I have a problem with trusting my own proxy or domain

webserver_issue
help

#1

Hi, I have a docker-compose setup very similar to what is described in this blogpost.

Now I want to set up the picoCMS app. It recommends proxying /sites/ to example.org/index.php/apps/cms_pico/pico/. Now this is where my problems begin.
(I replaced my domain with “example.org” in this post for security reasons.)

I created a ProxyPass rule for this in the Apache config, and I can now access example.org/sites/test in the browser. But instead of showing me the picoCMS page, it shows me the following error message:

I already tried to add the IP the container has inside the docker network to trusted_proxies, but it didn’t help.

Steps to reproduce

  1. install picoCMS app
  2. create a test website in the backend: example.org/settings/personal?sectionid=cms_pico
  3. enable the proxy modules in the container: a2enmod proxy_http proxy_connect proxy_ajp proxy_wstunnel proxy_balancer ssl
  4. add the following lines to /etc/templates/apache.conf:
     ProxyPass /sites/ https://example.org//index.php/apps/cms_pico/pico/
     ProxyPassReverse /sites/ https://example.org//index.php/apps/cms_pico/pico/
     SSLProxyEngine on
  5. restart the container: docker-compose stop && docker-compose start
  6. access the test website in the browser through the proxy shortcut: example.org/sites/test
  (optional:)
  7. add the following line to the docker-compose.yml:
     - OWNCLOUD_TRUSTED_PROXIES=172.18.0.2
  8. rebuild the container with the trusted proxy setting:
     docker-compose down
     docker-compose up -d
     sleep 15
     docker-compose exec owncloud_owncloud_1 a2enmod proxy_http proxy_connect proxy_ajp proxy_wstunnel proxy_balancer ssl  # you have to reactivate the apache modules for it to work
     docker cp apache.conf owncloud_owncloud:/etc/templates/  # that's how you have to change the apache config
     docker-compose stop # restart the container this way, because you can't restart only apache2
     docker-compose start

Expected behaviour

It displays the test website at example.org/sites/test.

Actual behaviour

It shows the following error:

"You are accessing the server from an untrusted domain.

Please contact your administrator. If you are an administrator of this instance, configure the “trusted_domains” setting in config/config.php. An example configuration is provided in config/config.sample.php or at the documentation."

Server configuration

Operating system: Debian GNU/Linux 9.8 (stretch)

Web server: Apache2 2.4.29

Database: mysql Ver 15.1 Distrib 10.3.13-MariaDB, for Linux (x86_64) using readline 5.1

PHP version: 7.2.10

ownCloud version: 10.0.10

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: docker-hub: owncloud/server:latest

Signing status (ownCloud 9.0 and above):

- cms_pico
	- FILE_MISSING
		- vendor/ezyang/htmlpurifier/maintenance/.htaccess
		- vendor/picocms/pico/.htaccess
	- EXTRA_FILE
		- vendor/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/URI/4.9.3,3478238e680361cd87bf880f5b3cc50a1e7abc6c,1.ser
		- vendor/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/HTML/4.9.3,42d2529d2d2aa4f137a4d6d6292a92e3ee82eb86,1.ser
		- vendor/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/CSS/4.9.3,4114918a13a428a8482a8a449792a5a8747582b5,1.ser

The content of config/config.php:

{
    "basic": {
        "license key": "***REMOVED SENSITIVE VALUE***",
        "date": "Thu, 09 May 2019 17:05:06 +0000",
        "ownCloud version": "10.0.10.4",
        "ownCloud version string": "10.0.10",
        "ownCloud edition": "Community",
        "server OS": "Linux",
        "server OS version": "Linux f45effbbb176 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64",
        "server SAPI": "apache2handler",
        "webserver version": "Apache",
        "hostname": "example.org",
        "logged-in user": "admin"
    },
    "stats": {
        "users": {
            "Database": {
                "count": 28,
                "seen": 17,
                "logged in (30 days)": 7
            }
        },
        "groups": {
            "OC\\Group\\Database": 3
        }
    },
    "config": {
        "apps_paths": [
            {
                "path": "\/var\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/owncloud\/custom",
                "url": "\/custom",
                "writable": true
            }
        ],
        "trusted_domains": [
            "example.org"
        ],
        "trusted_proxies": [
            "172.18.0.2"
        ],
        "datadirectory": "\/mnt\/data\/files",
        "dbtype": "mysql",
        "dbhost": "db:3306",
        "dbname": "owncloud",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "log_type": "owncloud",
        "supportedDatabases": [
            "sqlite",
            "mysql",
            "pgsql"
        ],
        "upgrade.disable-web": true,
        "default_language": "en",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": 25,
        "mail_smtpsecure": "tls",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/example.org\/",
        "htaccess.RewriteBase": "\/",
        "logfile": "\/mnt\/data\/files\/owncloud.log",
        "loglevel": 2,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mysql.utf8mb4": "true",
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "redis",
            "port": "6379"
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "version": "10.0.10.4",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "ocyjcpub7drj",
        "maintenance": false,
        "singleuser": false
    },
[...]

List of activated apps:

Enabled:
  - cms_pico: 0.9.7
  - comments: 0.3.0
  - configreport: 0.1.1
  - contacts: 1.5.5
  - dav: 0.4.0
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.7.1
  - files_pdfviewer: 0.10.0
  - files_sharing: 0.11.0
  - files_texteditor: 2.3.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 16.1.1
  - market: 0.2.5
  - notifications: 0.3.5
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - updatenotification: 0.2.1
Disabled:
  - encryption
  - external
  - user_external
  - user_ldap

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 66.0.4

Operating system: Ubuntu 18.04

Logs

owncloud_1_2c50e71a2fd4 | 2019-05-09T17:12:18.561978999Z 172.18.0.2 - - [09/May/2019:17:12:18 +0000] "GET //index.php/apps/cms_pico/pico/copyleft HTTP/1.1" 400 7495 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
owncloud_1_2c50e71a2fd4 | 2019-05-09T17:12:18.562420815Z 172.18.0.2 - - [09/May/2019:17:12:18 +0000] "GET /sites/copyleft HTTP/1.1" 400 7495 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
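To make the interaction between trusted_domains and trusted_proxies concrete, here is an added example (not code from the post, from ownCloud, or from the blog it references) that models the decision a server behind a reverse proxy makes: which hostname it believes a request is for, and whether that hostname is trusted. It is a simplified model of the documented behaviour, not ownCloud's implementation; the request dictionaries, the function names and the sample peer addresses other than 172.18.0.2 are constructed for this illustration. The key point it shows is that trusted_proxies only decides whether a forwarded-host header is believed at all; the resulting hostname still has to appear in trusted_domains, so a proxy that sends an unexpected Host header upstream produces exactly the "untrusted domain" message.

```python
"""Simplified model of a trusted-domain check behind a reverse proxy.

Added illustration, not ownCloud's own code.  Assumptions (labelled):
  * the forwarded host header is believed only when the TCP peer is in
    trusted_proxies, otherwise the plain Host header is used;
  * a :port suffix is ignored when comparing against trusted_domains.
"""
from ipaddress import ip_address, ip_network


def strip_port(host: str) -> str:
    """Drop a trailing :port; bracketed IPv6 literals are kept whole."""
    if host.startswith("["):                     # e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_trusted_proxy(remote_addr: str, trusted_proxies) -> bool:
    """True when the peer address matches a listed address or CIDR range."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:               # malformed entry: ignore, never trust
            continue
    return False


def effective_host(request: dict, trusted_proxies) -> str:
    """Return the hostname the application will compare against trusted_domains.

    X-Forwarded-Host is honoured only from a trusted proxy, because any client
    can set that header itself.  Otherwise the Host header as received is used,
    which for a proxied request is whatever the proxy put on the upstream leg.
    """
    headers = request["headers"]
    if is_trusted_proxy(request["remote_addr"], trusted_proxies):
        forwarded = headers.get("X-Forwarded-Host")
        if forwarded:
            # With chained proxies the header is a list; the first entry is
            # the client-facing hostname.
            return strip_port(forwarded.split(",")[0].strip().lower())
    return strip_port(headers.get("Host", "").lower())


def is_trusted_domain(request: dict, trusted_domains, trusted_proxies) -> bool:
    """The check that, when it fails, yields the 'untrusted domain' page."""
    allowed = {d.lower() for d in trusted_domains}
    return effective_host(request, trusted_proxies) in allowed


# Values mirroring the config.php shown in the post.
TRUSTED_DOMAINS = ["example.org"]
TRUSTED_PROXIES = ["172.18.0.2"]

# Constructed sample requests (peer address + headers as the app would see them).
SAMPLES = {
    # browser -> proxy -> app, proxy preserved the original Host header
    "proxy_preserves_host": {"remote_addr": "172.18.0.2",
                             "headers": {"Host": "example.org"}},
    # same, but the Host carries an explicit port
    "host_with_port": {"remote_addr": "172.18.0.2",
                       "headers": {"Host": "example.org:443"}},
    # proxy rewrote Host to an internal name on the upstream leg
    "proxy_rewrote_host": {"remote_addr": "172.18.0.2",
                           "headers": {"Host": "localhost"}},
    # untrusted peer tries to supply the hostname via the forwarded header
    "spoof_from_untrusted_peer": {"remote_addr": "203.0.113.5",
                                  "headers": {"Host": "localhost",
                                              "X-Forwarded-Host": "example.org"}},
    # trusted proxy forwards an unexpected hostname: believed, but still rejected
    "trusted_proxy_unexpected_host": {"remote_addr": "172.18.0.2",
                                      "headers": {"Host": "example.org",
                                                  "X-Forwarded-Host": "other.example"}},
}


def evaluate_samples() -> dict:
    """Map each sample name to (effective host, trusted?) for inspection."""
    return {name: (effective_host(req, TRUSTED_PROXIES),
                   is_trusted_domain(req, TRUSTED_DOMAINS, TRUSTED_PROXIES))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (host, ok) in evaluate_samples().items():
        print(f"{name:<32} host={host!r:<18} {'accepted' if ok else 'UNTRUSTED DOMAIN'}")
```

When debugging a setup like the one in the post, the useful comparison is the `proxy_preserves_host` case against `proxy_rewrote_host`: both arrive from the same trusted proxy address, and only the Host header the proxy sends upstream differs. Adding the proxy to trusted_proxies changes nothing for either of them unless a forwarded-host header is also present, which is why the access log entry (which records the peer address and request line but not the Host header) is not enough on its own to explain the 400.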

#2

Hey,

from what I have seen in the past, the IP/domain used to access the ownCloud installation which is causing the “untrusted domain” message is logged in the owncloud.log. I think this could help to understand which IP/domain is used to access the installation.

There also seems to be documentation about proxy configurations available here:

https://doc.owncloud.com/server/10.1/admin_manual/configuration/server/reverse_proxy_configuration.html

Maybe your proxy isn’t using the X-Forwarded-For correctly or the ProxyPass configurations are not correct?