Our ownCloud instance is running behind a WAF (Sophos UTM). As an added layer of security we were using the reverse authentication feature of the firewall.
When upgrading the OS from Debian 9 to 10, ownCloud got upgraded from 9.1 to 10.3 as well.
Expected behaviour
The user logs in on the login page provided by the WAF. The login details are getting passed to the ownCloud webserver via basic auth. ownCloud logs the user in and returns the requested page.
Actual behaviour
The user logs in on the login page provided by the WAF. The login details are getting passed to the webserver via basic auth. ownCloud ignores them and requests that the user logs in on the ownCloud login page.
As a workaround we have disabled reverse authentication from the WAF.
Both are using the same LDAP server to validate the login details.
Server configuration
Operating system:
Debian 10 Buster
Web server:
Apache 2.4.38
Database:
MariaDB 10.3.18
PHP version:
PHP 7.2.25
Updated from 7.0 together with ownCloud and the OS.
ownCloud version:
10.3.2
Updated from an older ownCloud or fresh install:
Updated from 9.1
Where did you install ownCloud from:
Initial installation (as far as I can tell) and upgrade has been done via APT.
Are you using encryption: yes/no
No. The WAF handles HTTPS.
Logs
Nothing that points to an authentication error in the ownCloud log or in the Apache error log.
Only token refresh messages in owncloud.log.
Has there been an update that changed the way ownCloud handles logins? I didn't find anything that could be connected to my issue in the changelogs.