gem.snowgoons.ro

This is a very quick tip that I just hope gets picked up by Google and saves somebody else some time.

If (like me) you run NextCloud[1] on your own infrastructure to provide filesharing and collaboaration services, and you run it behind Cloudflare[2], you may find yourself banging your head against the screen trying to work out why *everything* works *except* for uploading files through the web interface.

Instead, you'll get an enigmatic `an unknown error occurred` message in the web interface, and absolutely nothing in the NextCloud logs. Looking in your browser network logs may give you a clue - the `PUT` request to the `/remote.php/webdav` URL will be getting `HTTP/403` (forbidden) responses.

I am here to save you some debugging...

It turns out that if you use Cloudflare's WAF "Managed Rules" (which I think are on by default, and which even if they're not - you probably should be using them anyway,) one of the rules in their 'Managed OWASP' ruleset is triggered by the `PUT` request from the NextCloud Web UI, and Cloudflare blocks it.

The Solution

The solution is simple. Go to your WAF configuration in Cloudflare (`Security > WAF`), and under *Managed Rules* you need to add an exception.

Click "Add an exception", and set some suitable criteria to match requests (e.g. the specific host or URI path of your NextCloud installation,) and then "Skip specific rules from a managed ruleset". The rule you want to skip is `949110: Inbound Anomaly Score Exceeded` in the `Cloudflare OWASP Core Ruleset`: {{< figure src="img/managed-rule.png" caption="949110: Inbound Anomaly Score Exceeded" captionPosition="right">}}

Deploy your new rule, and hey-presto: working NextCloud through Cloudflare.

1: https://nextcloud.com

2: https://cloudflare.com

--------------------

Home - gem.snowgoons.ro