Help to migrate Caddyfile V1 to V2 for Nextcloud

@Dougy If you can confirm that the fix works for you within the next couple days, I think we can get the fix merged in before the 2.0 release.

1 Like

@francislavoie I need your help as I do not know how to download your fix source code with git, here is what I tried :

root@caddytest:~ # git clone ""
Cloning into 'caddy'...
remote: Enumerating objects: 77, done.
remote: Counting objects: 100% (77/77), done.
remote: Compressing objects: 100% (52/52), done.
remote: Total 22243 (delta 42), reused 43 (delta 24), pack-reused 22166
Receiving objects: 100% (22243/22243), 12.75 MiB | 2.00 MiB/s, done.
Resolving deltas: 100% (13939/13939), done.
root@caddytest:~ # cd caddy/
root@caddytest:~/caddy # git checkout ca1df03a4a7a4896cd0a90db1dd7557b0d198816
fatal: reference is not a tree: ca1df03a4a7a4896cd0a90db1dd7557b0d198816

Yeah - the code is on my fork. Did you manage to check it out now?

$ git clone
$ git checkout origin/try-files-split-path

Yes, I compiled your fix, removed the @phpFiles rewrite in my Caddyfile, and it still works :slight_smile:


I found another bug, my header directive is not working properly because all header values are set twice.

Currently I have this in my Caddyfile for headers :

header {
        Strict-Transport-Security               max-age=15768000;
        X-Content-Type-Options                  nosniff
        X-XSS-Protection                        1; mode=block
        X-Robots-Tag                            none
        X-Download-Options                      noopen
        X-Permitted-Cross-Domain-Policies       none
        X-Frame-Options                         SAMEORIGIN
        Referrer-Policy                         no-referrer

But if you look at this sample request, some headers value are set twice such as “X-Frame-Options”: [“SAMEORIGIN”, “SAMEORIGIN”]

2020/04/23 15:18:33.447 INFO http.log.access.log0 handled request {"request": {"method": "PROPFIND", "uri": "/remote.php/dav/files/jacques/", "proto": "HTTP/1.1", "remote_addr": "", "host": "", "headers": {"Depth": ["0"], "Accept": ["*/*"], "X-Request-Id": ["4b32add6-36b7-4586-a52f-c0c43952f01a"], "Accept-Encoding": ["gzip, deflate"], "Accept-Language": ["en-US,*"], "Authorization": ["Basic amFjcXVlczo3VEQ1VkVob0k0M05qeXV5Qnh6Y1czYXRKY1lLTlM1WFZHODk4enVJeExTbmk3d25ZaTVzYTFWeEs1MFNyT1R4RGZOMTRlNng="], "User-Agent": ["Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)"], "Content-Type": ["text/xml; charset=utf-8"], "Cookie": ["oc_sessionPassphrase=zQUNkYPxfX530eWK7G9uMimSjjyB%2BTHng1V1m4%2B9uxCf3Dh%2Fri8sZ9VmzBq2hKRhOBzZ2Yn6W6fmZrIu%2BJ4Wow3JwFrcL4GWX2cR8OjFZ1%2B4aL42oidyXZrxvMWEd4Xc; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocih7olqwfvd=hijer9sh22bonifu30n7plh4c4"], "Content-Length": ["114"], "Connection": ["Keep-Alive"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "", "proto_mutual": true, "server_name": ""}}, "common_log": " - - [23/Apr/2020:17:18:33 +0200] \"PROPFIND /remote.php/dav/files/jacques/ HTTP/1.1\" 207 388", "latency": 0.115401907, "size": 388, "status": 207, "resp_headers": {"X-Xss-Protection": ["1; mode=block"], "Dav": ["1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar"], "Referrer-Policy": ["no-referrer", "no-referrer"], "X-Permitted-Cross-Domain-Policies": ["none", "none"], "Expires": ["Thu, 19 Nov 1981 08:52:00 GMT"], "X-Robots-Tag": ["none", "none"], "Vary": ["Brief,Prefer"], "X-Download-Options": ["noopen", "noopen"], "X-Frame-Options": ["SAMEORIGIN", "SAMEORIGIN"], "Status": ["207 Multi-Status"], "Content-Type": ["application/xml; charset=utf-8"], "Content-Security-Policy": ["default-src 'none';"], "Server": ["Caddy"], "Strict-Transport-Security": ["max-age=15768000;"], "X-Content-Type-Options": ["nosniff", "nosniff"], "X-Powered-By": ["PHP/7.4.5"], "Pragma": ["no-cache"], "Cache-Control": ["no-store, no-cache, must-revalidate"]}}

Hence I get errors in NextCloud security check :

@Dougy If you remove your header directive and try again, do the headers only appear once or not at all?

If I remove all header directives, I only get this warning :

2020/04/23 15:39:28.478 INFO http.log.access.log0 handled request {"request": {"method": "PROPFIND", "uri": "/remote.php/dav/files/jacques/", "proto": "HTTP/1.1", "remote_addr": "", "host": "", "headers": {"Content-Type": ["text/xml; charset=utf-8"], "X-Request-Id": ["8afac727-8da7-425c-a78c-0395919604f2"], "Content-Length": ["105"], "Connection": ["Keep-Alive"], "Depth": ["0"], "User-Agent": ["Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)"], "Accept-Encoding": ["gzip, deflate"], "Accept-Language": ["en-US,*"], "Authorization": ["Basic amFjcXVlczo3VEQ1VkVob0k0M05qeXV5Qnh6Y1czYXRKY1lLTlM1WFZHODk4enVJeExTbmk3d25ZaTVzYTFWeEs1MFNyT1R4RGZOMTRlNng="], "Accept": ["*/*"], "Cookie": ["oc_sessionPassphrase=zQUNkYPxfX530eWK7G9uMimSjjyB%2BTHng1V1m4%2B9uxCf3Dh%2Fri8sZ9VmzBq2hKRhOBzZ2Yn6W6fmZrIu%2BJ4Wow3JwFrcL4GWX2cR8OjFZ1%2B4aL42oidyXZrxvMWEd4Xc; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocih7olqwfvd=hijer9sh22bonifu30n7plh4c4"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "", "proto_mutual": true, "server_name": ""}}, "common_log": " - - [23/Apr/2020:17:39:28 +0200] \"PROPFIND /remote.php/dav/files/jacques/ HTTP/1.1\" 207 387", "latency": 0.11005796, "size": 387, "status": 207, "resp_headers": {"Content-Type": ["application/xml; charset=utf-8"], "X-Robots-Tag": ["none"], "Referrer-Policy": ["no-referrer"], "Dav": ["1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar"], "Server": ["Caddy"], "Status": ["207 Multi-Status"], "Expires": ["Thu, 19 Nov 1981 08:52:00 GMT"], "Pragma": ["no-cache"], "X-Frame-Options": ["SAMEORIGIN"], "Content-Security-Policy": ["default-src 'none';"], "X-Powered-By": ["PHP/7.4.5"], "Vary": ["Brief,Prefer"], "X-Xss-Protection": ["1; mode=block"], "X-Download-Options": ["noopen"], "X-Content-Type-Options": ["nosniff"], "X-Permitted-Cross-Domain-Policies": ["none"], "Cache-Control": ["no-store, no-cache, must-revalidate"]}}

Perfect, so I think all you need is to set that one header (Strict-Transport-Security) as it seems that the backend is probably setting all the other necessary headers. You can verify by adding this to the top of your Caddyfile:


which will enable debug logging, and you can see what response headers the backend is setting.

Thank you @matt, everything works like it’s supposed to be now.

Here is my latest Caddyfile v2 for NextCloud provided as a reference (it’s only working with @francislavoie fix which hopefully will be merged into v2 release) : {

        root    * /usr/local/www/nextcloud
        log {
                output file     /var/log/
                format single_field common_log


        header {
                # enable HSTS
                Strict-Transport-Security max-age=31536000;

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path    /.htaccess
                path    /data/*
                path    /config/*
                path    /db_structure
                path    /.xml
                path    /README
                path    /3rdparty/*
                path    /lib/*
                path    /templates/*
                path    /occ
                path    /console.php

        respond @forbidden 404


This one is easy… I had the same issue with the v1 config. Nextcloud already provides all theose headers, except for HSTS. that is the only one you need to set in your Caddyfile. The rest are returned by reverse_proxy.

Thanks @francislavoie for this. Nextcloud was my next conversion to v2 after my little MTA-STS issue ealier with not understanding matchers. I had a similar issue with another PHP app as well that I will try again with your @phpFiles fix.


Hey @Dougy, I think I’m having a similar issue but I can’t get your Caddyfile to work. Do you mind sharing your docker-compose.yml or docker run command?

I would like to add one more modification. With Caddy v2.1 (in beta) and in order to get rid of “index.php” in the url path, you need to set one environmental variable:

php_fastcgi {
  env front_controller_active true

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.