OK, digging a bit deeper, the clients are indeed querying the correct URLs as I’ve taken a log dump of the Windows client.
2023-03-02 16:22:12:422 [ info nextcloud.sync.networkjob.jsonapi C:\Users\sysadmin\AppData\Local\Temp\2\windows-13476\client-building\desktop\src\libsync\networkjobs.cpp:829 ]: JsonApiJob of QUrl("https://xxx.xxx.xxx/nextcloud/ocs/v1.php/cloud/user?format=json") FINISHED WITH STATUS "OK"
There are parallel 403s that align with these requests. In the case of the above, it looks like this:
Mar 02 16:21:46 DietPi apache2[1947977]: [authz_core:error] [pid 1947977:tid 140460974655232] [client 192.168.1.4:53370] AH01630: client denied by server configuration: /var/www/cloud
It appears something is happening with the request rewrite that’s allowing the actual request to go through (200 OK), but also triggering a 403. Let’s gather all the rewrite configs that I can find.
Here’s the default config file for the virtual host:
000-default.conf
<VirtualHost *:80>
ServerName xxx.xxx.xxx
RewriteEngine on
RewriteCond %{SERVER_NAME} =xxx.xxx.xxx
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Here’s the relevant portion of the .htaccess file located in the /var/www/nextcloud directory:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav|wasm|tflite)$
RewriteCond %{REQUEST_FILENAME} !/core/ajax/update\.php
RewriteCond %{REQUEST_FILENAME} !/core/img/(favicon\.ico|manifest\.json)$
RewriteCond %{REQUEST_FILENAME} !/(cron|public|remote|status)\.php
RewriteCond %{REQUEST_FILENAME} !/ocs/v(1|2)\.php
RewriteCond %{REQUEST_FILENAME} !/robots\.txt
RewriteCond %{REQUEST_FILENAME} !/(ocm-provider|ocs-provider|updater)/
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
RewriteRule . index.php [PT,E=PATH_INFO:$1]
RewriteBase /nextcloud
<IfModule mod_env.c>
SetEnv front_controller_active true
<IfModule mod_dir.c>
DirectorySlash off
</IfModule>
</IfModule>
</IfModule>
Here’s a config from /etc/apache/conf-enabled:
dietpi-dav_redirect.conf
# Redirect Cal/CardDAV requests to Nextcloud endpoint:
Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
Here’s a config from /etc/apache2/sites-enabled:
dietpi-nextcloud.conf
# Location: /etc/apache2/sites-available/dietpi-nextcloud.conf
# Based on: https://github.com/nextcloud/documentation/blob/72736bb04e1e207e1d9068ea30328f11485d4d03/admin_manual/installation/source_installation.rst#apache-web-server-configuration
# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
Redirect 301 /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo
<Directory /var/www/nextcloud>
Require all granted
AllowOverride All
Options FollowSymLinks
<IfModule mod_dav.c>
Dav off
</IfModule>
# https://github.com/MichaIng/DietPi/issues/3694
Header unset Content-Security-Policy
Header always unset Content-Security-Policy
</Directory>
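Added example, not part of the original post: a small Python check that takes each path denied in an AH01630 entry and lists which `<Directory>` blocks carrying `Require all granted` cover it. The helper names are hypothetical, the sample input is copied from the log line and dietpi-nextcloud.conf above, and only literal `<Directory>` paths are handled (no wildcards or `<DirectoryMatch>`).

```python
import re
from pathlib import PurePosixPath

# Sample input copied from the post: the error-log line and the <Directory> block.
ERROR_LOG = (
    "Mar 02 16:21:46 DietPi apache2[1947977]: [authz_core:error] "
    "[pid 1947977:tid 140460974655232] [client 192.168.1.4:53370] "
    "AH01630: client denied by server configuration: /var/www/cloud\n"
)
VHOST_CONF = """\
<Directory /var/www/nextcloud>
Require all granted
AllowOverride All
</Directory>
"""

AH01630 = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01630: "
    r"client denied by server configuration: (?P<path>.+)"
)
DIR_OPEN = re.compile(r'<Directory\s+"?(?P<path>[^">]+)"?\s*>', re.I)

def granted_directories(conf_text):
    """Paths of literal <Directory> blocks that contain 'Require all granted'."""
    granted, current = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        opened = DIR_OPEN.match(line)
        if opened:
            current = opened.group("path").strip().rstrip("/") or "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif current and re.fullmatch(r"require\s+all\s+granted", line, re.I):
            granted.append(PurePosixPath(current))
    return granted

def classify(log_text, conf_text):
    """For each AH01630 entry: (client, denied path, granted dirs covering it)."""
    granted = granted_directories(conf_text)
    report = []
    for m in AH01630.finditer(log_text):
        path = PurePosixPath(m["path"].strip())
        # Compare whole path components, not string prefixes.
        covering = [str(g) for g in granted if path == g or g in path.parents]
        report.append((m["client"], str(path), covering))
    return report

if __name__ == "__main__":
    for client, path, covering in classify(ERROR_LOG, VHOST_CONF):
        print(client, path, covering or "no granted <Directory> covers this path")
```

For the post's log line the covering list is empty: `/var/www/cloud` is neither `/var/www/nextcloud` nor a subdirectory of it, so the `Require all granted` in dietpi-nextcloud.conf does not apply to the denied path.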