We’ve got an instance of ownCloud deployed, and we’re having some difficulty uploading files that are larger than 10MB, and thus get chunked by the jQuery file uploader.
Specifically, we’re getting a 403 error whenever we try to upload a file larger than 10MB. I can see the various chunks of the file being PUT successfully, but after the last chunk, a MOVE request is erroring out. In the main pane of the web panel, it says “processing”, but never completes.
We don’t have any issues on smaller files, only files that have been chunked.
We believed that this might be related to Cloudflare, but we’re still getting these errors after disabling their proxying functionality through their portal.
Steps to reproduce
- Using the web interface, upload a file larger than 10MB.
Expected behaviour
File should be uploaded as normal.
Actual behaviour
The interface shows the file uploaded, and “Processing”, but this never completes, and never shows the file being uploaded.
Server configuration
Operating system: Ubuntu 16.04.3
Web server: nginx/1.13.6
Database: 10.0.34-MariaDB-0ubuntu0.16.04.1
PHP version: 7.1.14-1+ubuntu16.04.1+deb.sury.org+1
ownCloud version: 10.0.7.2
Updated from an older ownCloud or fresh install: Unknown, inherited from previous admin
Where did you install ownCloud from: Unknown, inherited from previous admin
Signing status (ownCloud 9.0 and above):
No errors were found.
The content of config/config.php:
{
"system": {
"updatechecker": false,
"instanceid": "ocpXXXXXXwgj",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"xxxx.company.com"
],
"datadirectory": "\/var\/www\/owncloud\/data",
"overwrite.cli.url": "http:\/\/localhost",
"dbtype": "mysql",
"version": "10.0.7.2",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"filelocking.enabled": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "localhost",
"port": 6379
},
"mail_smtpmode": "smtp",
"mail_smtpsecure": "ssl",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
}
}
List of activated apps:
Enabled:
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.3.2
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_external: 0.7.1
- files_sharing: 0.10.1
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- market: 0.2.3
- notifications: 0.3.2
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.2
- theme-example: 1.0.0
- updatenotification: 0.2.1
Disabled:
- encryption
- external
- user_external
Are you using external storage, if yes which one: No, local
Are you using encryption: No
Are you using an external user-backend, if yes which one: No
Client configuration
Browser: Tested on both Firefox 61 and Chrome 67
Operating system: Windows 10
Logs
Web server error log
2018/07/10 00:44:53 [error] 1463#1463: *64852 access forbidden by rule, client: 97.XXX.XXX.XX, server: xxxx.company.com, request: "MOVE /remote.php/dav/uploads/$USER/web-file-upload-ef9d70f8b6bXXXXXXXXXXXX1a328a2e-1531183477372/.file HTTP/2.0", host: "xxxx.company.com"
2018/07/10 00:45:00 [error] 1463#1463: *64852 access forbidden by rule, client: 97.XXX.XXX.XX, server: xxxx.company.com, request: "GET /remote.php/dav/uploads/$USER/web-file-upload-ef9d70f8b6bXXXXXXXXXXXX1a328a2e-1531183477372/.file HTTP/2.0", host: "xxxx.company.com"
ownCloud log (data/owncloud.log)
I checked the ownCloud log, and using the default “Warnings, errors, and fatal issues” there are no entries from the time I attempted to upload a larger file.
Browser log
This is the request that gives a 403:
Request is for: https://xxxx.company.com/remote.php/dav/uploads/$USER/web-file-upload-ef9d7XXXXXXXXXXXXXXXXX311a328a2e-1531183477372/.file
Host: xxxx.company.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
requesttoken: JigoAQwPfBInDQXXXXXXXXXXXXXXXQHERQIHcuKGM=:XXXXXXXXXXXXXXXX8tULY6QT6TeriQ9EB2t/hf8WtvjQI=
X-OC-Mtime: 1530305899.23
OC-Total-Length: 32209920
Destination: https://xxxx.company.com/remote.php/dav/files/$USER/test-20180709/phpipam-1.3.2.tar
Cookie: __cfduid=d831d842a8ff719a97XXXXXXXXXXXXXXXX946369; _ga=GA1.2.1810868013.152XXXXXX3; __stripe_mid=6eb064fa-77ee-4105-b04a-5eXXXXXXXXX9a; ocpekkq32wgj=3e0c57518cabc367b01ad8f161844365; oc_sessionPassphrase=PyaXFWtJ8IzPIOXXXXXXXXXXXXXXXXXXXXXXX4NTII5s%2BA2Ik8oB87%2BDCyeBzfYOJPCghVANJEwDwXD4DgoEDCF9R%2FFtgy08MbVNEK0h6AbFH6H6qlYTu
DNT: 1
Connection: keep-alive
This is the response:
HTTP/2.0 403 Forbidden
server: nginx
date: Tue, 10 Jul 2018 00:30:47 GMT
content-type: text/html; charset=UTF-8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-Firefox-Spdy: h2
Thanks!