Android | DAVx5 autoconfig does not work | PROPFIND | 405 Not Allowed #562

Open
tenhishadow opened this issue Apr 23, 2024 · 0 comments
Labels
Ingress Anything to do with ingress or ingress controllers

Issue Description:

I am currently deploying NextCloud using the official Helm chart which includes Nginx and PHP-FPM. However, I am facing an issue with the DAVx⁵ app on Android, where it reports a "PropFind method not allowed" error. It seems this issue has been previously documented in other issues, but the provided solutions do not resolve the problem and are not applicable to Kubernetes Ingress setups.

Actual Behavior:
When attempting to connect using DAVx⁵, the app encounters an error stating that the PropFind method is not allowed. This indicates a potential misconfiguration in either the Nginx setup or the Kubernetes Ingress rules that restrict HTTP methods essential for DAVx⁵'s operation.

Logs and Errors

Logs from DAVx5
2024-04-23 18:08:44 3338 [network.HttpClient] <-- END HTTP (162-byte body)
2024-04-23 18:08:44 3338 [at.bitfire.dav4jvm.DavResource] Redirected, new location = https://nextcloud.domain.org/remote.php/dav
2024-04-23 18:08:44 3338 [network.HttpClient] --> PROPFIND https://nextcloud.domain.org/remote.php/dav h2
2024-04-23 18:08:44 3338 [network.HttpClient] Depth: 0
2024-04-23 18:08:44 3338 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5
2024-04-23 18:08:44 3338 [network.HttpClient] Content-Type: application/xml; charset=utf-8
2024-04-23 18:08:44 3338 [network.HttpClient] Content-Length: 198
2024-04-23 18:08:44 3338 [network.HttpClient] Host: nextcloud.domain.org
2024-04-23 18:08:44 3338 [network.HttpClient] Connection: Keep-Alive
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Encoding: gzip
2024-04-23 18:08:44 3338 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=m9mP9pEbF9zPiMg2Kgt6ghDxtoFqtgmyk7FzV5%2ByWdh47jq5q20laNNZ%2BltR7wQH5wxUu5d6lfYoURfL1E5F%2BQPH3C13Zipc5sSQEiVYGoKyRvi1lXmVEU8Wcu8fIOww; oc4sncy5go9g=902649cb2332def72f7f651f52a27fba; stickounet=1713888525.944.11986.785516|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true
2024-04-23 18:08:44 3338 [network.HttpClient] 
2024-04-23 18:08:44 3338 [network.HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
2024-04-23 18:08:44 3338 [network.HttpClient] --> END PROPFIND (198-byte body)
2024-04-23 18:08:44 3338 [network.HttpClient] <-- 207 https://nextcloud.domain.org/remote.php/dav (32ms)
2024-04-23 18:08:44 3338 [network.HttpClient] date: Tue, 23 Apr 2024 16:08:45 GMT
2024-04-23 18:08:44 3338 [network.HttpClient] content-type: application/xml; charset=utf-8
2024-04-23 18:08:44 3338 [network.HttpClient] expires: Thu, 19 Nov 1981 08:52:00 GMT
2024-04-23 18:08:44 3338 [network.HttpClient] cache-control: no-store, no-cache, must-revalidate
2024-04-23 18:08:44 3338 [network.HttpClient] pragma: no-cache
2024-04-23 18:08:44 3338 [network.HttpClient] content-security-policy: default-src 'none';
2024-04-23 18:08:44 3338 [network.HttpClient] vary: Brief,Prefer
2024-04-23 18:08:44 3338 [network.HttpClient] dav: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nextcloud-checksum-update, nc-calendar-search, nc-enable-birthday-calendar
2024-04-23 18:08:44 3338 [network.HttpClient] x-request-id: edeqq8Dx40jtfYqMaOG7
2024-04-23 18:08:44 3338 [network.HttpClient] x-debug-token: edeqq8Dx40jtfYqMaOG7
2024-04-23 18:08:44 3338 [network.HttpClient] content-encoding: gzip
2024-04-23 18:08:44 3338 [network.HttpClient] referrer-policy: no-referrer
2024-04-23 18:08:44 3338 [network.HttpClient] x-content-type-options: nosniff
2024-04-23 18:08:44 3338 [network.HttpClient] x-download-options: noopen
2024-04-23 18:08:44 3338 [network.HttpClient] x-frame-options: SAMEORIGIN
2024-04-23 18:08:44 3338 [network.HttpClient] x-permitted-cross-domain-policies: none
2024-04-23 18:08:44 3338 [network.HttpClient] x-robots-tag: noindex, nofollow
2024-04-23 18:08:44 3338 [network.HttpClient] x-xss-protection: 1; mode=block
2024-04-23 18:08:44 3338 [network.HttpClient] strict-transport-security: max-age=31536000; includeSubDomains
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-origin: *
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-credentials: true
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-methods: COPY, DELETE, GET, HEAD, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, REPORT
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-max-age: 1728000
2024-04-23 18:08:44 3338 [network.HttpClient] 
2024-04-23 18:08:44 3338 [network.HttpClient] <?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns"><d:response><d:href>/remote.php/dav/</d:href><d:propstat><d:prop><d:current-user-principal><d:href>/remote.php/dav/principals/users/t81e783b9-3e64-495d-a63a-a7028840bc17/</d:href></d:current-user-principal></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>

2024-04-23 18:08:44 3338 [network.HttpClient] <-- END HTTP (448-byte, 259-gzipped-byte body)
2024-04-23 18:08:44 3338 [servicedetection.DavResourceFinder] Found current-user-principal: https://nextcloud.domain.org/remote.php/dav/principals/users/t81e783b9-3e64-495d-a63a-a7028840bc17/
2024-04-23 18:08:44 3338 [network.HttpClient] --> OPTIONS https://nextcloud.domain.org/remote.php/dav/principals/users/t81e783b9-3e64-495d-a63a-a7028840bc17/ h2
2024-04-23 18:08:44 3338 [network.HttpClient] Content-Length: 0
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Encoding: identity
2024-04-23 18:08:44 3338 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5
2024-04-23 18:08:44 3338 [network.HttpClient] Host: nextcloud.domain.org
2024-04-23 18:08:44 3338 [network.HttpClient] Connection: Keep-Alive
2024-04-23 18:08:44 3338 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=m9mP9pEbF9zPiMg2Kgt6ghDxtoFqtgmyk7FzV5%2ByWdh47jq5q20laNNZ%2BltR7wQH5wxUu5d6lfYoURfL1E5F%2BQPH3C13Zipc5sSQEiVYGoKyRvi1lXmVEU8Wcu8fIOww; oc4sncy5go9g=902649cb2332def72f7f651f52a27fba; stickounet=1713888525.944.11986.785516|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true
2024-04-23 18:08:44 3338 [network.HttpClient] --> END OPTIONS
2024-04-23 18:08:44 3338 [network.HttpClient] <-- 204 https://nextcloud.domain.org/remote.php/dav/principals/users/t81e783b9-3e64-495d-a63a-a7028840bc17/ (3ms)
2024-04-23 18:08:44 3338 [network.HttpClient] date: Tue, 23 Apr 2024 16:08:45 GMT
2024-04-23 18:08:44 3338 [network.HttpClient] strict-transport-security: max-age=31536000; includeSubDomains
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-origin: *
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-credentials: true
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-methods: COPY, DELETE, GET, HEAD, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, REPORT
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-max-age: 1728000
2024-04-23 18:08:44 3338 [network.HttpClient] content-length: 0
2024-04-23 18:08:44 3338 [network.HttpClient] <-- END HTTP (0-byte body)
2024-04-23 18:08:44 3338 [servicedetection.DavResourceFinder] Principal https://nextcloud.domain.org/remote.php/dav/principals/users/t81e783b9-3e64-495d-a63a-a7028840bc17/ doesn't provide caldav service
2024-04-23 18:08:44 3338 [servicedetection.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.domain.org/
2024-04-23 18:08:44 3338 [network.HttpClient] --> PROPFIND https://nextcloud.domain.org/ h2
2024-04-23 18:08:44 3338 [network.HttpClient] Depth: 0
2024-04-23 18:08:44 3338 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5
2024-04-23 18:08:44 3338 [network.HttpClient] Content-Type: application/xml; charset=utf-8
2024-04-23 18:08:44 3338 [network.HttpClient] Content-Length: 198
2024-04-23 18:08:44 3338 [network.HttpClient] Host: nextcloud.domain.org
2024-04-23 18:08:44 3338 [network.HttpClient] Connection: Keep-Alive
2024-04-23 18:08:44 3338 [network.HttpClient] Accept-Encoding: gzip
2024-04-23 18:08:44 3338 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=m9mP9pEbF9zPiMg2Kgt6ghDxtoFqtgmyk7FzV5%2ByWdh47jq5q20laNNZ%2BltR7wQH5wxUu5d6lfYoURfL1E5F%2BQPH3C13Zipc5sSQEiVYGoKyRvi1lXmVEU8Wcu8fIOww; oc4sncy5go9g=902649cb2332def72f7f651f52a27fba; stickounet=1713888525.944.11986.785516|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true
2024-04-23 18:08:44 3338 [network.HttpClient] 
2024-04-23 18:08:44 3338 [network.HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
2024-04-23 18:08:44 3338 [network.HttpClient] --> END PROPFIND (198-byte body)
2024-04-23 18:08:44 3338 [network.HttpClient] <-- 405 https://nextcloud.domain.org/ (3ms)
2024-04-23 18:08:44 3338 [network.HttpClient] date: Tue, 23 Apr 2024 16:08:45 GMT
2024-04-23 18:08:44 3338 [network.HttpClient] content-type: text/html
2024-04-23 18:08:44 3338 [network.HttpClient] content-length: 157
2024-04-23 18:08:44 3338 [network.HttpClient] referrer-policy: no-referrer
2024-04-23 18:08:44 3338 [network.HttpClient] x-content-type-options: nosniff
2024-04-23 18:08:44 3338 [network.HttpClient] x-download-options: noopen
2024-04-23 18:08:44 3338 [network.HttpClient] x-frame-options: SAMEORIGIN
2024-04-23 18:08:44 3338 [network.HttpClient] x-permitted-cross-domain-policies: none
2024-04-23 18:08:44 3338 [network.HttpClient] x-robots-tag: noindex, nofollow
2024-04-23 18:08:44 3338 [network.HttpClient] x-xss-protection: 1; mode=block
2024-04-23 18:08:44 3338 [network.HttpClient] strict-transport-security: max-age=31536000; includeSubDomains
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-origin: *
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-credentials: true
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-methods: COPY, DELETE, GET, HEAD, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, REPORT
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For
2024-04-23 18:08:44 3338 [network.HttpClient] access-control-max-age: 1728000
2024-04-23 18:08:44 3338 [network.HttpClient] 
2024-04-23 18:08:44 3338 [network.HttpClient] <html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.25.5</center>
</body>
</html>

Environment

values.yaml
image:
  repository: core.harbor.domain.org/docker-nextcloud # fpm version

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer:                      "letsencrypt-prod"
    kubernetes.io/ingress.class:                         "nginx"
    kubernetes.io/tls-acme:                              "true"
    nginx.ingress.kubernetes.io/affinity:                "cookie"
    nginx.ingress.kubernetes.io/cors-allow-headers:      "X-Forwarded-For"
    nginx.ingress.kubernetes.io/enable-cors:             "true"
    nginx.ingress.kubernetes.io/enable-websocket:        "true"
    nginx.ingress.kubernetes.io/hsts-include-subdomains: "true"
    nginx.ingress.kubernetes.io/hsts-max-age:            "31536000"
    nginx.ingress.kubernetes.io/hsts-preload:            "true"
    nginx.ingress.kubernetes.io/hsts:                    "true"
    nginx.ingress.kubernetes.io/keep-alive:              "75"
    nginx.ingress.kubernetes.io/proxy-body-size:         '0'
    nginx.ingress.kubernetes.io/session-cookie-name:     "stickounet"
    nginx.ingress.kubernetes.io/ssl-redirect:            "true"
    nginx.ingress.kubernetes.io/server-snippet: |-
      server_tokens off;
      proxy_hide_header X-Powered-By;
      rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
      rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
      location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
        deny all;
      }
  tls:
    - secretName: nextcloud-tls
      hosts:
        - nextcloud.domain.org
  labels: {}
  path: /
  pathType: Prefix

phpClientHttpsFix:
  enabled: true
  protocol: https

  phpConfigs:
    custom.ini: |
      upload_max_filesize = 10000M
      post_max_size = 10000M
      max_input_time = 3600
      max_execution_time = 3600
      output_buffering = 0
      memory_limit 10000M
      opcache.enable=1
      opcache.interned_strings_buffer=8
      opcache.max_accelerated_files=10000
      opcache.memory_consumption=1024
      opcache.save_comments = 1
      opcache.revalidate_freq = 60
      opcache.validate_timestamps = 0
      opcache.jit = 1255
      opcache.jit_buffer_size = 128M

    www.conf: |
      [www]
      user = www-data
      group = www-data
      listen = 127.0.0.1:9000
      pm = dynamic
      pm.max_children = 120
      pm.start_servers = 12
      pm.min_spare_servers = 11
      pm.max_spare_servers = 34


  defaultConfigs:
    .htaccess: false
    redis.config.php: false
    apache-pretty-urls.config.php: false
    apcu.config.php: true
    apps.config.php: true
    autoconfig.php: true
    smtp.config.php: false
  configs:
    rediscluster.config.php: |-
      <?php
      if (getenv('REDISCLUSTERPWD')) {
        $CONFIG = array (
          'filelocking.enabled' => 'true',
          'memcache.distributed' => '\OC\Memcache\Redis',
          'memcache.locking' => '\OC\Memcache\Redis',
          'redis.cluster' => [
             'seeds' => [
                'redis-cluster:6379'
             ],
             'failover_mode'   => \RedisCluster::FAILOVER_ERROR,
             'timeout'         => 0.0,
             'read_timeout'    => 0.0,
             'password'        => getenv('REDISCLUSTERPWD'),
             'dbindex'         => 0,
          ]
        );
      }
    proxy.config.php: |-
      <?php
      $CONFIG = array (
        'trusted_proxies' => array(
          '0' => '127.0.0.1',
          '1' => '10.0.0.0/8',
        ),
        'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
      );
    chunk.config.php: |-
      <?php
      $CONFIG = array (
        'chunkSize' => '100MB',
      );
    preview.config.php: |-
      <?php
      $CONFIG = array (
        'enabledPreviewProviders' => array(
          '0'  => 'OC\\Preview\\BMP',
          '1'  => 'OC\\Preview\\GIF',
          '2'  => 'OC\\Preview\\HEIC',
          '3'  => 'OC\\Preview\\Image',
          '4'  => 'OC\\Preview\\Imaginary',
          '5'  => 'OC\\Preview\\JPEG',
          '6'  => 'OC\\Preview\\Krita',
          '7'  => 'OC\\Preview\\MP3',
          '8'  => 'OC\\Preview\\MP4',
          '9'  => 'OC\\Preview\\MarkDown',
          '10' => 'OC\\Preview\\Movie',
          '11' => 'OC\\Preview\\Movie',
          '12' => 'OC\\Preview\\OpenDocument',
          '13' => 'OC\\Preview\\PDF',
          '14' => 'OC\\Preview\\PNG',
          '15' => 'OC\\Preview\\TIFF',
          '16' => 'OC\\Preview\\TXT',
          '17' => 'OC\\Preview\\TXT',
          '18' => 'OC\\Preview\\XBitmap',
        ),
        'preview_imaginary_url'      => 'http://imaginary:9000',
        'preview_max_filesize_image' => 100,
        'preview_max_x'              => 8192,
        'preview_max_y'              => 8192,
      );
  extraEnv:
    - name: TZ
      value: 'Europe/Warsaw'
    # https://github.com/nextcloud/docker/issues/1288
    # https://www.postgresql.org/docs/current/libpq-envars.html
    - name: PGSSLMODE
      value: 'verify-ca'
    - name: PGSSLROOTCERT
      value: '/certs/root.crt'
    - name: PGSSLCERT
      value: '/certs/client.crt'
    - name: PGSSLKEY
      value: '/certs/client.key'
    - name: REDISCLUSTERPWD
      valueFrom:
        secretKeyRef:
          name: nextcloud--redis-redis-cluster
          key: redis-password
    - name: PHP_MEMORY_LIMIT
      value: '10000M'
    - name: PHP_UPLOAD_LIMIT
      value: '10000M'

  extraVolumes:
   - name: bashrc
     configMap:
       name: container-bashrc
   - name: postgresqlrc
     configMap:
       name: container-postgresqlrc
   - name: psql-bouncer
     secret:
       secretName: nextcloud--psql-pg-db-pgbouncer
       items:
         - key:  pgbouncer-frontend.ca-roots
           path: root.crt
           mode: 0777
         - key:  pgbouncer-frontend.crt
           path: client.crt
           mode: 0600
         - key:  pgbouncer-frontend.key
           path: client.key
           mode: 0777
  extraVolumeMounts:
    - name:      psql-bouncer
      mountPath: "/psql/bouncer"
    - name:      bashrc
      mountPath: /root/.bashrc
      subPath:   bashrc
      readOnly:  true
    - name:      postgresqlrc
      mountPath: /root/.postgresqlrc
      subPath:   postgresqlrc
      readOnly:  true

nginx:
  enabled: true
  image:
    repository: core.harbor.domain.org/replication/nginx
    tag: mainline-alpine
    pullPolicy: Always
  containerPort: 80
  config:
    default: true

internalDatabase:
  enabled: false
  name: nextcloud

externalDatabase:
  enabled: true
  type: postgresql
  existingSecret:
    enabled:     true
    secretName:  lalala
    usernameKey: ololoev
    passwordKey: ololo
    hostKey:     pgbouncer-host
    databaseKey: dbname

mariadb:
  enabled: false
postgresql:
  enabled: false
redis:
  enabled: false
cronjob:
  enabled: true
  lifecycle:
    postStartCommand:
      - "/bin/sh"
      - "-c"
      - |
        mkdir /certs
        cat /psql/bouncer/client.key > /certs/client.key
        cat /psql/bouncer/client.crt > /certs/client.crt
        cat /psql/bouncer/root.crt > /certs/root.crt
        chown -R www-data:www-data /certs
        chmod 0600 /certs/*

affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/instance
                operator: In
                values:
                  - nextcloud
          topologyKey: "kubernetes.io/hostname"

Explicit CORS ingress annotations do not resolve the issue with auto-discovery

I checked #410 and tested by adding:

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET HEAD POST OPTIONS PUT PATCH DELETE PROPFIND MKCOL REPORT"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For"

It does not make any sense because it's not on the ingress side; it's about the nextcloud-nginx container.
Once I add those annotations to the ingress and test Davx5 again, it shows that those methods
are allowed, but I'm still encountering a 405 error.

DAVx5 logs after adding explicit CORS annotations
2024-04-23 19:13:32 5350 [network.HttpClient] --> PROPFIND https://nextcloud.domain.org/ h2
2024-04-23 19:13:32 5350 [network.HttpClient] Depth: 0
2024-04-23 19:13:32 5350 [network.HttpClient] User-Agent: DAVx5/4.3.16-gplay (2024/04/14; dav4jvm; okhttp/4.12.0) Android/14
2024-04-23 19:13:32 5350 [network.HttpClient] Accept-Language: en-US, en;q=0.7, *;q=0.5
2024-04-23 19:13:32 5350 [network.HttpClient] Content-Type: application/xml; charset=utf-8
2024-04-23 19:13:32 5350 [network.HttpClient] Content-Length: 198
2024-04-23 19:13:32 5350 [network.HttpClient] Host: nextcloud.domain.org
2024-04-23 19:13:32 5350 [network.HttpClient] Connection: Keep-Alive
2024-04-23 19:13:32 5350 [network.HttpClient] Accept-Encoding: gzip
2024-04-23 19:13:32 5350 [network.HttpClient] Cookie: __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=pk5ZtvMczxv9NDTpvGHK5jpn%2FtjouU7lgLxyziS7rgiRRE3XkGNLzM4VJZXe7U1wq%2BdccZyf7mLlIaERwsGVDIL9N9CT3w6ASnW7NREBynQLowqjsipIcivVWdqdKS%2BW; oc4sncy5go9g=b42d9a10347aa65d7a8ad1a755536214; stickounet=1713892414.005.13187.415743|ec59da9da29dd3ab51c3e45939dab7d1; __Host-nc_sameSiteCookielax=true
2024-04-23 19:13:32 5350 [network.HttpClient] 
2024-04-23 19:13:32 5350 [network.HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
2024-04-23 19:13:32 5350 [network.HttpClient] --> END PROPFIND (198-byte body)
2024-04-23 19:13:32 5350 [network.HttpClient] <-- 405 https://nextcloud.domain.org/ (3ms)
2024-04-23 19:13:32 5350 [network.HttpClient] date: Tue, 23 Apr 2024 17:13:33 GMT
2024-04-23 19:13:32 5350 [network.HttpClient] content-type: text/html
2024-04-23 19:13:32 5350 [network.HttpClient] content-length: 157
2024-04-23 19:13:32 5350 [network.HttpClient] referrer-policy: no-referrer
2024-04-23 19:13:32 5350 [network.HttpClient] x-content-type-options: nosniff
2024-04-23 19:13:32 5350 [network.HttpClient] x-download-options: noopen
2024-04-23 19:13:32 5350 [network.HttpClient] x-frame-options: SAMEORIGIN
2024-04-23 19:13:32 5350 [network.HttpClient] x-permitted-cross-domain-policies: none
2024-04-23 19:13:32 5350 [network.HttpClient] x-robots-tag: noindex, nofollow
2024-04-23 19:13:32 5350 [network.HttpClient] x-xss-protection: 1; mode=block
2024-04-23 19:13:32 5350 [network.HttpClient] strict-transport-security: max-age=31536000; includeSubDomains
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-origin: *
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-credentials: true
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-methods: GET HEAD POST OPTIONS PUT PATCH DELETE PROPFIND MKCOL REPORT
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-max-age: 1728000
2024-04-23 19:13:32 5350 [network.HttpClient] 
2024-04-23 19:13:32 5350 [network.HttpClient] <html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.25.5</center>
</body>
</html>

2024-04-23 19:13:32 5350 [network.HttpClient] <-- END HTTP (157-byte body)
2024-04-23 19:13:32 5350 [servicedetection.DavResourceFinder] No resource found
EXCEPTION at.bitfire.dav4jvm.exception.HttpException: HTTP 405 
	at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:3)
	at at.bitfire.dav4jvm.DavResource.checkStatus(DavResource.kt:1)
	at at.bitfire.dav4jvm.DavResource.processMultiStatus(DavResource.kt:2)
	at at.bitfire.dav4jvm.DavResource.propfind(DavResource.kt:76)
	at at.bitfire.davdroid.servicedetection.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.kt:37)
	at at.bitfire.davdroid.servicedetection.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.kt:301)
	at at.bitfire.davdroid.servicedetection.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:29)
	at at.bitfire.davdroid.servicedetection.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:4)
	at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1$configuration$1.invoke(LoginModel.kt:3)
	at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1$configuration$1.invoke(LoginModel.kt:1)
	at kotlinx.coroutines.InterruptibleKt$runInterruptible$2.invokeSuspend(Interruptible.kt:59)
	at kotlinx.coroutines.InterruptibleKt$runInterruptible$2.invoke(Interruptible.kt:13)
	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:16)
	at kotlinx.coroutines.BuildersKt.withContext(Unknown Source:41)
	at org.apache.commons.text.WordUtils.runInterruptible$default(WordUtils.java:9)
	at at.bitfire.davdroid.ui.setup.LoginModel$detectResources$job$1.invokeSuspend(LoginModel.kt:38)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:9)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:111)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:4)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:3)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:98)
So, those Kubernetes annotations are essentially ineffective and permit unrestricted access. I'm not entirely convinced that this is beneficial for security purposes.

Way out

It appears that the "discovery" functionality is not functioning properly. However,
it is possible to manually configure DAVx5 to sync contacts by obtaining the URL from
the web interface. It seems like the URL format is:
https://nextcloud.domain.org/remote.php/dav/addressbooks/users/username/contacts/

Additional

If someone could provide annotations for CORS, HSTS, etc. to enhance security, caching, and load balancing, I would greatly appreciate it. If someone revised my configuration from a high availability (HA) and security best practices standpoint, or offered criticism, I would be very grateful.

It's quite odd that nginx is disclosing its version.
I believe it's preferable to disable server tokens by default in the configuration of the nextcloud-nginx container.

<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.25.5</center>
</body>
</html>
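
The mismatch this report describes, a 405 for a method that the `access-control-allow-methods` response header lists, can be picked out of a DAVx5 debug log mechanically. The following is an added example, not part of the original issue or of any project named in it: `parse_exchanges` and `findings` are hypothetical helper names, and the sample log is constructed in the shape of the logs above with a placeholder host and no cookies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a DAVx5 debug log (placeholder host, cookies omitted).
SAMPLE_LOG = """\
2024-04-23 19:13:32 5350 [network.HttpClient] --> PROPFIND https://nextcloud.example.org/remote.php/dav h2
2024-04-23 19:13:32 5350 [network.HttpClient] --> END PROPFIND (198-byte body)
2024-04-23 19:13:32 5350 [network.HttpClient] <-- 207 https://nextcloud.example.org/remote.php/dav (32ms)
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-methods: GET HEAD POST OPTIONS PROPFIND REPORT
2024-04-23 19:13:32 5350 [network.HttpClient]
2024-04-23 19:13:32 5350 [network.HttpClient] <?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:"></d:multistatus>
2024-04-23 19:13:32 5350 [network.HttpClient] <-- END HTTP (448-byte body)
2024-04-23 19:13:32 5350 [network.HttpClient] --> PROPFIND https://nextcloud.example.org/ h2
2024-04-23 19:13:32 5350 [network.HttpClient] Depth: 0
2024-04-23 19:13:32 5350 [network.HttpClient] --> END PROPFIND (198-byte body)
2024-04-23 19:13:32 5350 [network.HttpClient] <-- 405 https://nextcloud.example.org/ (3ms)
2024-04-23 19:13:32 5350 [network.HttpClient] content-type: text/html
2024-04-23 19:13:32 5350 [network.HttpClient] access-control-allow-methods: COPY, DELETE, GET, PROPFIND, REPORT
2024-04-23 19:13:32 5350 [network.HttpClient]
2024-04-23 19:13:32 5350 [network.HttpClient] <html>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.25.5</center>
</html>
"""

PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ \[(?P<tag>[^\]]+)\] ?(?P<msg>.*)$")
REQ = re.compile(r"^--> (?P<method>[A-Z]+) (?P<url>\S+)")
RESP = re.compile(r"^<-- (?P<status>\d{3}) (?P<url>\S+)")
HEADER = re.compile(r"^(?P<name>[A-Za-z0-9-]+): (?P<value>.*)$")
BANNER = re.compile(r"<center>(nginx/[\d.]+)</center>")


@dataclass
class Exchange:
    method: str
    url: str
    status: int = 0
    headers: dict = field(default_factory=dict)  # response headers, lower-cased names
    body: list = field(default_factory=list)     # response body lines


def parse_exchanges(log_text):
    """Pair each logged request with its response status, headers and body."""
    exchanges, current = [], None
    in_response = headers_done = False
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if m and m["tag"] != "network.HttpClient":
            continue
        msg = m["msg"] if m else raw  # un-prefixed lines continue a body
        req = None if msg.startswith("--> END") else REQ.match(msg)
        if req or msg.startswith("<-- END"):
            if current and current.status:  # flush; also covers a log cut before END
                exchanges.append(current)
            current = Exchange(req["method"], req["url"]) if req else None
            in_response = headers_done = False
            continue
        if current is None:
            continue
        resp = RESP.match(msg)
        if resp and not in_response:
            current.status, in_response = int(resp["status"]), True
        elif in_response and not msg and not headers_done:
            headers_done = True  # blank line separates headers from body
        elif in_response and not headers_done and HEADER.match(msg):
            h = HEADER.match(msg)
            current.headers[h["name"].lower()] = h["value"]
        elif in_response and msg:
            current.body.append(msg)
    if current and current.status:
        exchanges.append(current)
    return exchanges


def findings(exchanges):
    """Flag 405s for methods the CORS header lists, and version banners in bodies."""
    out = []
    for ex in exchanges:
        # The header appears comma-separated and space-separated in the logs above.
        listed = re.split(r"[,\s]+", ex.headers.get("access-control-allow-methods", "").strip())
        if ex.status == 405 and ex.method in listed:
            out.append((ex.url, ex.method, "405 although CORS header lists the method"))
        banner = BANNER.search("\n".join(ex.body))
        if banner:
            out.append((ex.url, ex.method, "server version in error page: " + banner[1]))
    return out


if __name__ == "__main__":
    for item in findings(parse_exchanges(SAMPLE_LOG)):
        print(item)
```
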