Owncloud + nginx Docker: Too many redirects

10

#1

Hi guys,

I have the following problem:

I used to run owncloud with Apache but decided to move to nginx as I was using it for other services as well.

When accessing owncloud, I get: ERR_TOO_MANY_REDIRECTS

Testing with curl:

[root@server:~] # curl -I https://www.example.com/owncloud/index.php/login
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 11 Jul 2017 13:05:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.0.20
Set-Cookie: <redacted>; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=<redacted>; path=/owncloud; secure; HttpOnly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Location: https://www.example.com/owncloud/index.php/login
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none

nginx logs:

2017-07-11T13:08:12.038838712Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.126279135Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.215170922Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.299842449Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.384554276Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.456765009Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.551453891Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.640845620Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.729627535Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.803119594Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.897911686Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:12.984467704Z 172.17.0.1 - - [11/Jul/2017:13:08:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.068813309Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.161391458Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.245489414Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.352306593Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.433078938Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.511978130Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.585847890Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.668548916Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:13.742487980Z 172.17.0.1 - - [11/Jul/2017:13:08:13 +0000] "GET /owncloud/index.php/apps/files/ HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-07-11T13:08:14.426523012Z 2017/07/11 13:08:14 [error] 14#14: *623 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.17.0.1, server: www.example.com, request: "GET /owncloud/status.php HTTP/1.1", upstream: "fastcgi://172.17.0.9:9000", host: "www.example.com"
2017-07-11T13:08:14.427029572Z 2017/07/11 13:08:14 [error] 14#14: *623 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.17.0.1, server: www.example.com, request: "GET /owncloud/status.php HTTP/1.1", upstream: "fastcgi://172.17.0.9:9000", host: "www.example.com"
2017-07-11T13:08:14.427242166Z 172.17.0.1 - - [11/Jul/2017:13:08:14 +0000] "GET /owncloud/status.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Macintosh) mirall/2.3.2 (build 4250)"
2017-07-11T13:08:14.590137404Z 172.17.0.1 - - [11/Jul/2017:13:08:14 +0000] "GET /owncloud/owncloud/status.php HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh) mirall/2.3.2 (build 4250)"
2017-07-11T13:08:14.789027984Z 172.17.0.1 - - [11/Jul/2017:13:08:14 +0000] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh) mirall/2.3.2 (build 4250)"

Docker:

nginx
owncloud fpm (10.0.2)

docker create --name owncloud \
              --expose 9000 \
              --link mysql \
              -v /opt/docker/containers/owncloud/config:/var/www/html/config \
              -v /opt/docker/containers/owncloud/apps:/var/www/html/apps \
              -v /mnt/storage/owncloud:/var/www/html/data \
              owncloud:fpm

docker create --name nginx \
              -p "80:80" \
              -p "443:443" \
              --link owncloud \
              --volumes-from owncloud \
              -v /opt/docker/containers/nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro \
              -v /opt/docker/containers/nginx/config/conf.d:/etc/nginx/conf.d:ro \
              -v /opt/docker/containers/nginx/certs:/etc/nginx/certs \
              nginx

nginx configuration modified for my use case:

upstream php-handler { server owncloud:9000; }

server {
    listen 80 default_server;
    listen [::]:80;

    server_name www.example.com;

    include /etc/nginx/mime.types;

    root /var/www;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.example.com;

    include /etc/nginx/mime.types;

    root /var/www;

    ssl on;

    ssl_certificate /etc/nginx/certs/www.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;

    ssl_protocols TLSv1.2;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    ssl_dhparam /etc/nginx/certs/dhparams.pem;

    ssl_ecdh_curve secp384r1;

    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/www.example.com.crt;

    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location = / {
        deny all;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host/owncloud/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/owncloud/remote.php/dav;
    }

    location ^~ /owncloud {
        root /var/www/html/;

        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        gzip off;

        error_page 403 /owncloud/core/templates/403.php;
        error_page 404 /owncloud/core/templates/404.php;

        location /owncloud {
            rewrite ^ /owncloud/index.php$uri;
        }

        location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            return 404;
        }
        location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            return 404;
        }

        location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^/owncloud(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off; #Available since NGINX 1.7.11
        }

        location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri $uri/ =404;
            index index.php;
        }

        location ~ /owncloud(\/.*\.(?:css|js)) {
            try_files $1 /owncloud/index.php$1$is_args$args;
            add_header Cache-Control "max-age=15778463";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            access_log off;
        }

        location ~ /owncloud(/.*\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)) {
            try_files $1 /owncloud/index.php$1$is_args$args;
            add_header Cache-Control "public, max-age=7200";
            access_log off;
        }
    }
}

owncloud config.php

<?php
$CONFIG = array (
  'instanceid' => '<redacted>',
  'passwordsalt' => '<redacted>',
  'trusted_domains' =>
  array (
    0 => 'www.example.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '10.0.2.1',
  'dbname' => 'owncloud',
  'dbhost' => 'mysql',
  'dbtableprefix' => 'oc_',
  'dbuser' => '<redacted>',
  'dbpassword' => '<redacted>',
  'installed' => true,
  'theme' => '',
  'maintenance' => false,
  'loglevel' => 1,
  'secret' => '<redacted>',
  'trashbin_retention_obligation' => 'auto',
  'updater.secret' => '<redacted>',
  'overwritewebroot' => '/owncloud',
);

Any ideas what is going on? I can't seem to find the error.