Sometimes OC login asks to add client IP as trusted domain, oc.js failure

9.1.x
10
hosting
webserver_issue

#1


One shared host with ownCloud 9 starts to refuse login (sporadically) after ~3 months of the first successful login.
Sometimes it works fine, but sometimes with no reasonable explanation pops up:

You are accessing the server from an untrusted domain.
Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domains" setting in config/config.php. An example configuration is provided in config/config.sample.php.
Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

The instability happens only with the domain with Let's Encrypt DNS challenge validation. I tested with a subdomain validation certificate (*.sslblindado.com from GeoTrust) and it is stable.

There is only one installation of ownCloud, but the DNS zone has 2 domains pointed to the installation (example.com.br with Let's Encrypt and example2.sslblindado.com with GeoTrust).

When it works I can identify Content-Encoding: gzip.
The host has 256 MB of memory, but OC9 users have files of 300K.
Do you have any hint what is causing the login failure?
Regards
Murilo

Steps to reproduce Test1

1. https://example.com.br

Steps to reproduce Test2

1. https://example.com.br/index.php/core/js/oc.js?v=[...]

Expected behaviour

Test1
The login window to type user and password.

Test2: expected JavaScript like
var oc_debug=false;
var oc_isadmin=false;
var oc_dataURL=false;
var oc_webroot="";
... ... ...

Actual behaviour

Test1
OC9 shows an HTML page without login fields, but
You are accessing the server from an untrusted domain. ....
and asks to add the client IP as trusted domain.

Test2
OC9 shows an HTML page with
You are accessing the server from an untrusted domain. ....

Server configuration

Operating system:
Linux:1 4.1.8-1.el6.elrepo.x86_64
Web server:
uolhost.com.br
Database:
sqlite3

PHP version:
PHP Version 5.6.28
ownCloud version: (see ownCloud admin page)
9.1.4 (stable), but same behavior with Version 10.0.2
Updated from an older ownCloud or fresh install:
No
Where did you install ownCloud from:
https://owncloud.org/install/

http://example.com/index.php/settings/integrity/failed
No errors have been found.

The content of config/config.php:
<?php
$CONFIG = array (
'theme' => 'AA',
'instanceid' => 'EDIT',
'passwordsalt' => 'EDIT',
'secret' => 'EDIT',
'trusted_domains' =>
array (
0 => 'www.example.com.br',
1 => 'example.com.br',
2 => 'example2.sslblindado.com',
),
'datadirectory' => '/var/www/html/example2.com.br/web/data',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'overwrite.cli.url' => 'https://example.com.br',
'dbtype' => 'sqlite3',
'version' => '9.1.4.2',
'logtimezone' => 'America/Sao_Paulo',
'installed' => true,
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'EDIT',
'mail_domain' => 'example.com.br',
'mail_smtpauth' => 1,
'mail_smtphost' => 'smtp.example.com.br',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpport' => '587',
'mail_smtpname' => 'user@example.com.br',
'mail_smtppassword' => 'EDIT',
'loglevel' => 2,
'enable_certificate_management' => true,
'singleuser' => false,
'versions_retention_obligation' => 'auto,30',
'memcache.local' => '\OC\Memcache\ArrayCache',
);

List of activated apps:
The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
Enabled:
- activity: 2.3.2
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.2.7
- federatedfilesharing: 0.3.0
- federation: 0.1.0
- files: 1.5.1
- files_pdfviewer: 0.8.1
- files_sharing: 0.10.0
- files_texteditor: 2.1
- files_trashbin: 0.9.0
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 15.0.0
- notifications: 0.3.0
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.1
- updatenotification: 0.2.1
Disabled:
- encryption
- external
- files_antivirus
- files_external
- user_external
- user_ldap

Are you using external storage, if yes which one: local/smb/sftp/...
NO
Are you using encryption: yes/no
YES

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

Client configuration

Browser:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Operating system:
WIN10

Logs


ownCloud log (data/owncloud.log)

{"reqId":"EDIT","remoteAddr":"123.321.123.321","app":"core","message":"Trusted domain error. \"123.321.123.321\" tried to access using \"123.321.123.321\" as host.","level":2,"time":"2017-08-04T17:44:42-03:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}

Browser log

Successful
Request URL:https://example.com.br/index.php/login
Request Method:GET
Status Code:200 OK
Remote Address:XXX.XXX.XXX.XXX:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
Cache-Control:no-cache, must-revalidate
Connection:keep-alive
Content-Encoding:gzip
Content-Length:2096
Content-Security-Policy:default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type:text/html; charset=UTF-8
Date:Fri, 04 Aug 2017 19:58:08 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:Apache
Strict-Transport-Security:max-age=15768000
X-Cache-Status:BYPASS
X-Content-Type-Options:nosniff
X-Download-Options:noopen
X-Frame-Options:SAMEORIGIN
X-Permitted-Cross-Domain-Policies:none
X-Robots-Tag:none
X-XSS-Protection:1; mode=block
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,de;q=0.6,pt-BR;q=0.4,pt;q=0.2
Connection:keep-alive
Cookie:Edited
DNT:1
Host:example.com.br
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Bad Request
Request URL:https://www.example.com.br/
Request Method:GET
Status Code:400 Bad Request
Remote Address:XXX.XXX.XXX.XXX:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:keep-alive
Content-Length:6932
Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Content-Type:text/html; charset=UTF-8
Date:Fri, 04 Aug 2017 19:44:40 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:Apache
Status:400 Bad Request
Strict-Transport-Security:max-age=15768000
X-Content-Type-Options:nosniff
X-Download-Options:noopen
X-Frame-Options:SAMEORIGIN
X-Permitted-Cross-Domain-Policies:none
X-Robots-Tag:none
X-XSS-Protection:1; mode=block
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,de;q=0.6,pt-BR;q=0.4,pt;q=0.2
Cache-Control:max-age=0
Connection:keep-alive
Cookie:EDITED
DNT:1
Host:www.example.com.br
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
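An added triage script, not from the original post and not ownCloud's own code, that parses JSON-lines entries like the owncloud.log line above, checks each failing Host against the trusted_domains list from the posted config.php, and flags requests whose Host header equals the client's own IP, the pattern visible in the heartbeat entry. The sample log lines are constructed, and the port-stripping and '*' wildcard handling are an assumption modelled on ownCloud's trusted-domain check.

```python
import json
import re
from collections import Counter

# trusted_domains copied from the config.php in the report above
TRUSTED_DOMAINS = ["www.example.com.br", "example.com.br", "example2.sslblindado.com"]

# Constructed sample log (JSON lines), modelled on the single entry in the report.
SAMPLE_LOG = r'''
{"reqId":"r1","remoteAddr":"123.321.123.321","app":"core","message":"Trusted domain error. \"123.321.123.321\" tried to access using \"123.321.123.321\" as host.","level":2,"time":"2017-08-04T17:44:42-03:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}
{"reqId":"r2","remoteAddr":"203.0.113.7","app":"core","message":"Trusted domain error. \"203.0.113.7\" tried to access using \"cdn.example.com.br\" as host.","level":2,"time":"2017-08-04T17:45:00-03:00","method":"GET","url":"\/index.php\/login","user":"--"}
{"reqId":"r3","remoteAddr":"203.0.113.7","app":"core","message":"Login successful","level":1,"time":"2017-08-04T17:46:00-03:00","method":"POST","url":"\/index.php\/login","user":"--"}
'''

MSG_RE = re.compile(r'Trusted domain error\. "(?P<addr>[^"]*)" tried to access using "(?P<host>[^"]*)" as host\.')

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Approximates ownCloud's trusted_domains check (assumption: case-insensitive,
    an optional :port is ignored, and '*' in an entry acts as a wildcard)."""
    bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host  # drop :port, keep IPv6 as-is
    for entry in trusted:
        pattern = "^" + re.escape(entry.lower()).replace(r"\*", ".*") + "$"
        if re.match(pattern, host.lower()) or re.match(pattern, bare.lower()):
            return True
    return False

def parse_trusted_domain_errors(log_text):
    """Return one record per 'Trusted domain error' line in a JSON-lines ownCloud log."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        m = MSG_RE.search(entry.get("message", ""))
        if m:
            records.append({"host": m.group("host"), "remoteAddr": entry.get("remoteAddr", ""),
                            "method": entry.get("method", ""), "url": entry.get("url", "")})
    return records

def triage(log_text, trusted=TRUSTED_DOMAINS):
    """Group errors by host and URL; flag the signature from this report, a Host header
    equal to the client's own IP, which no trusted_domains entry is meant to match."""
    counts = Counter((r["host"], r["url"], r["host"] == r["remoteAddr"])
                     for r in parse_trusted_domain_errors(log_text))
    return [{"host": h, "url": u, "count": n, "trusted": is_trusted(h, trusted),
             "host_is_client_ip": ip} for (h, u, ip), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it against a real data/owncloud.log by passing the file contents to triage(); rows with host_is_client_ip set point at requests that reached ownCloud with the client address in the Host header rather than one of the configured domains.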


#2

Hi murilomonteiro

There is already an open issue in GitHub about this behavior. Thanks for your post.


#3

Hi,

I changed the trigger of cron.php from AJAX to webcron and it starts to work automagically. IMHO a cron task is a better solution than webcron, if your (shared) host allows it.

I am still testing, but perhaps this helps someone.
Regards
Murilo