404 on getstoragestats.php NC 17 on nginX ubuntu with ISPConfig 3.1.2

Nextcloud version (eg, 12.0.2): 17.0.2
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04.
Apache or nginx version (eg, Apache 2.4.25): nginX 1.16.1
PHP version (eg, 7.1): 7.2/7.3

The issue you are facing:
I cannot upload any file through the web interface. Basically the same as in https://github.com/nextcloud/server/issues/15865 happens to me. So the value of the hidden input “free_space” is not set, which seems to be due to the problem that the request https://mydomain.de/index.php/apps/files/ajax/getstoragestats.php?dir=%2F results in a 404. I’ve tried the solution posted in the GitHub ticket, but with no success. When I set the value of free_space manually it works fine.
Important to know: I use ISPConfig to do most of the nginX-related stuff, so my first idea was to check whether there is a problem within my vhost config, but I can’t figure it out… I don’t know how many times I’ve compared my config to the suggested one in the docs but can’t figure out any errors… Does anyone have an idea on how to fix this issue? The dude at GitHub “friendly suggested” that the problem lies within my nginX conf, so I would kindly ask for help before getting emotional on GitHub… :wink: To clarify what ISPConfig does and what I added, I’ve placed a marker in the dump of the vhost file.
Thanks.

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:

No Logs

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'MYID',
  'passwordsalt' => 'SOMECOOLSALT',
  'secret' => 'UBERSECRET',
  'trusted_domains' => 
  array (
    0 => 'mydomain.de',
  ),
  'datadirectory' => '/var/www/clients/client5/web32/web/data-SOMEHASHATTHEEND',
  'dbtype' => 'mysql',
  'version' => '17.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.de',
  'dbname' => 'c5nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'c5nextcloud',
  'dbpassword' => 'MYSUPERSECUREPW',
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

nothing here

The vhost-File:

server {
        listen MYIP:80;
        listen [MYIP]:80;
        listen MYIP:443 ssl;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        listen [MYIP]:443 ssl;
        ssl_certificate /var/www/clients/client5/web32/ssl/mydomain.de-le.crt;
        ssl_certificate_key /var/www/clients/client5/web32/ssl/mydomain.de-le.key;

        server_name mydomain.de ;

        root   /var/www/mydomain.de/web/;

        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }


        index index.html index.htm index.php index.cgi index.pl index.xhtml;



        error_log /var/log/ispconfig/httpd/mydomain.de/error.log;
        access_log /var/log/ispconfig/httpd/mydomain.de/access.log combined;

        location ~ /\. {
			deny all;
        }

        location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			auth_basic off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location /stats/ {

            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file /var/www/clients/client5/web32/web//stats/.htpasswd_stats;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files /e058ab8950a416e47a1c58aa82949134.htm @php;
        }

        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass unix:/var/lib/php7.2-fpm/web32.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
		
		# --- All of the above is from ISPConfig, All below this mark is added by me ---

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }


            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

            rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

        location = /.well-known/carddav {
              return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
              return 301 $scheme://$host:$server_port/remote.php/dav;
        }

            client_max_body_size 1024M;
            fastcgi_buffers 64 4K;

            gzip on;
            gzip_vary on;
            gzip_comp_level 4;
            gzip_min_length 256;
            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


        location / {
                rewrite ^ /index.php;
        }

        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
                deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
        }

        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true;
                fastcgi_param front_controller_active true;
                fastcgi_pass unix:/var/lib/php7.2-fpm/web32.sock;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
        }

        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
                try_files $uri/ =404;
                index index.php;
        }

        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
                try_files $uri /index.php$request_uri;
                add_header Cache-Control "public, max-age=15778463";
                add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;


                access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
                try_files $uri /index.php$request_uri;
                access_log off;
        }



}

Can I push this?

I had the same problem, I copied the recommended nginx config in the ISPConfig > Sites > my-site.com > options > nginx directives part and just used the {FASTCGIPASS} snippet and removed the document root and cert handling:

# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

location = /.well-known/carddav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
    allow all;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

location / {
    rewrite ^ /index.php;
}

location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    {FASTCGIPASS}
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
}

# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Optional: Don't log access to assets
    access_log off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
    try_files $uri /index.php$request_uri;
    # Optional: Don't log access to other assets
    access_log off;
}

After this, I had to comment this part in the generated /etc/nginx/sites-available/my-site.com.vhost:

# location ~ \.php$ {
#    try_files /e058ab8950a416e47a1c58aa82949134.htm @php;
# }

Thank you very much! That solved my issue! So the problem was the last part with the

try_files /e058ab8950a416e47a1c58aa82949134.htm @php;

or what?


Yes, Nextcloud is making lots of rules according to folder names, with rewriting to .php files, and the ISPConfig PHP configuration would bypass them.

For anyone who arrives here with Google and has problems synchronizing the contacts:
ISPConfig adds the following condition, which has to be commented out as well:

location ~ /\. {
    deny all;
}

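Why the generic ISPConfig PHP block shadows Nextcloud's own PHP location, as an added example that is not part of the original thread: a small Python model of nginx location selection (exact match, then longest prefix with `^~`, then regex locations in file order) run over the locations of the vhost posted in the question. The labels are this example's own names, and rewrite and try_files processing are not modelled.

```python
import re

# Locations from the vhost posted in the question, in file order: (modifier, pattern, label).
# "" is a plain prefix location; the labels are names made up for this example.
VHOST = [
    ("~",  r"/\.", "ispconfig-deny-dotfiles"),
    ("^~", "/.well-known/acme-challenge/", "acme"),
    ("=",  "/favicon.ico", "favicon"),
    ("",   "/stats/", "stats"),
    ("^~", "/awstats-icon", "awstats"),
    ("~",  r"\.php$", "ispconfig-php"),
    ("=",  "/robots.txt", "robots"),
    ("=",  "/.well-known/carddav", "carddav-redirect"),
    ("=",  "/.well-known/caldav", "caldav-redirect"),
    ("",   "/", "rewrite-to-index"),
    ("~",  r"^\/(?:build|tests|config|lib|3rdparty|templates|data)\/", "deny-internal"),
    ("~",  r"^\/(?:\.|autotest|occ|issue|indie|db_|console)", "deny-tools"),
    ("~",  r"^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]"
           r"|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/)", "nextcloud-php"),
    ("~",  r"^\/(?:updater|oc[ms]-provider)(?:$|\/)", "updater-dir"),
    ("~",  r"\.(?:css|js|woff2?|svg|gif|map)$", "static-assets"),
    ("~",  r"\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$", "static-other"),
]

def select_location(uri, locations):
    """Return the label of the location nginx would pick for a normalized URI."""
    best = None  # longest matching prefix location seen so far
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label                    # an exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best and best[0] == "^~":
        return best[2]                      # ^~ suppresses the regex pass
    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label                    # first matching regex in file order wins
    return best[2] if best else None

URI = "/index.php/apps/files/ajax/getstoragestats.php"   # path of the failing request
FIXED = [loc for loc in VHOST if loc[2] != "ispconfig-php"]  # generic PHP block commented out

if __name__ == "__main__":
    for uri in (URI, "/index.php", "/index.php/apps/files/"):
        print(uri, "->", select_location(uri, VHOST), "| fixed:", select_location(uri, FIXED))
```

For the failing URI the model picks the `\.php$` block, whose `@php` handler ends in `try_files $uri =404`, and the whole path is not a file on disk. With that block removed, the same URI reaches the Nextcloud front-controller location, which splits off the path info after `index.php`.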