Update the server URL on server address change

Open maranov opened this issue 5 years ago • 48 comments

Is your feature request related to a problem? Please describe.

Hi, I've changed the address of my NC server and set up a redirect to the new address. I was unable to change the URL in the app and had to re-add the account instead.

Describe the solution you'd like

Since changing the URL from the app might be considered a security issue (#3877), I'd like to propose the app changing the URL automatically, when receiving "301 Moved Permanently" response from the server.

Describe alternatives you've considered

Changing the URL manually via settings, but that is not available either.

Additional context

It seems that the Desktop client has this functionality and has updated the URL on its own after my changes.

maranov avatar Jun 16 '19 16:06 maranov

This is also an issue for me. I was able to happily update the URL defined in the nextcloud.cfg file in appdata on Windows, but on Android I could not find where the cfg file is.

mixxit avatar Jul 13 '19 15:07 mixxit

Hey, I would work on this issue. I would extend the dotmenu within manage account with an option to edit the server credentials.

AlexNi245 avatar Aug 02 '19 13:08 AlexNi245

@AlexNi245 thanks for offering to pick this one up. We do need some feedback from @tobiasKaminsky first though since:

  • changing the server address is considered a security issue, see #3877

so the only part that is likely up for discussion:

  • app changing the URL automatically, when receiving "301 Moved Permanently" response from the server

which would require a completely different approach, and it is also unclear to me whether this should be implemented.

AndyScherzinger avatar Aug 02 '19 14:08 AndyScherzinger

  • changing the server address is considered a security issue, see #3877

We indeed should not do this. In my opinion/experience this is a very rare case and then it is ok to have a new account (for example, on Google you also cannot change your ID without creating a new account and removing the other).

  • app changing the URL automatically, when receiving "301 Moved Permanently" response from the server

I am not entirely sure, but if we get 301, we do follow this. While it is not ideal to then have two calls, nowadays that should not matter too much.

tobiasKaminsky avatar Aug 05 '19 11:08 tobiasKaminsky

Why are you so inconsistent in the manual configuration for desktop and mobile clients? Are desktop clients more secure than mobile clients and why? Changing a server address on a desktop client is not an issue via the nextcloud cfg file, although its alternative in a mobile app is not to be found. Reconfiguring (removing/re-adding) a server on a mobile app would remove the queued auto-upload list, which would require manual sync for every auto-upload folder, and their addition and configuration every time the server address changes. In my case the server address change is temporary, accomplishing this via the desktop client is trivial, I would like it to be similar on mobile.

realies avatar Sep 14 '19 13:09 realies

I just would like to confirm that many users like myself would have loved such a feature (as it still exists in the OC client btw.), given sometimes even big providers like Hetzner need to change their server names — affecting hundreds if not thousands of users. https://wiki.hetzner.de/index.php/Storage_Share/en#Renaming

Hetzner recommends creating a new profile, but then the average user would have to download everything again, right?

(Which might be even worse if you have a lot of files in different folders that you do not want to sync, meaning that you had to click on every single file you want to be synced to your phone. This could take ages…)

redtux avatar Sep 15 '19 21:09 redtux

Okay, I have now read #3877 again, and from this statement it seems that this will not be fixed. https://github.com/nextcloud/android/issues/3877#issuecomment-495194482 So the files stay on the smartphone and the app will know which one to sync and which one not?

redtux avatar Sep 15 '19 21:09 redtux

Unfortunately the app does not even follow the Moved Permanently. The Android app says in notifications: Hochladen fehlgeschlagen, Moved Permanently. In app: "Server nicht verfügbar". Recreating the account means for me:

  • downloading about 30GB of music, audiobooks.. again (not an entire folder -> I have to check which I want to download).
  • telling other apps where to find the files.
  • losing some metadata, e.g. listening state of audiobooks
  • reconfiguring autoupload, contacts backup... AND: I am not the only user of my nextcloud.

In my case the old URL will be available as long as I want. But: I moved from folder to subdomain and RewriteBase in the .htaccess file of nextcloud has to point to either / or /nextcloud. Because of that I cannot have both URLs working at the same time.

fafische avatar Apr 28 '20 19:04 fafische

@fafische Very similar issue here! Because of changes on ISP's side I've recently had to jump between IPv6 and IPv4 addresses and then to a DNS name. And every time it's not only just transfer of lots of data, but also all kinds of metadata updates related to it

I hope this issue can be prioritized

maxim-kukushkin avatar May 11 '20 00:05 maxim-kukushkin

From what I understand, this is a "feature" and will not be fixed (which means others decide for us what is good or right). The only solution I could find so far is to create a new profile, to stop syncing, and then to move all the synced files locally. Worked for me at least…

redtux avatar Jul 12 '20 10:07 redtux

Please, this is a very needed feature. If I now move nextcloud from a host subfolder to e.g. cloud.domain.com, then all users need to re-setup their mobile clients.

Desktop respects redirects and did not cause any error in testing, but for Android it does not fully work.

Client will fetch the file list by following the redirect, but will not be able to create/change/upload new files, will not be able to fetch activity etc. It always goes to the old URL and simply stops when redirected.

GAS85 avatar Jul 31 '20 07:07 GAS85

I'd like to vote for this as well, I have my nextcloud running at home, and was using my ISP provided domain for my house (username.ispname.net), but I have just moved house to a location where my previous ISP is no longer available.

I have set up my nextcloud at the new house under a proper domain name, and currently have a Raspberry Pi sitting at my old flat with an SSH forwarding rule to tunnel any traffic to the old URL to my new house. This lets the cloud work (slowly) until I terminate my ISP contract and sell the old flat.

We have two accounts on mobile phones which use the nextcloud as an automatic photo backup, and I would like to migrate both phones (since the desktop clients you can edit the config file) without the phones getting confused over the 10s of GBs of photos (one phone also has a 30GB holiday photo folder synced from the nextcloud, I don't want to resync this in either direction!)

I can set a 301 permanently moved on the pi instead of the ssh tunnel, but from what I read here the Android client doesn't respect this and move anyway. I will have to give up the old domain in a few weeks.

From a security perspective, can't you have the option to "migrate URL" and have the client check the identity of the nextcloud server as a security step? If you're paranoid about someone pointing it to their own cloud, this should address the problem.

You used the example of migrating google accounts, but this is more like if microsoft moves the mail server from mail.hotmail.com to mail.live.com (made up examples), but with the same accounts, you don't want to have to re-sync your whole mailbox.

mm0zct avatar Aug 20 '20 17:08 mm0zct

You used the example of migrating google accounts, but this is more like if microsoft moves the mail server from mail.hotmail.com to mail.live.com (made up examples), but with the same accounts, you don't want to have to re-sync your whole mailbox.

Good example, but then all users would have to re-setup all their mail clients, which is the same you would have to do on Android Files. Solution is to have a redirect.

With some proper check, as you mentioned, this indeed might work and be transparent to user. Currently I fear that we do not have time to work on such feature, but contributions are welcome :+1:

tobiasKaminsky avatar Aug 21 '20 09:08 tobiasKaminsky

@tobiasKaminsky: You proposed that the use case of switching the URL where the nextcloud server is to be reached was an edge case. So let me add our (family home server raspi nextcloud) scenario as one more data point that this missing feature is really annoying. I started with one raspi at one fixed IP, just reachable in our local network. Some phone was set up with the local IP, some with the pure unix host name ("raspberrypi"), and now I try to do the next step and make the server reachable from the wide wide web using a dynamic DNS entry.

Sorry that I've not thought about all the implications in the first place and just started to use nextcloud because I thought that it was flexible and customizable. Turns out it isn't, at least this issue (and the bug that links here) is a complete deal breaker for me. And now I have to make some good points to my family members why we don't just move all our stuff to dropbox or google drive. Have you ever considered what security issue that is?

On the other hand I read the complete discussion and there was just no argument at all that clearly explains why modifying the URL of an existing account is a security issue. Just analogies that just don't work in my head, so I'd like to give you another:

Backup is going to some server at dont.givea.where via ssh. And now for one out of a gazillion reasons it is reachable on another URL. And in analogy to this app my rsync would prompt me with an error: sorry, but you have sworn an oath to always use dont.givea.where as home base, so to move somewhere else you have to disguise your old identity, start over fresh at the new url (and don't think about making an incremental backup there it could all fall back on you later).

@AlexNi245 have you considered forking the app? If so, please let me know.

benjaminbertram avatar Nov 09 '20 21:11 benjaminbertram

For me this feature certainly isn't a deal breaker. I'm very happy with both, Nextcloud and the Android app. But this feature would make changing the server URL much easier. Especially when you have users, who are not that good at configuring such things.

That being said, I had a very pleasant experience with Thunderbird and its calendar feature. I recently changed my server URL and at the old URL I created a 301 Moved Permanently redirect to the new URL. At first Thunderbird kept using the old URL but it followed the redirect, so everything was still working. After some time I restarted Thunderbird and then it told me that a redirect is happening, showed me both, the old and the new URL, and asked me if I want to update the configuration to use the new URL. All I had to do was click on yes. I think that is a very good example of how it could work.

zroug avatar Nov 10 '20 00:11 zroug

The UX @zroug mentioned seems to be a nice middle way:

  • It lets user change url
  • url cannot be randomly re-assigned
  • user, as last resort, has to accept it

tobiasKaminsky avatar Nov 10 '20 11:11 tobiasKaminsky

I am another user wanting to update the server URL. I have just created a nextcloud server inside a NAT with port forwarding. When I connect to my nextcloud locally, it's with a 192.168.* address. When I connect remotely, it's with a fqdn URL. What I really want is to have multiple URLs for the same server in the app and have the app intelligently try both. However, I'm willing to re-enter the URL once or twice a day when I'm at home or remote. How else is the home user supposed to use a home nextcloud?

BTW, since you are OK with people editing the URL in the desktop app, you should accept editing it on the phone apps. Phones are much more secure than desktops: With physical access, a bad actor can edit the locked desktop's nextcloud cfg file by mounting the hard drive on another computer. Physical access to a phone still doesn't let them edit anything until the phone is unlocked. The phone apps need less protection against bad actors than the desktops, not more.

RubinXnibu avatar Dec 03 '20 23:12 RubinXnibu

+1

My girlfriend and I got married and she changed her domain from FirstName-OldLastName.co.uk to FirstName-NewLastName.co.uk - but not being able to change this in the app is a real PITA :(

add1989 avatar Mar 14 '21 23:03 add1989

As a workaround, why not delete the app and re-install it and configure it for the new domain name?

RubinXnibu avatar Mar 23 '21 00:03 RubinXnibu

@RubinXnibu Unfortunately, in cases where you have synced a lot of data this is no workaround. 😕

redtux avatar Mar 23 '21 02:03 redtux

I don't think proposing a config change in case of a 301 solves the issue.

I have a Nextcloud instance which is reachable using multiple domains (blame Hetzner), so there is no old and new one. This works without problems, apart from the fact that OnlyOffice only works on one of those domains (which sometimes changes; blame my setup).

Since there is no option in the Nextcloud mobile app to change the URL of the server, the only way is to delete the old account and add the same account with the new URL. Since this involves moving the synced files and re-configuring of the auto-uploads every time, this is annoying. :/

(As noted before, this is not a problem with other apps that use my nextcloud shares, for example my password manager. 😅)

stefan2904 avatar Apr 04 '21 12:04 stefan2904

Given your security concerns, could it be an option that the server also authenticates with the app, so that the app could detect if it is talking to the same server or a new (potentially malicious) server?

stefan2904 avatar Apr 04 '21 12:04 stefan2904

that the app could detect if it is talking to the same server

I hope this could be done via HTTP Public Key Pinning (HPKP) by adding the hash of server 1 key and the hash of server 2 key in both server configurations.

GAS85 avatar Apr 22 '21 07:04 GAS85

@GAS85 "Public Key Pinning mechanism was deprecated in favor of Certificate Transparency and Expect-CT header." https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

redtux avatar Apr 22 '21 14:04 redtux

I have changed the Port where Nextcloud is running at. Previously I had it running on Port 8080 and now migrated it to Port 443. I noticed after a few days that my Instant Upload was not working anymore. I had a 301 Redirect on Port 8080. Now I removed the redirect and simply run Nextcloud on both ports. That seems to work fine, however it would be nice to add the possibility to change the Server URL in the Nextcloud app so at some point in time I can close port 8080.

NoelzeN avatar May 10 '21 08:05 NoelzeN

I've needed this feature on more than a dozen occasions, including right now.

realies avatar Oct 21 '21 20:10 realies

+1

gomme600 avatar Dec 04 '21 14:12 gomme600

From a security perspective, can't you have the option to "migrate URL" and have the client check the identity of the nextcloud server as a security step? If you're paranoid about someone pointing it to their own cloud, this should address the problem

I want to mention that if security is the only reason holding this feature back, then it has already failed: if I control DNS (e.g. with Pi-hole) and redirect the user to a "bad" server, then I can already see the user's login name and password through the file list operation, but other functionality simply does not work, which seems like a clear bug to me:

Client will fetch the file list by following the redirect, but will not be able to create/change/upload new files, will not be able to fetch activity etc. It always goes to the old URL and simply stops when redirected.

GAS85 avatar Dec 15 '21 10:12 GAS85

I am with most of the people here:

  • I am again in the situation where I need to change the URL
  • Redirect is not an option anymore (no control over the old domain)
  • Imo, preventing the URL change has no security benefits. Malicious users with access to the device can already access all data, can redirect DNS, can install VPN, etc. etc.

danieldietsch avatar Apr 07 '22 15:04 danieldietsch

tl;dr: Implement a server fingerprint, allow the server URL to be changed as long as the fingerprint remains the same.

I just ran into this issue and it's definitely going to be a headache. Not everyone is hosting Nextcloud on a public domain. IP addresses change, Dynamic DNS providers come and go, and the idea that a malicious actor with physical access to your phone could change the domain in the settings, but somehow not just recreate the account like we're being told to do, is a stretch.

There are ways to ensure the authenticity of a remote server, but DNS certainly isn't one of them. From a security standpoint the DNS response should be considered untrusted anyway, and the authenticity of the server should be verified via HTTPS or some type of server fingerprint instead. What threat vector is this trying to protect against?

Problems with current "solution" (New account setup):

  • App loses knowledge of which files have been auto-synced
    • Either you re-upload everything, or you only upload future files (and miss anything created between the last successful auto sync & the new account being configured)
  • Requires manually setting up all account settings, auto-sync, etc. every time on every single device
  • Time consuming, frustrating

Problems with proposed solution (301 Redirect):

  • Not exactly a Dynamic DNS-friendly solution for home users
  • Assumes you have access to a web server running at the original domain to return the 301
    • If you still have access to the previous domain, why are you trying to change it in the app?
  • If this is being argued as a security feature, this assumes the authenticity of the 301 message is being verified.
    • The Android app certainly didn't complain about the self-signed certificate being used on my Nextcloud server, so how is this preventing an (arguably easier) DNS hijack on the local network from returning a 301 to every single user on the network instead of having to manually reconfigure every endpoint device?
  • Many comments indicate that the 301 doesn't work for the Android app anyway. I haven't tested it personally.
  • Will the app update the server settings after receiving a 301, or must the 301 be hosted in perpetuity?

That being said, I do believe a (properly verified) 301 would be the appropriate way to go for a production system at scale with lots of users if possible. It's just not necessarily feasible for every deployment or in every situation.

Possible solutions: (I vote for option 2)

  1. Leave device security up to the user & allow them to change the domain/IP
    • Developers have made it pretty clear they're not supportive of this option
  2. Implement a server fingerprint that can be verified by the client app (similar to SSH, Signal protocol, etc.)
    • If the user changes the server URL, still enforce the original server fingerprint
    • If the fingerprint ever changes, warn the user of possible MitM/redirect
    • Optionally, force the user to do the manual account re-creating on server fingerprint change
  3. Pin the HTTPS certificate on initial server connection
    • If the certificate ever changes, alert the end user and/or force account re-creation
    • This is less ideal than the fingerprint, since certificates expire and would likely change with the domain
  4. Provide an option in the Nextcloud server settings to enable/disable the user's ability to change the server information in the app
    • Those running this at home and small-scale deployments can assume the risk that comes with this feature
    • Large-scale production deployments could disable this feature for their users, either globally or on a per-user/group basis

waydwnsouth avatar Apr 09 '22 07:04 waydwnsouth
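
The fingerprint check proposed as option 2 in the comment above, combined with the confirm-before-update prompt discussed earlier in the thread, can be expressed as a small decision function. This is an added example, not part of the original thread and not code from the Nextcloud Android app; `Account`, `Decision` and `evaluate_move` are hypothetical names, the key bytes are constructed placeholders, and the server is assumed to have proved possession of the presented key in the TLS handshake, which the code does not perform.

```python
import base64
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Decision(Enum):
    KEEP = "keep the stored URL"
    ASK_USER = "identity matches: show old and new URL, let the user confirm"
    REJECT = "warn the user: possible MitM or hostile redirect"


@dataclass(frozen=True)
class Account:
    base_url: str   # URL stored when the account was created
    pinned_fp: str  # fingerprint recorded on first connection (trust on first use)


def fingerprint(server_public_key: bytes) -> str:
    """SSH-style fingerprint: unpadded base64 of SHA-256 over the key bytes."""
    digest = hashlib.sha256(server_public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def evaluate_move(account: Account, status: Optional[int],
                  new_url: str, presented_key: bytes) -> Decision:
    """Decide whether the stored server URL may be replaced by new_url.

    status is the HTTP status that announced the move, or None when the
    user typed the new URL by hand. presented_key is the public key the
    server at new_url proved possession of (assumed: via the TLS handshake).
    """
    # Temporary redirects are followed per request but never persisted.
    if status is not None and status not in (301, 308):
        return Decision.KEEP
    if new_url.rstrip("/") == account.base_url.rstrip("/"):
        return Decision.KEEP
    target = urlsplit(new_url)
    # Never persist a move to plaintext HTTP or to a URL without a host.
    if target.scheme != "https" or not target.hostname:
        return Decision.REJECT
    # The URL may change, the server identity may not.
    if fingerprint(presented_key) != account.pinned_fp:
        return Decision.REJECT
    return Decision.ASK_USER


# Constructed sample data: placeholder bytes standing in for two servers' public keys.
HOME_SERVER_KEY = b"constructed-public-key-of-the-real-server"
OTHER_SERVER_KEY = b"constructed-public-key-of-some-other-server"


def demo():
    acct = Account("https://example.org/nextcloud", fingerprint(HOME_SERVER_KEY))
    new = "https://cloud.example.org/"
    return {
        "301, same key": evaluate_move(acct, 301, new, HOME_SERVER_KEY),
        "301, different key": evaluate_move(acct, 301, new, OTHER_SERVER_KEY),
        "302, same key": evaluate_move(acct, 302, new, HOME_SERVER_KEY),
        "manual edit, same key": evaluate_move(acct, None, new, HOME_SERVER_KEY),
        "301 to http": evaluate_move(acct, 301, "http://cloud.example.org/", HOME_SERVER_KEY),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24} -> {decision.name}")
```

Because the decision depends on the pinned key rather than on DNS or on who controls the old domain, the same check covers a 301 from the old host and a URL typed in by hand after the old domain is gone.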