403 error on request with MOVE method after uploading a chunked file


We’ve got an instance of ownCloud deployed, and we’re having some difficulty uploading files that are larger than 10MB, and thus get chunked by the jQuery file uploader.

Specifically, we’re getting a 403 error whenever we try to upload a file larger than 10MB. I can see the various chunks of the file being PUT successfully, but after the last chunk, a MOVE request is erroring out. In the main pane of the web panel, it says “processing”, but never completes.

We don’t have any issues on smaller files, only files that have been chunked.

We believed that this might be related to Cloudflare, but we’re still getting these errors after disabling their proxying functionality through their portal.

Steps to reproduce

  1. Using the web interface, upload a file larger than 10MB.

Expected behaviour

File should be uploaded as normal.

Actual behaviour

The interface shows the file uploaded, and “Processing”, but this never completes, and never shows the file being uploaded.

Server configuration

Operating system: Ubuntu 16.04.3

Web server: nginx/1.13.6

Database: 10.0.34-MariaDB-0ubuntu0.16.04.1

PHP version: 7.1.14-1+ubuntu16.04.1+deb.sury.org+1

ownCloud version:

Updated from an older ownCloud or fresh install: Unknown, inherited from previous admin

Where did you install ownCloud from: Unknown, inherited from previous admin

Signing status (ownCloud 9.0 and above):
No errors were found.

The content of config/config.php:

    "system": {
        "updatechecker": false,
        "instanceid": "ocpXXXXXXwgj",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbtype": "mysql",
        "version": "",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"

List of activated apps:

  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.3.2
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.7.1
  - files_sharing: 0.10.1
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - market: 0.2.3
  - notifications: 0.3.2
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.2
  - theme-example: 1.0.0
  - updatenotification: 0.2.1
  - encryption
  - external
  - user_external

Are you using external storage, if yes which one: No, local

Are you using encryption: No

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Tested on both Firefox 61 and Chrome 67

Operating system: Windows 10


Web server error log

2018/07/10 00:44:53 [error] 1463#1463: *64852 access forbidden by rule, client: 97.XXX.XXX.XX, server: xxxx.company.com, request: "MOVE /remote.php/dav/uploads/$USER/web-file-upload-ef9d70f8b6bXXXXXXXXXXXX1a328a2e-1531183477372/.file HTTP/2.0", host: "xxxx.company.com"

2018/07/10 00:45:00 [error] 1463#1463: *64852 access forbidden by rule, client: 97.XXX.XXX.XX, server: xxxx.company.com, request: "GET /remote.php/dav/uploads/$USER/web-file-upload-ef9d70f8b6bXXXXXXXXXXXX1a328a2e-1531183477372/.file HTTP/2.0", host: "xxxx.company.com"

ownCloud log (data/owncloud.log)

I checked the ownCloud log, and using the default “Warnings, errors, and fatal issues” there are no entries from the time I attempted to upload a larger file.

Browser log

This is the request that gives a 403:
Request is for: https://xxxx.company.com/remote.php/dav/uploads/$USER/web-file-upload-ef9d7XXXXXXXXXXXXXXXXX311a328a2e-1531183477372/.file

Host: xxxx.company.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
X-OC-Mtime: 1530305899.23
OC-Total-Length: 32209920
Destination: https://xxxx.company.com/remote.php/dav/files/$USER/test-20180709/phpipam-1.3.2.tar
Cookie: __cfduid=d831d842a8ff719a97XXXXXXXXXXXXXXXX946369; _ga=GA1.2.1810868013.152XXXXXX3; __stripe_mid=6eb064fa-77ee-4105-b04a-5eXXXXXXXXX9a; ocpekkq32wgj=3e0c57518cabc367b01ad8f161844365; oc_sessionPassphrase=PyaXFWtJ8IzPIOXXXXXXXXXXXXXXXXXXXXXXX4NTII5s%2BA2Ik8oB87%2BDCyeBzfYOJPCghVANJEwDwXD4DgoEDCF9R%2FFtgy08MbVNEK0h6AbFH6H6qlYTu
DNT: 1
Connection: keep-alive

This is the response:

HTTP/2.0 403 Forbidden
server: nginx
date: Tue, 10 Jul 2018 00:30:47 GMT
content-type: text/html; charset=UTF-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-Firefox-Spdy: h2



This is an nginx error message - looks like our nginx config is not allowing MOVE?