[Bug]: nginx configuration flags webfinger / nodeinfo issue #38035

Closed
6 of 9 tasks
monochromec opened this issue May 3, 2023 · 11 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug

Comments

@monochromec

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

The nginx configuration as documented in https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html causes NC (v25.0.6) to flag these issues. A 404 is returned properly, but instead of {"message":"webfinger not supported"} I'm getting

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

More than happy to provide more info as required.

Steps to reproduce

  1. Configure nginx per documentation
  2. curl -vL https:///.well-known/webfinger

Expected behavior

Expected {"message":"webfinger not supported"}

Installation method

Community Manual installation with Archive

Nextcloud Server version

25

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Nginx

Database engine version

SQLite

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 22.2.3 to 22.2.4)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
          "***REMOVED SENSITIVE VALUE***"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "sqlite3",
        "version": "25.0.6.1",
        "overwrite.cli.url": "http:\/\/localhost",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 1.5,
            "dbindex": 0
        },
        "loglevel": 0,
        "cron_log": true,
        "log_rotate_size": 524288000,
        "defaultapp": "files",
        "default_phone_region": "DE",
        "remember_login_cookie_lifetime": 1296000,
        "session_lifetime": 86400,
        "updatechecker": false,
        "logtimezone": "Europe\/Berlin",
        "logtype": "syslog",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "preview_max_x": 100,
        "preview_max_y": 100,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": ""
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - gpoddersync: 3.7.3
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.4
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - encryption
  - files_external
  - suspicious_login
  - twofactor_totp
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"Pwj86JbRSMX0zSXjm4Y4","level":0,"time":"2023-05-03T08:45:03+02:00","remoteAddr":"217.94.29.78","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/index.php/.well-known/webfinger","message":"2 well known handlers registered","userAgent":"curl/7.74.0","version":"25.0.6.1","data":[]}

Additional info

No response

@monochromec monochromec added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels May 3, 2023
@joshtrichards
Member

Are you running NC out of a subdirectory of your webroot (i.e. /nextcloud/)? If so, make sure you're using the second example configuration provided for nginx: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-the-nginx-webroot

@kesselb
Contributor

kesselb commented May 3, 2023

Thank you for taking the time to report a problem 👍

As this seems to be a setup issue I would like to ask you to raise your question at https://help.nextcloud.com

@kesselb kesselb closed this as completed May 3, 2023
@monochromec
Author

As this doesn't address the RC (incorrect content on the web site), I am going to open another issue so this can be addressed and tracked.

@kesselb
Contributor

kesselb commented May 4, 2023

"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
/nextcloud/index.php/.well-known/webfinger
"overwrite.cli.url": "http:\/\/localhost",

I assume you added trusted_proxies because you are using a reverse proxy.
The log record shows a URL with /nextcloud/.

Did you read https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html?

Likely Nextcloud does not know how to route your request due to the subdirectory.
Try overwritewebroot.

And the next time, go to https://help.nextcloud.com/.

@monochromec
Author

Unfortunately the link you referred to results in a "File not found" web page :-(

Perhaps another opportunity for optimising the website? :-)

And if the proxy setup was incorrect the instance would not be working in general.

Fun fact: Removing this from config.php doesn't make a difference. :-)

@joshtrichards
Member

@monochromec

  • You're running NC in subdirectory
  • You appear to be using a reverse proxy

One - and certainly both - of these scenarios means that the /.well-known/ handling is a little different.

If you have a reverse proxy in front then it is intercepting requests to anything /.well-known/ by definition.

If you're able to find where that 404 is being logged I suspect it'll lead you to the root cause of the matter.

Momentarily commenting out trusted_proxies in your NC config doesn't change that there is still a proxy in front of the connection path.

@monochromec
Author

The 404 comes back from the FPM invocation according to the rewrite debug logs. In contrast to this, the Apache invocation gives back "method not supported" (as it should), although the URL rewrites are equivalent:

return 301 /nextcloud/index.php$request_uri;(nginx)
Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger (Apache)

@ChrislyBear-GH

Same issue here: NC 27. Rewrite rules are working (i.e. redirecting to /index.php/.well-known/webfinger using a 301 response), but this URL only results in 404 with nginx.

@PolishTanker

PolishTanker commented Nov 23, 2023

I placed this here for future generations.
This will always work, even with custom pages and fastcgi_intercept_errors on; in nginx.

    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Answer nodeinfo and webfinger directly from nginx with a
        # static JSON 404.
        location /.well-known/nodeinfo {
            default_type application/json;
            add_header x-nextcloud-well-known 1 always;
            return 404 '{"message": "nodeinfo not supported"}';
        }

        location /.well-known/webfinger {
            default_type application/json;
            add_header x-nextcloud-well-known 1 always;
            return 404 '{"message": "webfinger not supported"}';
        }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        # This applies only when none of the nested locations above match.
        return 301 /index.php$request_uri;
    }

@monochromec
Author

What about updating the main documentation (although community-maintained)?

@kellogcheung

@PolishTanker
I was running my instance of Nginx (npm) at a port other than 80/443 with my router set to port forward request to the correct port (i.e. 8443). The rewrite rules somehow rewrote the request to the forwarded port (i.e. https://webpage:8443/remote.php), which obviously would not work for my case.
I rewrote lines 5-6 of your config to this and it finally worked for me now.

        location = /.well-known/carddav { 
               return 301 https://$host/remote.php/dav; 
        }
        location = /.well-known/caldav  { 
               return 301 https://$host/remote.php/dav; 
        }
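
An added example, not part of the thread and not Nextcloud's own tooling: a shell check for the two symptoms discussed above, nginx's HTML error page replacing the expected JSON 404, and a redirect whose Location leaks an internal port such as 8443. The function names and the host `cloud.example.com` are hypothetical; `probe` needs curl and network access.

```bash
# Added example (not from the thread). Function names are hypothetical.
# Classify the final response to a /.well-known/{webfinger,nodeinfo} probe.
# Args: HTTP status, Content-Type header value, response body.
classify_wellknown() {
    local code="$1" ctype="$2" body="$3"
    local re='"message"[[:space:]]*:[[:space:]]*"(webfinger|nodeinfo) not supported"'
    case "$ctype" in
        application/json*)
            if printf '%s' "$body" | grep -Eq "$re"; then
                echo "expected-json-$code"
            else
                echo "other-json-$code"
            fi
            return 0 ;;
    esac
    # nginx's built-in error page ends with <center>nginx</center> (or nginx/<version>)
    if printf '%s' "$body" | grep -q '<center>nginx'; then
        echo "nginx-error-page-$code"
    else
        echo "unknown-$code"
    fi
}

# Succeeds when a redirect's Location uses the public port (or is relative).
# Args: Location header value, port that clients actually connect to.
redirect_port_ok() {
    local location="$1" public_port="$2" hostport port
    case "$location" in
        /*)        return 0 ;;
        https://*) hostport="${location#https://}"; port=443 ;;
        http://*)  hostport="${location#http://}";  port=80 ;;
        *)         return 1 ;;
    esac
    hostport="${hostport%%/*}"
    case "$hostport" in
        *\]) ;;                              # bracketed IPv6 literal, no port
        *:*) port="${hostport##*:}" ;;       # explicit port in the URL
    esac
    [ "$port" = "$public_port" ]
}

# Live check (needs curl and network): probe https://cloud.example.com webfinger
probe() {
    local tmp out
    tmp=$(mktemp) || return 2
    out=$(curl -sSL -o "$tmp" -w '%{http_code} %{content_type}' "$1/.well-known/$2") || { rm -f "$tmp"; return 2; }
    classify_wellknown "${out%% *}" "${out#* }" "$(cat "$tmp")"
    rm -f "$tmp"
}
```

When a relative `return 301 /path;` produces a Location with the listen port in it, nginx's `port_in_redirect off;` or `absolute_redirect off;` are alternatives to hardcoding `https://$host`.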
