Update admin webserver config recommendations for well known handlers #5825
Conversation
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
On a side note this recommended nginx config really has some issues. I've reverted to my own version now. It's not ideal, but works a lot better for development purposes (I don't care much about security headers there).
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; | ||
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; | ||
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; | ||
|
||
location = /.well-known/carddav { return 301 /remote.php/dav/; } |
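Review bot: the three `rewrite` rules match an unanchored prefix, so `^/\.well-known/webfinger` also rewrites `/.well-known/webfinger-anything` to `/public.php?service=webfinger`; anchor them with `$` (for example `rewrite ^/\.well-known/webfinger$ /public.php?service=webfinger last;`) or switch to exact `location =` blocks as the carddav line already does. The query string is not a problem in these rewrites, since nginx appends the original arguments after the `?service=...` replacement.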
Would be good to at some point then also migrate the *dav related well known endpoints
Absolutely. @rullzer and I brainstormed about using the new API and having a simple handler in the dav app. Then installations that are hosted in the document root don't ever need to fiddle with the rewrites/redirects.
This needs confirmation, as I might be wrong, but I don't think the current API can handle https://tools.ietf.org/html/rfc6415#section-3.1:
This is doable today with the GenericResponse. See nextcloud/server#24702 (comment).
Is it a great idea to redirect really all
location = /.well-known/carddav { return 301 /remote.php/dav/; } | ||
location = /.well-known/caldav { return 301 /remote.php/dav/; } | ||
# Anything else is dynamically handled by Nextcloud | ||
location ^~ /.well-known { return 301 /index.php$uri; } |
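Review bot: `return 301 /index.php$uri;` in the catch-all `location ^~ /.well-known` drops the query string, because `$uri` is the normalised request path without arguments; use `$request_uri` so that, for example, a webfinger `?resource=` parameter reaches Nextcloud. The same catch-all also sends `/.well-known/acme-challenge/...` (and `pki-validation`) into index.php, which breaks webroot-based ACME validation; add explicit exclusions for those paths ahead of the catch-all, in the same style as the hard-coded carddav/caldav exceptions above it.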
I think $request_uri must be used here as $uri is the normalised/decided URI with query string and anchor removed, which is not what is wanted here?
@daita could that explain why you sometimes didn't see query parameters?!
My stack of thoughts ran into an overflow and I forgot our considerations but I seem to remember that we thought about this ACME challenge. Do you have a setup where you could test this?
One with Nextcloud in
This is with acme.sh webroot authentication. The client writes to
But it looks dangerous to go with the approach to redirect all
If there is anything else that is never handled by Nextcloud then we can add it to this hard coded exclude pattern. But the idea was to let Nextcloud apps handle as much as they like dynamically. So from the PoV of Nextcloud we don't actually know what well known handlers are available as they are provided via apps.
Fair point as well. Practically I guess it doesn't make much difference whether one needs to add an extra include or an extra exclude. However, ACME definitely needs to be excluded and likely pki-validation (whatever it is), to match the
True. Would you mind sending the change as PR?
Done: #6221 |
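The shape the thread converges on (redirect with `$request_uri` instead of `$uri`, and keep the ACME and pki-validation paths out of the catch-all), as an added nginx example for a document-root install. This is not the config shipped by this PR or by the administration manual; the `try_files` handling of the challenge directories and the assumption that the ACME client writes into nginx's `root` are mine.

```nginx
# Added example, not the config from this PR. Assumes Nextcloud lives in the
# server's document root and the ACME client (e.g. acme.sh in webroot mode)
# writes challenge files below that same root.

# Weak: this catch-all also swallows /.well-known/acme-challenge/* and
# /.well-known/pki-validation/*, and $uri has the query string stripped, so
# /.well-known/webfinger?resource=acct:alice@example.org loses ?resource=...
#location ^~ /.well-known { return 301 /index.php$uri; }

# Paths that must never reach Nextcloud: serve them as static files or 404.
# Longest prefix match wins, so these take precedence over the catch-all below.
location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
location ^~ /.well-known/pki-validation/ { try_files $uri =404; }

# Hard-coded DAV discovery as exact matches (an '=' location beats any prefix).
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav  { return 301 /remote.php/dav/; }

# Everything else is handled dynamically by Nextcloud apps. $request_uri keeps
# the original path and query string, so the redirect target becomes
# /index.php/.well-known/webfinger?resource=acct:alice@example.org
location ^~ /.well-known { return 301 /index.php$request_uri; }
```

To check it on a host (hostname assumed): `curl -sI 'https://cloud.example.org/.well-known/webfinger?resource=acct:alice@example.org'` should return a 301 whose `Location` still carries `?resource=...`, and after placing a file under `.well-known/acme-challenge/` in the webroot, `curl -s https://cloud.example.org/.well-known/acme-challenge/<file>` should return its contents with a 200 rather than a redirect into index.php. For an install in a subdirectory the `location` prefixes and the redirect target need the subdirectory prefix, which this example does not cover.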
Please note that I didn't use the current nginx config from the administration manual as this would've broken ACME challenges[1]. Also added a fix for Microsoft clients. [1] nextcloud/documentation#5825 (comment)
Please note that I didn't use the current nginx config from the administration manual as this would've broken ACME challenges[1]. Also added a fix for Microsoft clients. [1] nextcloud/documentation#5825 (comment) (cherry picked from commit 7977214)
For nextcloud/server#24702.
Basically well known has to go to Nextcloud, except for the hard-coded DAV routes.
I tested with nginx, both nextcloud hosted in the root as well as as sub directory. Ideally we'd have nginx answer to
./well-known
directly without the index.php prefix but I'm not able to change our default config for this. My previous hand-crafted nginx config allowed this.
@daita please review and test