Thank you for the help. I'm using the binary with systemd managing the service. The system is Debian 12, and oCIS is version 4.0.2. I'm now using the same utils.rego and postprocessing.rego as you posted.
My full ocis.env is:
OCIS_URL=https://<domain_name>
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TRANSPORT_TLS_KEY=/etc/ocis/<domain_name>.key
PROXY_TRANSPORT_TLS_CERT=/etc/ocis/<domain_name>_bundle.crt
PROXY_HTTPS_CACERT=/etc/ocis/<domain_name>_root.crt
OCIS_GRPC_CLIENT_TLS_CACERT=/etc/ocis/<domain_name>_root.crt
OCIS_GRPC_TLS_KEY=/etc/ocis/<domain_name>.key
OCIS_GRPC_TLS_CERTIFICATE=/etc/ocis/<domain_name>_bundle.crt
OCIS_HTTP_TLS_CERTIFICATE=/etc/ocis/<domain_name>_bundle.crt
OCIS_HTTP_TLS_KEY=/etc/ocis/<domain_name>.key
NATS_TLS_CERTIFICATE=/etc/ocis/<domain_name>_bundle.crt
NATS_TLS_KEY=/etc/ocis/<domain_name>.key
OCIS_INSECURE=false
PROXY_POLICIES_QUERY=data.proxy.granted
OCIS_LOG_LEVEL=warn
OCIS_EVENTS_ENABLE_TLS=false
OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=<ownCloudData_location>
OCIS_ASYNC_UPLOADS=true
STORAGE_USERS_OCIS_ASYNC_UPLOADS=true
OCIS_EXCLUDE_RUN_SERVICES=
OCIS_ADD_RUN_SERVICES="antivirus,policies"
And I have a policies.yaml:
grpc:
  addr: 127.0.0.1:9125
  tls: null
debug:
  addr: 127.0.0.1:9129
  token: ""
  pprof: false
  zpages: false
token_manager:
  jwt_secret: <my_jwt_secret>
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
grpc_client_tls: null
log:
  level: ""
  pretty: false
  color: false
  file: ""
engine:
  timeout: 10
  policies:
    - /etc/ocis/postprocessing.rego
    - /etc/ocis/proxy.rego
    - /etc/ocis/utils.rego
  mimes: ""
postprocessing:
  query: data.postprocessing.granted
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
Here is postprocessing.yaml:
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9255
  token: ""
  pprof: false
  zpages: false
store:
  store: memory
  nodes: []
  database: postprocessing
  table: postprocessing
  ttl: 0
  size: 0
postprocessing:
  events:
    endpoint: 127.0.0.1:9233
    cluster: ocis-cluster
    tls_insecure: false
    tls_root_ca_certificate: ""
    enable_tls: true
  steps:
    - virusscan
    - policies
  delayprocessing: 0
proxy.yaml:
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9205
  token: ""
  pprof: false
  zpages: false
http:
  addr: 0.0.0.0:9200
  root: /
  tls_cert: ~/.ocis/proxy/server.crt
  tls_key: ~/.ocis/proxy/server.key
  tls: true
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: /etc/ocis/<domain_name>_root.crt
grpc_client_tls: null
role_quotas: {}
policies:
  - name: ocis
    routes:
      - endpoint: /
        service: com.owncloud.web.web
        unprotected: true
      - endpoint: /.well-known/webfinger
        service: com.owncloud.web.webfinger
        unprotected: true
      - endpoint: /.well-known/openid-configuration
        service: com.owncloud.web.idp
        unprotected: true
      - endpoint: /branding/logo
        service: com.owncloud.web.web
      - endpoint: /konnect/
        service: com.owncloud.web.idp
        unprotected: true
      - endpoint: /signin/
        service: com.owncloud.web.idp
        unprotected: true
      - endpoint: /archiver
        service: com.owncloud.web.frontend
      - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse
        service: com.owncloud.sse.sse
      - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications
        service: com.owncloud.userlog.userlog
      - type: regex
        endpoint: /ocs/v[12].php/cloud/user/signing-key
        service: com.owncloud.web.ocs
      - type: regex
        endpoint: /ocs/v[12].php/config
        service: com.owncloud.web.frontend
        unprotected: true
      - endpoint: /sciencemesh/
        service: com.owncloud.web.ocm
      - endpoint: /ocm/
        service: com.owncloud.web.ocm
      - endpoint: /ocs/
        service: com.owncloud.web.frontend
      - type: query
        endpoint: /remote.php/?preview=1
        service: com.owncloud.web.webdav
      - type: regex
        method: REPORT
        endpoint: (/remote.php)?/(web)?dav
        service: com.owncloud.web.webdav
      - type: query
        endpoint: /dav/?preview=1
        service: com.owncloud.web.webdav
      - type: query
        endpoint: /webdav/?preview=1
        service: com.owncloud.web.webdav
      - endpoint: /remote.php/
        service: com.owncloud.web.ocdav
      - endpoint: /dav/
        service: com.owncloud.web.ocdav
      - endpoint: /webdav/
        service: com.owncloud.web.ocdav
      - endpoint: /status
        service: com.owncloud.web.ocdav
        unprotected: true
      - endpoint: /status.php
        service: com.owncloud.web.ocdav
        unprotected: true
      - endpoint: /index.php/
        service: com.owncloud.web.ocdav
      - endpoint: /apps/
        service: com.owncloud.web.ocdav
      - endpoint: /data
        service: com.owncloud.web.frontend
        unprotected: true
      - endpoint: /app/list
        service: com.owncloud.web.frontend
        unprotected: true
      - endpoint: /app/
        service: com.owncloud.web.frontend
      - endpoint: /graph/v1.0/invitations
        service: com.owncloud.graph.invitations
      - endpoint: /graph/
        service: com.owncloud.graph.graph
      - endpoint: /api/v0/settings
        service: com.owncloud.web.settings
oidc:
  issuer: https://localhost:9200
  insecure: false
  access_token_verify_method: jwt
  skip_user_info: false
  user_info_cache:
    store: memory
    addresses: []
    database: ocis
    table: userinfo
    ttl: 10
    size: 0
  jwks:
    refresh_interval: 60
    refresh_timeout: 10
    refresh_limit: 60
    refresh_unknown_kid: true
  rewrite_well_known: false
service_account:
  service_account_id: ""
  service_account_secret: ""
role_assignment:
  driver: default
  oidc_role_mapper:
    role_claim: roles
    role_mapping:
      - role_name: admin
        claim_value: ocisAdmin
      - role_name: spaceadmin
        claim_value: ocisSpaceAdmin
      - role_name: user
        claim_value: ocisUser
      - role_name: guest
        claim_value: ocisGuest
policy_selector:
  static:
    policy: ocis
  claims: null
  regex: null
pre_signed_url:
  allowed_http_methods:
    - GET
  enabled: true
account_backend: cs3
user_oidc_claim: preferred_username
user_cs3_claim: username
machine_auth_api_key: <some_key>
auto_provision_accounts: false
enable_basic_auth: false
insecure_backends: false
backend_https_cacert: /etc/ocis/<domain_name>_root.crt
auth_middleware:
  credentials_by_user_agent: {}
proxy.rego is a constant true:
package proxy

default granted := true
In looking for potential config problems: I have yaml config files for many services, but they are not different from the examples on doc.owncloud.com. If you think any of them are suspicious, I can provide them as well.
The reverse proxy is nginx, run by the network administration, which is mostly out of my control. According to their message, the setting is like this:
server {
    listen 80;
    listen [::]:80;
    server_name <domain_name>;
    access_log /var/log/nginx/<domain_name>.access.log main;
    location / {
        if ( $http_user_agent ~ "(Mozilla/5.0)" ) {
            return 301 https://$server_name$request_uri;
        }
        proxy_pass https://<IP_address>:9200;
    }
    location /.well-known/ {
        root /etc/nginx/ssl/web/;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <domain_name>;
    ssl_certificate /etc/nginx/ssl/<domain_name>.crt;
    ssl_certificate_key /etc/nginx/ssl/<domain_name>.key;
    add_header Strict-Transport-Security $hsts_header;
    add_header Content-Security-Policy upgrade-insecure-requests;
    access_log /var/log/nginx/<domain_name>.access.log main;
    location / {
        proxy_buffers 4 256k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
        client_max_body_size 0;
        proxy_pass https://<IP_address>:9200;
        proxy_set_header Host $host;
    }
    location /favicon.ico {
        root /etc/nginx/conf.d;
    }
}
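An added cross-check, not part of the post above and not oCIS's own code: a small Python script that parses an ocis.env and the per-service yaml files and answers two questions this kind of setup raises. First, whether a yaml `events.enable_tls` agrees with `OCIS_EVENTS_ENABLE_TLS`; oCIS gives environment variables precedence over yaml, so the `enable_tls: true` in the postprocessing.yaml above is shadowed by the env's `false` rather than applied. Second, whether each OPA query oCIS sends (`PROXY_POLICIES_QUERY` and policies.yaml's `postprocessing.query`) resolves to a package and rule in the rego files listed under `engine.policies`, flagging a policy that consists only of `default granted := true`, which permits everything at the proxy. The embedded config snippets are constructed from the post and trimmed to the keys the checks use; postprocessing.rego is a placeholder with a hypothetical `input.size` rule, since the real file is not on this page; the YAML parser handles only the subset these files use (nested mappings and lists of scalars).

```python
"""Cross-check an oCIS ocis.env against its service yaml files and Rego policies (added example)."""
import re

OCIS_ENV = "OCIS_EVENTS_ENABLE_TLS=false\nPROXY_POLICIES_QUERY=data.proxy.granted\n"
SERVICE_YAML = {  # constructed from the post, trimmed to the keys the checks look at
    "policies.yaml": """events:
  enable_tls: false
engine:
  policies:
    - /etc/ocis/postprocessing.rego
    - /etc/ocis/proxy.rego
postprocessing:
  query: data.postprocessing.granted
""",
    "postprocessing.yaml": """postprocessing:
  events:
    enable_tls: true
""",
}
# proxy.rego is the one from the post; postprocessing.rego is a placeholder (hypothetical size rule).
REGO_FILES = {
    "/etc/ocis/proxy.rego": "package proxy\n\ndefault granted := true\n",
    "/etc/ocis/postprocessing.rego": "package postprocessing\n\nimport rego.v1\n\n"
    "default granted := false\n\ngranted if {\n    input.size < 100000000\n}\n",
}

def scalar(tok):
    """YAML/env scalar subset: quoted string, bool, null, int, else bare string."""
    tok = tok.strip()
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        return tok[1:-1]
    words = {"true": True, "false": False, "null": None, "~": None, "": None}
    if tok.lower() in words:
        return words[tok.lower()]
    return int(tok) if re.fullmatch(r"-?\d+", tok) else tok

def parse_env(text):
    """KEY=VALUE lines, the EnvironmentFile format ocis.env uses under systemd."""
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines()) if "=" in l and l[0] != "#")
    return {k.strip(): scalar(v) for k, _, v in pairs}

def parse_yaml(text):
    """YAML subset oCIS service files use: nested mappings and lists of scalars."""
    lines = [(len(r) - len(r.lstrip(" ")), r.strip()) for r in text.splitlines()
             if r.strip() and not r.lstrip().startswith("#")]
    pos = 0
    def block(indent):
        nonlocal pos
        if lines[pos][1].startswith("- "):  # sequence of scalars
            items = []
            while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
                items.append(scalar(lines[pos][1][2:]))
                pos += 1
            return items
        node = {}
        while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
            key, _, val = lines[pos][1].partition(":")
            pos += 1
            nxt = lines[pos] if pos < len(lines) else None
            nested = nxt and (nxt[0] > indent or (nxt[0] == indent and nxt[1].startswith("- ")))
            node[key.strip()] = block(nxt[0]) if not val.strip() and nested else scalar(val)
        return node
    return block(lines[0][0]) if lines else {}

def rego_packages(rego_files):
    """package name -> {'rules': heads that have a body, 'defaults': head -> default value}."""
    pkgs = {}
    for src in rego_files.values():
        name = re.search(r"^package\s+(\S+)", src, re.M).group(1)  # Rego requires a package line
        info = pkgs.setdefault(name, {"rules": set(), "defaults": {}})
        for d in re.finditer(r"^default\s+(\w+)\s*:?=\s*(\S+)", src, re.M):
            info["defaults"][d.group(1)] = scalar(d.group(2))
        for h in re.finditer(r"^(\w+)\s*(?:if\b|\{|:?=|\(|contains\b)", src, re.M):
            info["rules"].add(h.group(1))
    return pkgs

def check_events_tls(env, services):
    """A yaml events.enable_tls that disagrees with OCIS_EVENTS_ENABLE_TLS is shadowed (env wins)."""
    env_val = env.get("OCIS_EVENTS_ENABLE_TLS")
    evs = {n: (c.get("events") or (c.get("postprocessing") or {}).get("events") or {})
           for n, c in services.items()}
    return [(n, ev["enable_tls"], env_val) for n, ev in evs.items()
            if env_val is not None and ev.get("enable_tls") not in (None, env_val)]

def check_policy_queries(env, services, rego_files):
    """Resolve each OPA query (data.<package>.<rule>) against the listed rego files; 'constant true' = allow-all."""
    pol = services.get("policies.yaml", {})
    queries = [env.get("PROXY_POLICIES_QUERY"), (pol.get("postprocessing") or {}).get("query")]
    listed = set((pol.get("engine") or {}).get("policies") or [])
    pkgs = rego_packages({p: s for p, s in rego_files.items() if p in listed})
    verdicts = {}
    for q in filter(None, queries):
        pkg, rule = ".".join(q.split(".")[1:-1]), q.split(".")[-1]
        info = pkgs.get(pkg)
        verdicts[q] = ("no package" if info is None else "ok" if rule in info["rules"]
                       else "constant " + str(info["defaults"][rule]).lower()
                       if rule in info["defaults"] else "no rule")
    return verdicts
```

To run it against a real deployment, replace the embedded strings with the contents of /etc/ocis/ocis.env, the service yaml files and the rego files listed in policies.yaml, then print `check_events_tls(...)` and `check_policy_queries(...)`. On the constructed input the first check reports postprocessing.yaml (yaml `True`, env `False`) and the second reports `data.proxy.granted` as `constant true` and `data.postprocessing.granted` as `ok`; an allow-all proxy policy is fine as long as nothing relies on the proxy stage for enforcement, which is worth stating explicitly in the deployment notes.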