rules for webfinger and nodeinfo in case NC is installed in a subdirectory. This fixes #6157.

Signed-off-by: stephang <288494+stephang@users.noreply.github.com>
@DonPicciotto

The Error comes from an old entry in the NGINX configuration with handling error-pages.

You just have to erase or uncomment these two lines and the error disappears:

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

No more else is to do!

I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.

After 2 hours, finally! Thanks!

@zeus86

zeus86 commented Dec 8, 2021

> The Error comes from an old entry in the NGINX configuration with handling error-pages.
> You just have to erase or uncomment these two lines and the error disappears:
>
> error_page 403 /core/templates/403.php;
> error_page 404 /core/templates/404.php;
>
> No more else is to do!
> I'm using NGINX directly, so I can't say if these lines exist in the configuration for reverse proxy.
>
> After 2 hours, finally! Thanks!

Awesome, this finally was the missing clue, works with nginx+haproxy on pfsense, thank you very much!

@shelterx

Old issue but the haproxy configuration really needs to go into the documentation, it does mention caldav and carddav. But it still doesn't mention webfinger or nodeinfo.

I used a slightly less complex approach than the one that was posted here, here's what I did:

    # needed for nextcloud
    acl url_discovery path /.well-known/caldav /.well-known/carddav
    http-request redirect location /remote.php/dav/ code 301 if url_discovery
    acl url_discovery_finger_node path /.well-known/webfinger /.well-known/nodeinfo
    http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_finger_node

@elgorro

elgorro commented Feb 15, 2022

I've added a PR #8007 for webfinger and nodeinfo.

@fischer-felix

For me, using $scheme://$host/index.php$uri fixed the error messages for both webfinger and nodeinfo, however neither this, nor setting fastcgi_intercept_errors off helped.
I ended up just giving it the absolute URL (I know, I also don't like it), i.e.
location = /.well-known/carddav { return 301 https://nc.example.com/remote.php/dav; } and the same for caldav.

Just thought I'd share this in case it helps anyone or anyone knows a better solution.

@elgorro

elgorro commented Jul 18, 2022

@fischer-felix Just dropping code-parts in such cases makes no sense. Have you checked if your root and server_name are set and correct? Nor there is no reason allowing Error 300...
Glad you've found a workaround - just hard-coding isn't helpful in any cases!

@tomsrobots

> Old issue but the haproxy configuration really needs to go into the documentation, it does mention caldav and carddav. But it still doesn't mention webfinger or nodeinfo.
>
> I used a slightly less complex approach than the one that was posted here, here's what I did:
>
>     # needed for nextcloud
>     acl url_discovery path /.well-known/caldav /.well-known/carddav
>     http-request redirect location /remote.php/dav/ code 301 if url_discovery
>     acl url_discovery_finger_node path /.well-known/webfinger /.well-known/nodeinfo
>     http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_finger_node

I have been trying to resolve this issue with HAProxy where I can't get DAVx to connect. I have tried putting these lines in both the backend and frontend for http and https. Am I doing something wrong?

@kashyn89

kashyn89 commented Mar 1, 2023

> on nginx, define
>
> fastcgi_intercept_errors off;
>
> and
>
>             location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
>             location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }
>
> fix all the warnings.

This one worked fine for me.

NC in Docker with selfbuild reverse nginx and nginx proxy manager.

@tiiiecherle

This issue is back for me after upgrading to nextcloud 29.0.1 using nginx.

If I comment out

#error_page 404 /errors/404.html;

then I get a warning about caldav

Your web server is not properly set up to resolve .well-known URLs, failed on: /.well-known/caldav For more details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-setup-well-known-URL).

and if I uncomment

error_page 404 /errors/404.html;

I get the warning about webfinger

Your web server is not properly set up to resolve .well-known URLs, failed on: /.well-known/webfinger For more details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-setup-well-known-URL).

None of the solutions above helped. I did not change anything else in the config. It just occurred after the update to 29.0.1.

Is anyone having a solution?

Thanks

@tiiiecherle

tiiiecherle commented Jun 2, 2024

After doing some research it turns out this can have multiple issues. Mine (nginx and nextcloud in subdirectory) was solved doing these steps:

  1. Applying patch from here:
    [Bug]: NC29 .well-known URLs, failed on: /.well-known/caldav server#45033 (comment)

/usr/share/webapps/nextcloud/apps/settings/lib/SetupChecks/CheckServerResponseTrait.php

add as new line 65

$hosts[] = rtrim(str_replace($this->urlGenerator->getWebroot(), '', $cliUrl), '/');

  2. add the public url where nextcloud is reachable because some checks need this, e.g. if caldav or carddav would be used they would be used with the public url

/usr/share/webapps/nextcloud/config/config.php

'overwrite.cli.url' => 'https://full_external_domain.xyz/nextcloud_if_subfolder',

  3. update nextcloud nginx config according to the documentation including the trailing slashes after /dav/

location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }
