Nextcloud with Cal/Cardav routing

broken.pipe · April 17, 2020, 10:45am

Hello everyone,
i'm trying to set up the correct routing for Cal/Cardav, but unfortunately there is still something wrong with the Traefik configuration. Everything works except Cal/Cardav.

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=http"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.com`)"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect,nextcloud-dav"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.example.com`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.permanent=true"
    networks:

mirko3107 · April 18, 2020, 11:48am

Hi,

i think, your middleware "nextcloud-dav" is in the wrong router, it should be in the router nextcloud-secure,
not nextcloud.

These are my headers:

- "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
- "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
- "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
- "traefik.http.middlewares.nc-header.headers.stsPreload=true"
- "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
- "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
- "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-rep,nc-header"

I hope i could help.

broken.pipe · April 18, 2020, 12:01pm

Thank you! I was able to fix it. All errors are gone

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.middlewares.nextcloud-https.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud-http.entrypoints=http"
      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.duckdns.org`)"
      - "traefik.http.routers.nextcloud-http.middlewares=nextcloud-https@docker"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.duckdns.org`)"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=http"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav,secHeaders@file"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"

Traefik dynamic.yml

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"

    https-redirect:
      redirectScheme:
        scheme: https

mirko3107 · April 18, 2020, 2:13pm

Great

Could you show us your complete docker-compose.yml? I have still some problems with nextcloud:
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy

broken.pipe · April 18, 2020, 3:25pm

Ok, i still have this message, although i adjusted the nextcloud config.php (i think) correctly. trusted_proxy wants to know the IP address of the traefik interface

'trusted_proxies' => array ('172.19.0.1'),
'forwarded-for-headers' => array ('HTTP_X_FORWARDED_FOR'),

docker network inspect *your-traefik-proxy-network* --format='{{(index .IPAM.Config 0).Gateway}}'

mirko3107 · April 18, 2020, 4:08pm

I still see this error, also with 172.31.0.1 as trusted proxy.

sebastian · January 19, 2023, 9:31pm

Can someone please help. Im searching for tree hours now....

Got nextcloud issue with not properly set up to resolve "/.well-known/cal and carddav" and HTTP header is not set to at least "15552000"

when i change
- "traefik.http.routers.nextcloud-app.middlewares=nextcloud-dav"
to
- "traefik.http.routers.nextcloud-app-secure.middlewares=nextcloud-dav"

The nextcloud website does not load.

These are my labels:

  - "traefik.enable=true"
  - "traefik.http.routers.nextcloud-app.entrypoints=web-secure"
  - "traefik.http.routers.nextcloud-app.rule=Host(`cloud.hostname.de`)"
  - "traefik.http.middlewares.nextcloud-dav.redirectscheme.scheme=https"
  - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-dav"
  - "traefik.http.routers.nextcloud-app-secure.entrypoints=web-secure"
  - "traefik.http.routers.nextcloud-app-secure.rule=Host(`cloud.hostname.de`)"
  - "traefik.http.routers.nextcloud-app-secure.tls=true"
  - "traefik.http.routers.nextcloud-app-secure.tls.certresolver=default"
  - "traefik.http.routers.nextcloud-app-secure.service=nextcloud-app"
  - "traefik.http.services.nextcloud-app.loadbalancer.server.port=80"
  - "traefik.docker.network=traefik"
  - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
  - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
  - "traefik.http.middlewares.nextcloud-dav.headers.stsincludesubdomains=false"
  - "traefik.http.middlewares.nextcloud-dav.headers.stspreload=true"
  - "traefik.http.middlewares.nextcloud-dav.headers.stsseconds=31536000"
  - "traefik.http.middlewares.nextcloud-dav.headers.isdevelopment=false"

i do not have a traefik dynamic.yml. is this my mistake?

bluepuma77 · January 19, 2023, 10:51pm

Try changing

  - "traefik.http.routers.nextcloud-app.entrypoints=web-secure"
  - "traefik.http.routers.nextcloud-app.rule=Host(`cloud.hostname.de`)"
  - "traefik.http.middlewares.nextcloud-dav.redirectscheme.scheme=https"
  - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-dav"

to

  - "traefik.http.routers.nextcloud-app.entrypoints=web"
  - "traefik.http.routers.nextcloud-app.rule=Host(`cloud.hostname.de`)"
  - "traefik.http.middlewares.nextcloud-redirect.redirectscheme.scheme=https"
  - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-redirect"

I think you listen on the wrong entrypoint for redirect and add the redirect-to-https middleware to the same name middleware you use with web-secure for headers.

sebastian · January 20, 2023, 8:19am

Now there are even more errors.

I think i have way too much labels. What can i delete?

system · January 23, 2023, 8:20am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
HTTP Strict Transport Security Traefik v2 docker , middleware , cli	3	15713	January 13, 2020
Enable HSTS Nextcloud docker Traefik v3 (latest) docker	3	431	February 18, 2025
Problem with cyphers and HSTS Traefik v2 docker	0	1678	November 25, 2019
redirectRegex not working as expected Traefik v2 docker , docker-swarm , file	4	3595	November 28, 2019
Redirect cloud.domain.com to other host Traefik v2 docker , file , tcp	5	597	February 25, 2020

Nextcloud with Cal/Cardav routing

Related topics