[Bug]: nginx configuration flags webfinger / nodeinfo issue

[monochromec]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

The nginx configuration as documented in https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html causes NC (v25.0.6) to flag these issues. A 404 is returned proper but instead of {"message":"webfinger not supported"} I'm getting

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

More than happy to provide more info as required.

Steps to reproduce

1. Configure nginx per documentation
2. curl -vL https:///.well-known/webfinger

Expected behavior

Expected {"message":"webfinger not supported"}

Installation method

Community Manual installation with Archive

Nextcloud Server version

25

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Nginx

Database engine version

SQlite

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 22.2.3 to 22.2.4)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
          "***REMOVED SENSITIVE VALUE***"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "sqlite3",
        "version": "25.0.6.1",
        "overwrite.cli.url": "http:\/\/localhost",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 1.5,
            "dbindex": 0
        },
        "loglevel": 0,
        "cron_log": true,
        "log_rotate_size": 524288000,
        "defaultapp": "files",
        "default_phone_region": "DE",
        "remember_login_cookie_lifetime": 1296000,
        "session_lifetime": 86400,
        "updatechecker": false,
        "logtimezone": "Europe\/Berlin",
        "logtype": "syslog",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "preview_max_x": 100,
        "preview_max_y": 100,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": ""
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - gpoddersync: 3.7.3
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.4
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - encryption
  - files_external
  - suspicious_login
  - twofactor_totp
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"Pwj86JbRSMX0zSXjm4Y4","level":0,"time":"2023-05-03T08:45:03+02:00","remoteAddr":"217.94.29.78","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/index.php/.well-known/webfin
ger","message":"2 well known handlers registered","userAgent":"curl/7.74.0","version":"25.0.6.1","data":[]}

Additional info

No response

[joshtrichards]

Are you running NC out of a subdirectory of your webroot (i.e. /nextcloud/)? If so, make sure you're using the second example configuration provided for nginx: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-the-nginx-webroot

[kesselb]

Thank you for taking the time to report a problem 👍

As this seems to be a setup issue I would like to ask you to raise your question at https://help.nextcloud.com

[monochromec]

As this doesn't address the RC (incorrect content on the web site), I am going to open another issue so this can be addressed and tracked.

[kesselb]

"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
/nextcloud/index.php/.well-known/webfinger
"overwrite.cli.url": "http:\/\/localhost",

I assume you added trusted_proxies because you are using a reverse proxy.
The log record shows an url with /nextcloud/.

Did you read https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html?

Likely Nextcloud does not know how to route your request due the subdirectory.
Try overwritewebroot.

And the next time, go to https://help.nextcloud.com/.

[monochromec]

Unfortunately the link you referred to results in a "File not found" web page :-(

Perhaps another opportunity for optimising the website? :-)

And if the proxy setup was incorrect the instance would not be working in general.

Fun fact: Removing this from config.php doesn't make a difference. :-)

[joshtrichards]

@monochromec

• You're running NC in subdirectory
• You appear to be using a reverse proxy

One - and certainly both - of these scenarios means that the /.well-known/ handling is a little different.

If you have a reverse proxy in front then it is intercepting requests to anything /.well-known/ by definition.

If you're able to find where that 404 is being logged I suspect it'll lead you to the root cause of the matter.

Momentarily commenting out trusted_proxies in your NC config doesn't change that there is still a proxy in front of the connection path.

[monochromec]

The 404 comes back from the FPM invocation according to the rewrite debug logs. In contrast to this, the Apache invocation gives back "method not supported" (as it should), although the URL rewrites are equivalent:

return 301 /nextcloud/index.php$request_uri;(nginx)
Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger (Apache)

[ChrislyBear-GH]

Same issue here: NC 27. Rewrite rules are working (i.e. redirecting to /index.php/.well-known/webfinger using a 301 response) this URL only reults in 404 with nginx.

[PolishTanker]

I placed this here for future generations.
This will be always working, even with custom pages and fastcgi_intercept_errors on; in nginx.

    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;

        location /.well-known/nodeinfo {
                default_type application/json;
                return 404 '{"message": "nodeinfo not supported"}';
                add_header x-nextcloud-well-known 1 always;
        }

        location /.well-known/webfinger {
                default_type application/json;
                return 404 '{"message": "webfinger not supported"}';
                add_header x-nextcloud-well-known 1 always;
        }
    }

[monochromec]

What about updating the main documentation (although community-maintained)?

[kellogcheung]

@PolishTanker
I was running my instance of Nginx (npm) at a port other than 80/443 with my router set to port forward request to the correct port (ie.8443) . The rewrite rules somehow rewrote the request to the forwarded port (ie. https://webpage:8443/remote.php), which obviously would not work for my case.
I rewrote line 5-6 of your config to this and it finally worked for me now.

        location = /.well-known/carddav { 
               return 301 https://$host/remote.php/dav; 
        }
        location = /.well-known/caldav  { 
               return 301 https://$host/remote.php/dav; 
        }