This is a very quick tip that I just hope gets picked up by Google and saves somebody else some time.
If (like me) you run NextCloud on your own infrastructure to provide filesharing and collaboration services, and you run it behind Cloudflare, you may find yourself banging your head against the screen trying to work out why everything works except for uploading files through the web interface.
Instead, you’ll get an enigmatic “an unknown error occurred” message in the web interface, and absolutely nothing in the NextCloud logs. Looking in your browser network logs may give you a clue - the PUT request to the /remote.php/webdav URL will be getting HTTP/403 (forbidden) responses.
I am here to save you some debugging…
It turns out that if you use Cloudflare’s WAF “Managed Rules” (which I think are on by default, and which, even if they’re not, you probably should be using anyway), one of the rules in their ‘Managed OWASP’ ruleset is triggered by the PUT request from the NextCloud Web UI, and Cloudflare
The solution is simple. Go to your WAF configuration in Cloudflare (Security > WAF), and under Managed Rules you need to add an exception. Click “Add an exception”, and set some suitable criteria to match requests (e.g. the specific host or URI path of your NextCloud installation), and then “Skip specific rules from a managed ruleset”. The rule you want to skip is 949110: Inbound Anomaly Score Exceeded in the Cloudflare OWASP Core Ruleset.
Deploy your new rule, and hey-presto: working NextCloud through Cloudflare.
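
Why the match criteria for that exception matter, as an added example (not part of the original post and not Cloudflare's code): a simplified model of anomaly scoring in which detection rules only add to a score and 949110 is the rule that blocks. The hostname, the scores, the threshold and the second request are constructed for illustration.

```python
from dataclasses import dataclass

THRESHOLD = 40                        # constructed sample threshold
NEXTCLOUD_HOST = "cloud.example.com"  # assumed hostname

@dataclass
class Request:
    host: str
    method: str
    path: str
    matched_scores: tuple  # constructed scores of the detection rules tripped

def no_exception(req):
    return False

def broad_exception(req):
    """Skip 949110 for everything on the NextCloud host."""
    return req.host == NEXTCLOUD_HOST

def narrow_exception(req):
    """Skip 949110 only for uploads to the WebDAV endpoint."""
    return (req.host == NEXTCLOUD_HOST and req.method == "PUT"
            and req.path.startswith("/remote.php/webdav"))

def decide(req, exception):
    """Detection rules only add to the score; 949110 is the rule that blocks.
    A request matching the exception is never blocked by this ruleset."""
    if exception(req):
        return "allow (949110 skipped)"
    return "block (949110)" if sum(req.matched_scores) >= THRESHOLD else "allow"

# Constructed requests: a Web UI upload and an unrelated high-scoring request.
UPLOAD = Request(NEXTCLOUD_HOST, "PUT", "/remote.php/webdav/report.pdf", (25, 20))
OTHER = Request(NEXTCLOUD_HOST, "GET", "/index.php/login", (25, 25))

def compare():
    """Return each request's outcome under the three exception choices."""
    rules = {"none": no_exception, "broad": broad_exception, "narrow": narrow_exception}
    return {name: (decide(UPLOAD, exc), decide(OTHER, exc)) for name, exc in rules.items()}

if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:6} upload={outcome[0]!r} other={outcome[1]!r}")
```

In this model the host-only exception also lets the unrelated high-scoring request through, while the exception limited to PUT on /remote.php/webdav fixes uploads and leaves the rest of the host enforced.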