Owncloud 10.2.0.5 behind HTTP basic authentication

Hi,

yesterday I upgraded my Owncloud from 9.x to 10.2.0.5 (including all intermediate major releases). Everything seems to work fine except for one thing:

My webserver (NGinX) allows connections if one of these requirements is met:

  1. The client is in my LAN.
  2. The client is not in my LAN, but provides some credentials using HTTP basic auth.

Accessing the new Owncloud 10 from the LAN works without any problems.

If I access Owncloud from outside the LAN I get the http basic auth login prompt, as it should be. After entering the details I get to Owncloud’s login page.
However, if I enter my owncloud credentials there it first seems that I get logged in: according to the browser network log I get redirected to /index.php/apps/files/.
But when trying to access that, the browser gets redirected back to the login page.

Steps to reproduce

  1. use some NGinX config like this:

    satisfy any;
    allow 192.168.1.0/24;
    deny all;
    auth_basic "Secured";
    auth_basic_user_file /etc/nginx/ext_users.conf;

Expected behaviour

Everything should work as when accessing the site from LAN.

Actual behaviour

Trying to log in from outside the LAN returns to the login prompt (if credentials are ok, although the log says login failed).

Server configuration

Operating system: Ubuntu 16.04

Web server: NGinX

Database: MySQL

PHP version: 7.0

ownCloud version: 10.2.0.5

Updated from an older ownCloud or fresh install: Updated from 9.x.

Where did you install ownCloud from:
manual (tar.gz)

The content of config/config.php:

{
    "system": {
        "instanceid": "INSTANCE",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "MYDOMAIN.org"
        ],
        "datadirectory": "\/var\/owncloud_data",
        "overwrite.cli.url": "https:\/\/MYDOMAIN.org",
        "dbtype": "mysql",
        "version": "10.2.0.5",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "loglevel": 0,
        "htaccess.RewriteBase": "\/",
        "maintenance": false
    }
}

List of activated apps:

Enabled:
- activity: 2.5.0
- comments: 0.3.0
- configreport: 0.2.0
- dav: 0.4.0
- federatedfilesharing: 0.4.0
- federation: 0.1.0
- files: 1.5.2
- files_external: 0.7.1
- files_pdfviewer: 0.11.0
- files_sharing: 0.11.0
- files_texteditor: 2.3.0
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.10.1
- firstrunwizard: 1.2.0
- market: 0.5.0
- notifications: 0.5.0
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.4.0
- updatenotification: 0.2.1
Disabled:
- encryption
- external
- user_external

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Recent Chrome/Firefox

Operating system: Windows, MacOS, Linux

Logs

ownCloud log (data/owncloud.log)

This is the log when accessing the server from outside the LAN.
To me it looks like it tries to use the HTTP auth header as some other kind of token?!

    {"reqId":"5L6A8UcJ89yJCXPL9qmg","level":0,"time":"2019-06-26T18:01:43+00:00","remoteAddr":"---.---.---.---","user":"--","app":"cron","method":"GET","url":"\/cron.php","message":"Job with id 13 and class OCA\\UpdateNotification\\Notification\\BackgroundJob not running due to interval. Last run 1561567110 and interval 86400. Wait 81407 seconds."}
    {"reqId":"55SWx5GhHbzuHxTmzJUl","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\User\\Session::login","method":"POST","url":"\/index.php\/login","message":"regenerating session id for uid mkay, password set"}
    {"reqId":"55SWx5GhHbzuHxTmzJUl","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"POST","url":"\/index.php\/login","message":"token 616d81fae3aa4c2cee02fb55cbaf7418be399ac0c3cb920a64c7392d5032225f1777dd95a9c17242408cbd5ed5a2772da310cb1283305616165dd45aa8615765 does not exist"}
    {"reqId":"55SWx5GhHbzuHxTmzJUl","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\User\\Session::validateToken","method":"POST","url":"\/index.php\/login","message":"token 616d81fae3aa4c2cee02fb55cbaf7418be399ac0c3cb920a64c7392d5032225f1777dd95a9c17242408cbd5ed5a2772da310cb1283305616165dd45aa8615765, not found"}
    {"reqId":"55SWx5GhHbzuHxTmzJUl","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"POST","url":"\/index.php\/login","message":"token 616d81fae3aa4c2cee02fb55cbaf7418be399ac0c3cb920a64c7392d5032225f1777dd95a9c17242408cbd5ed5a2772da310cb1283305616165dd45aa8615765 does not exist"}
    {"reqId":"55SWx5GhHbzuHxTmzJUl","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::generateToken","method":"POST","url":"\/index.php\/login","message":"generating token 5edf857c26b19380910224c544b6141f02ec4c0537cbd6a290ce1fb9015062c1faecd799f2f4a1c9abd22045f4c71115bdda91be2dcedc5729ddcebe215d70e6, uid mkay, loginName mkay, pwd set, name Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.13; rv:67.0) Gecko\/20100101 Firefox\/67.0, type temporary"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 5edf857c26b19380910224c544b6141f02ec4c0537cbd6a290ce1fb9015062c1faecd799f2f4a1c9abd22045f4c71115bdda91be2dcedc5729ddcebe215d70e6 with token id 45 found, validating"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 2ce7550b2eb70c628f03381bcfe8b53f641ae56b0f2d1ac76cce5a730003e636a3cc64a0e7794540d96724be197c9cf4dd001002b94bddf8d6a21a2226505bca does not exist"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":2,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"core","method":"GET","url":"\/index.php\/apps\/files\/","message":"Login failed: 'mkay' (Remote IP: '---.---.---.---')"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\User\\BasicAuthModule::auth","method":"GET","url":"\/index.php\/apps\/files\/","message":"Invalid password for username mkay, trying as email."}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:50+00:00","remoteAddr":"---.---.---.---","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::invalidateToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"invalidating token 5edf857c26b19380910224c544b6141f02ec4c0537cbd6a290ce1fb9015062c1faecd799f2f4a1c9abd22045f4c71115bdda91be2dcedc5729ddcebe215d70e6"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"no app in context","method":"GET","url":"\/index.php\/apps\/files\/","message":"0"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 5edf857c26b19380910224c544b6141f02ec4c0537cbd6a290ce1fb9015062c1faecd799f2f4a1c9abd22045f4c71115bdda91be2dcedc5729ddcebe215d70e6 does not exist"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 2ce7550b2eb70c628f03381bcfe8b53f641ae56b0f2d1ac76cce5a730003e636a3cc64a0e7794540d96724be197c9cf4dd001002b94bddf8d6a21a2226505bca does not exist"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\User\\Session::login","method":"GET","url":"\/index.php\/apps\/files\/","message":"regenerating session id for uid mkay, password set"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 2ce7550b2eb70c628f03381bcfe8b53f641ae56b0f2d1ac76cce5a730003e636a3cc64a0e7794540d96724be197c9cf4dd001002b94bddf8d6a21a2226505bca does not exist"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/index.php\/apps\/files\/","message":"token 2ce7550b2eb70c628f03381bcfe8b53f641ae56b0f2d1ac76cce5a730003e636a3cc64a0e7794540d96724be197c9cf4dd001002b94bddf8d6a21a2226505bca, not found"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":2,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"core","method":"GET","url":"\/index.php\/apps\/files\/","message":"Login failed: 'mkay' (Remote IP: '---.---.---.---')"}
    {"reqId":"oB6yT0ks4BK7prUfWQ6y","level":0,"time":"2019-06-26T18:01:51+00:00","remoteAddr":"---.---.---.---","user":"--","app":"no app in context","method":"GET","url":"\/index.php\/apps\/files\/","message":"Current user is not logged in"}
    {"reqId":"xKzvfdiAH23GKoiSPjSm","level":0,"time":"2019-06-26T18:01:55+00:00","remoteAddr":"---.---.---.---","user":"--","app":"cron","method":"GET","url":"\/cron.php","message":"Running job with id 15 and class OCA\\Files_Sharing\\DeleteOrphanedSharesJob. Last run 1561568099 and interval 900"}
    {"reqId":"xKzvfdiAH23GKoiSPjSm","level":0,"time":"2019-06-26T18:01:55+00:00","remoteAddr":"---.---.---.---","user":"--","app":"cron","method":"GET","url":"\/cron.php","message":"Started background job of class : OCA\\Files_Sharing\\DeleteOrphanedSharesJob with arguments : "}
    {"reqId":"xKzvfdiAH23GKoiSPjSm","level":0,"time":"2019-06-26T18:01:55+00:00","remoteAddr":"---.---.---.---","user":"--","app":"DeleteOrphanedSharesJob","method":"GET","url":"\/cron.php","message":"0 orphaned share(s) deleted"}
    {"reqId":"xKzvfdiAH23GKoiSPjSm","level":0,"time":"2019-06-26T18:01:55+00:00","remoteAddr":"---.---.---.---","user":"--","app":"cron","method":"GET","url":"\/cron.php","message":"Finished background job, the job took : 0 seconds, this job is an instance of class : OCA\\Files_Sharing\\DeleteOrphanedSharesJob with arguments : "}

Browser log

POST /index.php/login HTTP/1.1
Host: DOMAIN.org
Connection: keep-alive
Content-Length: 186
Pragma: no-cache
Cache-Control: no-cache
Authorization: Basic TOKEN...=
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ...

HTTP/1.1 303 See Other
Server: nginx
Date: Wed, 26 Jun 2019 18:06:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: ...
Cache-Control: no-cache, must-revalidate
Location: https://DOMAIN.org/index.php/apps/files/
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Strict-Transport-Security: max-age=15768000



GET /index.php/apps/files/ HTTP/1.1
Host: DOMAIN.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Authorization: Basic TOKEN...=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ---

HTTP/1.1 303 See Other
Server: nginx
Date: Wed, 26 Jun 2019 18:06:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; secure; HttpOnly
Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: ...
Cache-Control: no-cache, must-revalidate
Location: /index.php/login?redirect_url=%252Findex.php%252Fapps%252Ffiles%252F
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Strict-Transport-Security: max-age=15768000

Hey,

from what I have read in the past ownCloud uses basic authentication on its own. Maybe the one of your web server is conflicting with the one of ownCloud in newer versions?

Update which could confirm the above:

I did the following search https://central.owncloud.org/search?q=basic%20auth and found the following comment in an existing thread:

Unfortunately I’m not sure if this also applies for the login page itself :slightly_frowning_face:
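A triage sketch for the ownCloud log in the first post, added here as an example and not part of the original posts or of ownCloud itself: it groups `owncloud.log` entries by `reqId` and flags requests in which `BasicAuthModule::auth` ran, a login failure was logged, and the session token that had just validated was then invalidated. The sample lines are constructed with placeholder tokens, and the function name `find_basic_auth_conflicts` is hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the owncloud.log format shown in the post; tokens are
# shortened placeholders, not real values.
SAMPLE_LOG = r'''
{"reqId":"req-login","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::generateToken","url":"\/index.php\/login","message":"generating token aaaa, uid mkay, loginName mkay, pwd set, name test, type temporary"}
{"reqId":"req-files","user":"mkay","app":"OC\\User\\Session::validateToken","url":"\/index.php\/apps\/files\/","message":"token aaaa with token id 45 found, validating"}
{"reqId":"req-files","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::getToken","url":"\/index.php\/apps\/files\/","message":"token bbbb does not exist"}
{"reqId":"req-files","user":"mkay","app":"core","url":"\/index.php\/apps\/files\/","message":"Login failed: 'mkay' (Remote IP: 'x')"}
{"reqId":"req-files","user":"mkay","app":"OC\\User\\BasicAuthModule::auth","url":"\/index.php\/apps\/files\/","message":"Invalid password for username mkay, trying as email."}
{"reqId":"req-files","user":"mkay","app":"OC\\Authentication\\Token\\DefaultTokenProvider::invalidateToken","url":"\/index.php\/apps\/files\/","message":"invalidating token aaaa"}
{"reqId":"req-lan","user":"mkay","app":"OC\\User\\Session::validateToken","url":"\/index.php\/apps\/files\/","message":"token cccc with token id 46 found, validating"}
'''

def find_basic_auth_conflicts(log_text):
    """Return requests where a valid session token was killed after a basic-auth attempt."""
    by_req = defaultdict(list)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # blank, truncated or non-JSON line
        if isinstance(entry, dict):
            by_req[entry.get("reqId")].append(entry)

    findings = []
    for req_id, entries in by_req.items():
        pairs = [(e.get("app", ""), e.get("message", "")) for e in entries]
        # Tokens the session layer accepted in this request.
        validated = {m.split()[1] for a, m in pairs
                     if a.endswith("Session::validateToken") and "found, validating" in m}
        # Tokens destroyed later in the same request.
        invalidated = {m.split()[-1] for a, m in pairs if a.endswith("::invalidateToken")}
        basic_tried = any(a.endswith("BasicAuthModule::auth") for a, _ in pairs)
        failed = any(m.startswith("Login failed") for _, m in pairs)
        killed = sorted(validated & invalidated)
        if basic_tried and failed and killed:
            findings.append({"reqId": req_id, "url": entries[0].get("url"), "tokens": killed})
    return findings

if __name__ == "__main__":
    for finding in find_basic_auth_conflicts(SAMPLE_LOG):
        print(finding)
```

A hit means the application evaluated basic credentials on a request that already carried a valid session, which matches the redirect loop described in the first post.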