MacOS deployment with nginx fails with 401 access denied

Hi, I’m attempting to set up ocis on a mac, with nginx as a reverse proxy; however, it appears as though the request to /api/v0/settings/values-list fails with 401 Unauthorized.

ocis appears to be running normally, and I am able to sign in. It looks like I’m getting a bearer token, but when making a request using the token (a POST request to /api/v0/settings/values-list), it fails with 401.

When running ocis on its own without nginx in front it appears to work correctly.

ocis version: 4.0.3 binary
operating system: MacOS Catalina
nginx installed through brew (brew install nginx)

I’m getting a few errors in ocis logs:

{"level":"error","service":"gateway","pkg":"rgrpc","traceid":"00000000000000000000000000000000","error":"internal error: gateway: error finding an auth provider for type: bearer","type":"bearer","time":"2023-12-04T09:59:03.494301-05:00","message":"error getting auth provider client"}

{"level":"error","service":"proxy","error":"failed to verify access token: Get \"https://ocis.mywebsite.com/.well-known/openid-configuration\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","authenticator":"oidc","path":"/ocs/v1.php/cloud/user","time":"2023-12-04T10:09:01.12275-05:00","message":"failed to authenticate the request"}

and the access logs from nginx:

[04/Dec/2023:10:16:47 -0500] "POST /api/v0/settings/values-list HTTP/2.0" 401 0 "https://ocis.mywebsitecom/oidc-callback?code=wYsOICzQZTHYcQkD8om_wD-WrR_zktA-&scope=email%20openid%20profile&session_state=d33e88c72aff80ee0c9782cbe39264ba55728f14004a55f0e7ae4632018fadae.p2EsQJ-YhxulqgQGfXA3FyI95yxjUWx6sCAevvGnQhE&state=d65d98edd4bf49149f68a835918b5303" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0"

I’m running ocis through launchctl as a launch agent, here is the plist file in ~/Library/LaunchAgents/

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>ocis.server</string>
        <key>EnvironmentVariables</key>
        <dict>
                <key>OCIS_URL</key>
                <string>https://ocis.mywebsite.com</string>
                <key>OCIS_LOG_FILE</key>
                <string>/usr/local/var/log/ocis.log</string>
                <key>OCIS_LOG_LEVEL</key>
                <string>error</string>
                <key>PROXY_HTTP_ADDR</key>
                <string>0.0.0.0:9200</string>
                <key>PROXY_TLS</key>
                <false/>
                <key>OCIS_INSECURE</key>
                <true/>
        </dict>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/bin/ocis</string>
                <string>server</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>

and the nginx configuration file

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    # gzip  on;
    server {
        listen 80;
        listen [::]:80;
        http2  on;

        server_name ocis.mywebsite.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2  on;

        server_name ocis.mywebsite.com;

        # certificates managed by Certbot
        ssl_certificate /etc/letsencrypt/live/ocis.mywebsite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ocis.mywebsite.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            proxy_buffers 4 256k;
            proxy_buffer_size 128k;
            proxy_busy_buffers_size 256k;

            # Disable checking of client request body size
            client_max_body_size 0;

            proxy_set_header Host $host;
            proxy_pass https://localhost:9200/;
        }
    }
}

Any ideas on how to fix or debug this are much appreciated. Thanks!!

Maybe you could use the traefik deployment as example https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_traefik

Did you follow the docs below in your deployment?

Yes I followed the documentation for bare metal deploy, with a few modifications because this is being deployed on macOS (instead of using systemctl, I’m using launchctl, and some of the paths are different).

It seems like ocis on its own will work just fine, but as soon as I put the nginx reverse proxy in place (following the docs) the authentication POST calls fail.

I see OCIS_INSECURE set to true, this should be false as you are using Letsencrypt. See Handling Certificates in the admin documentation.

Ok, I’ve updated OCIS_INSECURE to have a value of false but I’m still seeing the problem.

To be clear, I am able to log in successfully, but the subsequent POST call to /api/v0/settings/values-list fails.

For reference I also tried setting PROXY_TLS to true and setting values for PROXY_TRANSPORT_TLS_KEY and PROXY_TRANSPORT_TLS_CERT with the pem files from Letsencrypt. But this also has the same problem.

Is this possibly an issue with forwarding the auth token through nginx?

Any other ideas are much appreciated. Thank you!

Looking at this more, I’ve turned off nginx completely and attempted to get ocis running on my local network only. This seems to work with the self-signed certs and the following env vars:

OCIS_URL https://<localNetworkIPAddress>
PROXY_HTTP_ADDR 0.0.0.0:443
PROXY_TLS true
OCIS_INSECURE true

but changing the OCIS URL to anything external like my actual url, or hard coded IP address will cause this error:

{"level":"error","service":"proxy","error":"failed to verify access token: Get \"https://ocis.mywebsite.com/.well-known/openid-configuration\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","authenticator":"oidc","path":"/api/v0/settings/values-list","time":"2023-12-04T16:37:38.313315-05:00","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:165","message":"failed to authenticate the request"}

At this point I’m guessing it is because one or more ocis services are expecting certificates that match the public url/ip address, but I’m not sure what env vars need to be set, or how to get this to match. I am attempting to use LetsEncrypt, and have successfully generated certs for this url.

If anyone knows whether I’m on the right track, or has any suggestions, I’m all ears.
Thanks again!

This is very simple: Your ocis cannot reach itself on the hostname which it has from the outside. Make sure that you can curl to https://ocis.mywebsite.com/.well-known/openid-configuration from the localhost.

Could be achieved by setting the host ocis.mywebsite.com to 127.0.0.1 in /etc/hosts

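The self-reachability check described in the answer above, as an added example script that is not part of the thread or of the ocis project: it derives the discovery URL the proxy's oidc authenticator fetches from OCIS_URL, checks whether a hosts file already maps the public hostname to loopback, and probes the endpoint with a short timeout. It assumes curl is installed and that OCIS_URL uses a DNS name rather than an IPv6 literal.

```shell
#!/bin/sh
# ocis_selfcheck.sh (hypothetical name): can this host reach its own public OCIS_URL?
# The proxy verifies bearer tokens by fetching <OCIS_URL>/.well-known/openid-configuration;
# if that fetch times out ("context deadline exceeded"), every token check fails with 401.

# Build the OIDC discovery URL from OCIS_URL (a trailing slash is stripped first).
discovery_url() {
    printf '%s/.well-known/openid-configuration\n' "${1%/}"
}

# Extract the bare hostname from a URL (drops scheme, port and path).
url_host() {
    h="${1#*://}"
    h="${h%%/*}"
    h="${h%%:*}"
    printf '%s\n' "$h"
}

# Return 0 if HOSTS_FILE maps NAME to a loopback address (127.x.x.x or ::1).
# Comments are ignored; NAME must appear as a whole field on the line.
hosts_maps_loopback() {
    hosts_file="$1"; name="$2"
    sed 's/#.*//' "$hosts_file" | awk -v n="$name" '
        ($1 ~ /^127\./ || $1 == "::1") { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Fetch the discovery document with the same kind of short timeout the proxy uses.
# With the hostname mapped to loopback, the request goes to nginx on 443, which serves the
# Let's Encrypt certificate, so OCIS_INSECURE can stay false. Needs network; not run by tests.
probe_discovery() {
    url=$(discovery_url "$1")
    if body=$(curl -sS --max-time 5 "$url"); then
        printf 'reachable: %s\n' "$url"
        # the issuer must equal OCIS_URL, otherwise token verification still fails
        printf '%s\n' "$body" | grep -o '"issuer":"[^"]*"'
    else
        printf 'NOT reachable from this host: %s\n' "$url"
        printf 'hint: add "127.0.0.1 %s" to /etc/hosts so ocis reaches itself via nginx\n' "$(url_host "$1")"
        return 1
    fi
}

# Usage: sh ocis_selfcheck.sh https://ocis.mywebsite.com
if [ "$#" -eq 1 ]; then
    name=$(url_host "$1")
    if hosts_maps_loopback /etc/hosts "$name"; then
        printf '/etc/hosts: %s -> loopback\n' "$name"
    else
        printf '/etc/hosts: no loopback entry for %s\n' "$name"
    fi
    probe_discovery "$1"
fi
```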

Ah thank you! Adding this entry to my hosts file fixed the problem.

With a couple of adjustments to file permissions through nginx, things are working as expected.
Thanks again!!