Nextcloud version (eg, 12.0.2): 12.0.4
Operating system and version (eg, Ubuntu 17.04): Debian 9.3.0
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.25
PHP version (eg, 7.1): PHP-FPM 7.0.27
The issue you are facing:
Hi there,
I’m new to Nextcloud and just set it up this week. My problem is, if I use the web-client of Nextcloud I have no issues, besides the Problem mentioned in my other thread: Issues with Basic Auth on Parent-Directory, but I have serious Problems with the Android App. My Apache Webserver is structured this way:
h****://my.server.com (serves a basic index.html with some info. Auth by Basic Auth)
h****://my.server.com/cloud (nextcloud. No Basic Auth)
h****://my.server.com/otherservice (other services. Auth by Basic Auth - not yet implemented for reduced complexity at this moment)
I use PHP-FPM and therefore mod_proxy_fcgi, not mod_php. Also I use fail2ban for security for apache-auth and nextcloud. Here are my Apache-Sites:
01_redirect_https.conf
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyVia On
<Proxy *>
AddDefaultCharset off
Allow from all
</Proxy>
</IfModule>
ServerAdmin myserver@mydomain.de
Listen 80
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} !^/server-status
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<Location /server-status/>
SetHandler server-status
Order Deny,Allow
Deny from all
Satisfy Any
Allow from 127.0.0.1
</Location>
</VirtualHost>
02_https.conf
<IfModule ssl_module>
Alias "/cloud" "/var/www/html/cloud/"
Alias "/" "/var/www/html/"
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName my.server.com
ServerAlias myserver
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/ssl/apache2/my.server.com.crt
SSLCertificateKeyFile /etc/ssl/apache2/my.server.com.key
SSLOptions StrictRequire
SSLProtocol all -SSLv2
FilterProvider gzdeflate DEFLATE "%{Content_Type} = 'text'"
<IfModule mod_proxy_fcgi.c>
<Proxy "unix:/var/run/php/php7.0-fpm.sock|fcgi://php7.0-fpm">
# we must declare a (any) parameter in here
# or it won't register the proxy ahead of time
ProxySet disablereuse=off
</Proxy>
<FilesMatch "^/(.*\.php(/.*)?)$">
SetHandler proxy:fcgi://php7.0-fpm
</FilesMatch>
</IfModule>
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment
</IfModule>
<Directory /var/www/html>
SSLRequireSSL
Options Indexes FollowSymLinks
Order deny,allow
Allow from all
AuthType Basic
AuthName "This is private"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require user daily
</Directory>
Include sites-available/05_cloud.include
</VirtualHost>
</IfModule>
05_cloud.include
<Location /cloud>
SSLRequireSSL
SetEnvIf REQUEST_URI ^/cloud/* noauth =1
Satisfy any
</Location>
<Directory /var/www/html/cloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/html/cloud
SetEnv HTTP_HOME /var/www/html/cloud
Satisfy Any
</Directory>
And here my config.php:
<?php
$CONFIG = array (
'instanceid' => 'xxx',
'passwordsalt' => 'xxx',
'secret' => 'xxx',
'trusted_domains' =>
array (
0 => 'myserver',
1 => 'my.server.com',
),
'datadirectory' => '/mnt/raid1/cloud/data',
'overwrite.cli.url' => 'https://my.server.com/cloud/',
'dbtype' => 'mysql',
'version' => '12.0.4.3',
'dbname' => 'nextcloud',
'dbhost' => 'localhost:3306',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'cloud',
'dbpassword' => 'xxx',
'installed' => true,
'memcache.local' => '\\OC\\Memcache\\APCu',
'log_type' => 'file',
'logtimezone' => 'Europe/Berlin',
'logfile' => '/var/log/nextcloud/cloud.log',
'loglevel' => 2,
'mail_from_address' => 'test',
'mail_smtpmode' => 'php',
'mail_smtpauthtype' => 'LOGIN',
'mail_domain' => 'mydomain.de',
'auth.bruteforce.protection.enabled' => true,
);
Now, if I use the Android-Client my Apache is logging the following:
[Sun Jan 21 13:56:40.283602 2018] [authnz_external:error] [pid 16203] [client 43.127.14.250:41030] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (1) for user daily
[Sun Jan 21 13:56:40.283685 2018] [auth_basic:error] [pid 16203] [client 43.127.14.250:41030] AH01617: user daily: authentication failure for "/avatar/daily/512": Password Mismatch
[Sun Jan 21 13:56:40.739121 2018] [authnz_external:error] [pid 16204] [client 43.127.14.250:57059] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (1) for user daily
[Sun Jan 21 13:56:40.739187 2018] [auth_basic:error] [pid 16204] [client 43.127.14.250:57059] AH01617: user daily: authentication failure for "/webdav/": Password Mismatch
[Sun Jan 21 13:56:42.046211 2018] [authnz_external:error] [pid 16203] [client 43.127.14.250:41030] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (1) for user daily
[Sun Jan 21 13:56:42.046282 2018] [auth_basic:error] [pid 16203] [client 43.127.14.250:41030] AH01617: user daily: authentication failure for "/avatar/daily/512": Password Mismatch
[Sun Jan 21 13:56:43.063472 2018] [authnz_external:error] [pid 16204] [client 43.127.14.250:57059] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (1) for user daily
[Sun Jan 21 13:56:43.063526 2018] [auth_basic:error] [pid 16204] [client 43.127.14.250:57059] AH01617: user daily: authentication failure for "/apps/files_sharing/api/v1/shares": Password Mismatch
[Sun Jan 21 13:56:43.970425 2018] [authnz_external:error] [pid 16203] [client 43.127.14.250:41030] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (1) for user daily
[Sun Jan 21 13:56:43.970498 2018] [auth_basic:error] [pid 16203] [client 43.127.14.250:41030] AH01617: user daily: authentication failure for "/apps/files/api/v1/thumbnail/512/512/Nextcloud.mp4": Password Mismatch
As you can see the Android App tries to access these pathes directly on my.server.com/ and not on my.server.com/cloud/. I used the url h****://my.server.com/cloud/ for configuration of the app. And in general I see my folders in the app. But those wrong access-paths cause my fail2ban to block my ip and then… well, I’m being blocked…
This is driving me nuts. Because besides the Problem mentioned in my other posts everything is working. I don’t know what to do. And I don’t know if this is simply an issue of the Android App?
Any help would be much appreciated.
EDIT
I recently found out that the DavDroid App also has this Problem. So maybe it isn’t necessary App-Related. Currently my Nextcloud user has the same user-name and password as used for basic auth. So davdroid din’t run into this issue. But my girlfriend only has access to nextcloud, not the other sites. Now, when I installed davdroid on her mobile, I also got auth errors like stated as above. This stoped when I created a unix user with the same credentials and gave it basic auth access. So maybe it is more config related than app related. A question is still why I et the access-errors in the nextcloud app, when I use the same credentials like for nextcloud as for basic auth, but may it doesn’t hand over the credentials to to other paths like davdroid does. Anyways, this isn’t a real solution because I don’t want to give every nextcloud user access to the basic auth pages. I also added these settings to config.php with no success:
'overwritehost' => 'my.server.com',
'overwritewebroot' => '/cloud',
'htaccess.RewriteBase' => '/cloud/',
EDIT2
I enhanced my Apache Logs a little and have seen the following:
access.log
80.187.97.128 - - [21/Jan/2018:16:01:10 +0100] "GET /cloud/index.php/avatar/daily/512 HTTP/1.1" 200 1380
error.log
[Sun Jan 21 16:01:12.727830 2018] [auth_basic:error] [pid 19050] [client 80.187.97.128:30481] AH01617: user daily: authentication failure for "/avatar/daily/512": Password Mismatch
Looks like there has been asked for the correct Url, but it has been interpreted the wrong way. Any clues?
Is this the first time you’ve seen this error? (Y/N): Y, Initial Setup of Nextcloud