I ran into an issue when I migrated my Nextcloud reverse proxy from Apache2 (on my NAS) to nginx on an OPNsense firewall: my phone, and only it, could not synchronize contacts and calendar anymore. No issue with the Nextcloud app, nor with contacts and calendar sync with Thunderbird or the Windows 10 Mail app.
The error I got is a simple 403 response with a message telling me I was banned, and my mobile phone's IP address was in the ban list on OPNsense (in the nginx module), but the Nextcloud app still worked; it wasn't banned.
So I looked at the user-agent DAVx⁵ was using to compare it with the bot blocklist I read mentions of on one of the many sites, forums, FAQs… I read.
The DAVx⁵ user-agent is: DAVx5/3.3.7-ose (2020/11/30; dav4jvm; okhttp/4.9.0) Android/10\r\n
The code responsible for the issue in OPNsense is here:
As you can see, okhttp in the user-agent string triggers the bot protection option in the OPNsense nginx implementation.
The workaround is really simple: disable bot protection for my Nextcloud instance, and it is okay until I open the service from outside.
I think I can develop a quick and dirty fix in the OPNsense configuration, but I am not sure the community would accept the patch.
I will also open an issue on the OPNsense side. If you can't do anything about the user-agent sent by DAVx⁵, at least maybe this post will allow others to understand their issue. I did not find a lot of useful information anywhere; maybe my keywords were too generic or my issue is really specific.
If you want more details or if I am not clear feel free to ask, I can reproduce the issue really quickly until I make my dirty fix to be able to access my Nextcloud instance from outside my network.
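Added example, not part of the original post and not OPNsense code: a small triage script that reads nginx access log lines in the "combined" format and reports which 403 responses went to clients whose user-agent contains a blocklisted token. The log lines are constructed samples; the token list holds only `okhttp` from the post, and case-insensitive substring matching is an assumption about how the bot list is applied.

```python
import re

# Only "okhttp" comes from the post; the real OPNsense list is not reproduced.
BLOCK_TOKENS = ["okhttp"]

# Constructed sample lines in nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - alice [01/Dec/2020:10:00:01 +0000] "PROPFIND /remote.php/dav/ HTTP/1.1" 403 153 "-" "DAVx5/3.3.7-ose (2020/11/30; dav4jvm; okhttp/4.9.0) Android/10"
192.0.2.10 - alice [01/Dec/2020:10:00:05 +0000] "GET /status.php HTTP/1.1" 200 160 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.14.1"
192.0.2.20 - bob [01/Dec/2020:10:01:00 +0000] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 900 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0"
"""

# ip, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def matched_token(user_agent, tokens=BLOCK_TOKENS):
    """Return the first blocklist token found in the user-agent, else None."""
    ua = user_agent.lower()
    for token in tokens:
        if token.lower() in ua:
            return token
    return None


def explain_403s(log_text, tokens=BLOCK_TOKENS):
    """List (ip, token, user_agent) for every 403 whose UA hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("status") != "403":
            continue
        token = matched_token(m.group("ua"), tokens)
        if token:
            hits.append((m.group("ip"), token, m.group("ua")))
    return hits


if __name__ == "__main__":
    for ip, token, ua in explain_403s(SAMPLE_LOG):
        print(f"{ip} got 403; user-agent matched '{token}': {ua}")
```

On the sample data only the DAVx⁵ request is reported, which matches the symptom described above: the same phone IP is refused for DAVx⁵ while the Nextcloud app's user-agent contains no blocklisted token.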