Connecting through zero trust access proxies

Open aniqueta opened this issue 3 years ago • 9 comments

Steps to reproduce

  1. Place Nextcloud server address behind zero trust access proxy like Cloudflare Access, Pomerium, etc.
  2. Attempt to set up an account in the iOS app; enter the server address normally, e.g., https://my.nextcloud.org

Expected behaviour

The iOS app shows the web-based authentication page for the access proxy, and after passing through that access proxy, it caches the authentication tokens, and the Nextcloud authentication pops up (or does not if it's configured for SSO). By caching the authentication tokens, normal usage of the app is allowed until they expire. When they expire, the app throws up the access proxy authentication page to refresh the access tokens.

Actual behaviour

After entering the server address and tapping log in, the iOS app produces this error "Connection error 200: Transfer stopped."

Reasoning or why should it be changed/implemented?

This makes a zero trust configuration impossible if one wants to allow the server's users to use the iOS app. This will be increasingly important for enterprise users.

Environment data

Nextcloud iOS app version: 3.3.1.1

aniqueta avatar Apr 04 '21 02:04 aniqueta

The ability to set a client side header that can use a service token would be a great alternative.

Or, Cloudflare only: Basic auth credential input client side and a Cloudflare Worker that converts Basic auth to a service token.

We need something for this.

0dragosh avatar Oct 10 '21 18:10 0dragosh
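
The Basic-auth-to-service-token Worker proposed in the comment above, written out as an added example; it is not code from this issue, from Nextcloud or from Cloudflare. It assumes the client presents the Access service token's Client ID and Client Secret as its Basic username and password (the Nextcloud apps have no separate field for a proxy credential, which is the gap the comment is describing), that the Worker's route fronts an Access-protected origin at the hypothetical host my.nextcloud.org, and that a rejected token comes back from Access either as a redirect to its /cdn-cgi/access/ login path or as an HTML page with status 200. The latter is the response the iOS app reports as "Connection error 200", so the Worker turns it into a 401 with a challenge. ORIGIN_HOST, API_PATH and the helper names are assumptions, not anything the thread names.

```javascript
// Added example: a Cloudflare Worker that converts HTTP Basic credentials from a
// client into the Cloudflare Access service-token headers. Not Nextcloud or
// Cloudflare project code. Assumptions: Basic username = service-token Client ID,
// Basic password = Client Secret; ORIGIN_HOST and API_PATH are hypothetical.

const ORIGIN_HOST = "my.nextcloud.org"; // hypothetical Access-protected origin

// Nextcloud client endpoints that must never answer with an HTML login page.
const API_PATH = /^\/(status\.php|ocs\/|remote\.php\/)/;

// Parse "Authorization: Basic base64(user:pass)". Null on anything malformed.
function parseBasicAuth(header) {
  if (!header) return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return null;
  let decoded;
  try {
    decoded = atob(m[1]);
  } catch {
    return null;
  }
  const sep = decoded.indexOf(":");
  if (sep <= 0) return null; // no separator or empty username
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// A 401 with a challenge gives a non-browser client something it understands,
// instead of a 200 carrying an HTML login page. The token is never echoed.
function unauthorized(detail) {
  return new Response(JSON.stringify({ error: detail }), {
    status: 401,
    headers: {
      "Content-Type": "application/json",
      "WWW-Authenticate": 'Basic realm="nextcloud-access-proxy"',
    },
  });
}

// Same method, path and body, re-pointed at the origin, with the client's
// Authorization header replaced by the two headers Access checks. Dropping
// Authorization keeps the token from reaching Nextcloud as a bogus login.
function buildUpstreamRequest(request, creds) {
  const url = new URL(request.url);
  url.hostname = ORIGIN_HOST;
  const headers = new Headers(request.headers);
  headers.delete("Authorization");
  headers.set("CF-Access-Client-Id", creds.user);
  headers.set("CF-Access-Client-Secret", creds.pass);
  return new Request(url.toString(), {
    method: request.method,
    headers,
    body: request.body,
    redirect: "manual", // surface Access's login redirect instead of following it
  });
}

// Was the origin-side answer really Access refusing the token? Assumed forms:
// a redirect to the /cdn-cgi/access/ login path, or a 200 text/html page on a
// path where Nextcloud clients expect JSON or WebDAV.
function accessRejected(status, headers, path) {
  const location = headers.get("Location") || "";
  if (status >= 300 && status < 400 && location.includes("/cdn-cgi/access/")) return true;
  const ctype = (headers.get("Content-Type") || "").toLowerCase();
  return status === 200 && ctype.startsWith("text/html") && API_PATH.test(path);
}

// fetchFn is injectable so the logic can be exercised without a network.
async function handleRequest(request, fetchFn = fetch) {
  const creds = parseBasicAuth(request.headers.get("Authorization"));
  if (!creds) return unauthorized("missing or malformed Basic credentials");
  const upstream = await fetchFn(buildUpstreamRequest(request, creds));
  if (accessRejected(upstream.status, upstream.headers, new URL(request.url).pathname)) {
    return unauthorized("access proxy rejected the service token");
  }
  return upstream;
}

// Worker entry point (service-worker syntax). Absent under Node, so the file
// can also be loaded in Node 18+ for local testing.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The same file runs under Node 18+ for local testing because the fetch API globals (Request, Response, Headers, atob) exist there. Two points matter for the security of this arrangement: the Access application must carry a Service Auth policy so that only the token is accepted, and the Worker route itself must sit outside the Access application, otherwise the Worker's own request would be challenged as well. The Worker strips the client's Authorization header before forwarding and never echoes the token in an error body.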

Yes, I have deployed zero trust on all my apps since it's free, so why the hell not! I get the same 200 error with Nextcloud sadly. I was looking for an alternative, maybe auth with a cert to bypass the Cloudflare proxy, but no luck. This would increase security massively.

SeaniedIRE avatar Jan 23 '22 17:01 SeaniedIRE

mTLS for Cloudflare Access is not free, FYI.

0dragosh avatar Jan 23 '22 19:01 0dragosh

While my Nextcloud web UI is working under Cloudflare Zero Trust, the mobile/desktop apps receive a 403 when trying to access the Nextcloud server, even if the account has already been registered (using http/https endpoints).

Maybe this is related to the token Cloudflare releases to the client after authorization being missing, and it could be bypassed by whitelisting the app user agent or by passing a specific custom header that is whitelisted, again, in the Cloudflare WAF.

fabriziosalmi avatar Feb 10 '22 17:02 fabriziosalmi

This is the same error seen when a Nextcloud instance is sitting behind a Traefik reverse proxy with a forward-authentication service like Google OAuth2.

Accessing Nextcloud from a web browser works fine: the user gets redirected to authenticate with the OAuth2 provider and then gets redirected back to the instance.

Is this something planned to get fixed or functionality added to support these use cases of self hosting?

attzonko avatar Jun 06 '22 10:06 attzonko

I'm having the same problem. I've tried modifying 'overwriteprotocol' and 'overwritehost' in config.php, as some others on the web have been indicating, but with no joy. Access via a browser (even on iOS) works fine, but the Nextcloud companion app errors out with NSURLError -999...

SolarCzar avatar Jul 09 '22 23:07 SolarCzar

I second this. A lot of us are running Nextcloud on non-dedicated local infrastructure, and we need some sort of access policy to protect it, instead of just opening the firewall port forwarding and relying on internal security. A service authentication token would be a good start and low-hanging fruit. Easy to implement, easy to set up.

phantomski77 avatar Mar 20 '23 10:03 phantomski77

Another vote for addressing this issue. I have migrated my self-hosted apps to Cloudflare Tunnels using Google OAuth; the app is now useless since it doesn't account for an auth redirect prior to landing at the login page.

laszlo462 avatar Jun 05 '23 18:06 laszlo462

bumping again

aiohdfgaiuhg avatar Apr 26 '24 07:04 aiohdfgaiuhg