
[BUG] "Block AI and Crawlers" blocks CalDAV / CardDAV and SSO

Open Morethanevil opened this issue 4 months ago • 4 comments

Describe the bug: I just tried out the new security features and after enabling the new "Block AI and Crawlers" feature, my Nextcloud is not able to sync via CalDAV anymore. I only get an error message on Android, but nothing in Zoraxy's logs.

If I enable this feature for my Authentik host, some clients cannot log in anymore, Vikunja for example (Internal server error). Maybe the same issue. "Block common exploits" works fine for those hosts.

To Reproduce: Steps to reproduce the behavior:

  1. Have a running Nextcloud
  2. Enable this feature
  3. Try to sync contacts or calendars via CalDAV / CardDAV
  4. HTTPS web UI works fine, only CalDAV / CardDAV sync does not work anymore

Expected behavior: Sync without errors :)

Host Environment (please complete following information, DO NOT REMOVE ANY FIELD(S)):

  • Arch: AMD64
  • OS: Ubuntu server 24.04 x64
  • Version Zoraxy v3.3.0 branch
  • Are you using Docker? No

Morethanevil, Nov 10 '25 00:11

@Morethanevil Can I have the links or paths for the mis-blocked requests? I guess there might be something wrong with the filtering regex, but I am not sure.

tobychui, Nov 10 '25 05:11

Callback URLs for Authentik are similar to this:

https://my.domain.com/auth/openid/authentik

Authentik is the name of the SSO provider in this case. Authelia, Keycloak and others are using this scheme too.

https://my.domain.com/auth/openid/callback

This is a standard callback URL, mostly used

Rewrite rules for CalDAV / CardDAV in Apache are:

RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

Hope this helps :)

Morethanevil, Nov 10 '25 07:11

Well, I have checked the regex but I have no idea what the issue might be here. I did add the exception for .well-known, since it is supposed to be used by bots and sometimes crawlers.

I guess the best setup here will be to disable this on auth-related hostnames.

tobychui, Nov 10 '25 13:11
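The two comments above (the CalDAV/CardDAV discovery redirect to remote.php/dav/ and the SSO callback URLs on one side, the .well-known exception and the "disable on auth hostnames" workaround on the other) describe an allowlist-before-blocklist structure for a crawler filter. The following Go program is an added example, not Zoraxy's code: it does not reproduce Zoraxy's real filter, whose regex is not shown in the thread. It models a hypothetical bot-blocking middleware in which path exemptions and a per-host opt-out are evaluated before any crawler signature check, then probes it offline with the paths from this thread. The hostnames, the User-Agent strings, the `botUA` signature regex and the function names are all assumptions; the DAV probes use PROPFIND because that is the method CalDAV/CardDAV clients actually send, so a filter that only expects GET/POST would also show up here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Hypothetical exemption list for a crawler/AI-blocking middleware.
// The prefixes come from the thread: the .well-known CalDAV/CardDAV
// discovery URLs, the Nextcloud DAV endpoint they redirect to, and the
// OpenID callback paths used by Authentik/Authelia/Keycloak.
var exemptPathPrefixes = []string{
	"/.well-known/",
	"/remote.php/dav/",
	"/auth/openid/",
}

// Hostnames on which the bot filter is switched off entirely, the
// workaround suggested above for SSO hosts. The value is a placeholder.
var authHosts = map[string]bool{
	"auth.example.com": true,
}

// Stand-in crawler signature (assumption, not Zoraxy's list); real filters
// carry far more patterns. It exists only so the middleware can block something.
var botUA = regexp.MustCompile(`(?i)(bot|crawler|spider)`)

// BypassBotFilter reports whether a request must skip the crawler filter:
// either the whole host is opted out, or the path is an exempt prefix.
func BypassBotFilter(host, path string) bool {
	if authHosts[strings.ToLower(host)] {
		return true
	}
	for _, p := range exemptPathPrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// ShouldBlock is the middleware's decision: exemptions are checked first,
// and only non-exempt requests with a crawler-looking User-Agent are blocked.
func ShouldBlock(host, path, userAgent string) bool {
	if BypassBotFilter(host, path) {
		return false
	}
	return botUA.MatchString(userAgent)
}

// BotFilter wraps a backend handler; blocked requests get 403 and never reach it.
func BotFilter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ShouldBlock(r.Host, r.URL.Path, r.UserAgent()) {
			http.Error(w, "blocked by crawler filter", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory request through the filter to a backend that
// always answers 200, and returns the status the client would see.
func Probe(host, method, path, userAgent string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "https://"+host+path, nil)
	req.Header.Set("User-Agent", userAgent)
	BotFilter(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed probes: the first three mirror the requests reported as
	// broken in this thread, the last is a crawler that should still be blocked.
	probes := []struct{ host, method, path, ua string }{
		{"cloud.example.com", "PROPFIND", "/.well-known/caldav", "DAVx5/4.4 (Android)"},
		{"cloud.example.com", "PROPFIND", "/remote.php/dav/", "DAVx5/4.4 (Android)"},
		{"my.domain.com", "GET", "/auth/openid/callback", "Vikunja"},
		{"cloud.example.com", "GET", "/", "Mozilla/5.0 (compatible; ExampleBot/1.0)"},
	}
	for _, p := range probes {
		fmt.Printf("%-8s %-24s %-40s -> %d\n", p.method, p.path, p.ua, Probe(p.host, p.method, p.path, p.ua))
	}
}
```

Running it prints 200 for the three DAV/SSO probes and 403 for the crawler. The point of keeping `BypassBotFilter` separate from the signature match is that it can be unit-tested against the exact paths a client is failing on, which is the check to run before concluding that the regex itself is wrong.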

I tried the latest commit, but Nextcloud still gives me a 404 for CalDAV if I enable this feature. I use DavX5 for syncing with Android. They provide a good debug.log. I am sending this to you via e-mail; it contains sensitive information, but it may help you troubleshoot.

Morethanevil, Nov 10 '25 15:11