Can't login without SSL (using just http)

nicrame · September 28, 2021, 10:48pm

Hello.
I’ve got strange problem. I’ve seen it on Nextcloud 21.0.4, so i upgraded to 22.1.1.2 but it didn’t help.
I can login correctly using HTTPS. My Nextcloud Windows client, and Android client are logged in correctly and working fine.
But when i try to login without SSL (using HTTP://) Then it always come back to login page. Just like i would refresh login page. Same time https:// is working correctly.

Nextcloud version (eg, 20.0.5): 22.1.1 - 22.1.1.2
Operating system and version (eg, Ubuntu 20.04): Linux 4.18.0-305.19.1.el8_4.x86_64 #1 SMP Tue Sep 7 07:07:31 EDT 2021 x86_64 - RHEL8
Apache or nginx version (eg, Apache 2.4.25): nginx/1.14.1 (fpm-fcgi)
PHP version (eg, 7.4): 7.4.24

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, cgi-fcgi, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, imap, intl, json, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sodium, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, mcrypt, mysqli, pdo_mysql, pdo_sqlite, recode, xmlreader, xmlrpc, zip, apcu, geos, igbinary, imagick, lzf, msgpack, phpiredis, smbclient, zstd, mysql, redis, libsmbclient, Zend OPcache

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

Load main login page using HTTP (without SSL, on port 80).
Enter correct login details.
After click on Login button Login page is loaded again and again.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"ZP7H0eHsFkD6bLogfNne","level":0,"time":"2021-09-28T22:18:09+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"7KVDqaLvBM3rKe2UjaBU","level":0,"time":"2021-09-28T22:18:09+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"fWQTDHkA940qTQRpHaRe","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"POST","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"0OwCYPqjZd8Lv9D7tO2A","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/apps/dashboard/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"0OwCYPqjZd8Lv9D7tO2A","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Current user is not logged in","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":97,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":118,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":156,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":301,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1000,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":141,"CustomMessage":"Current user is not logged in"}}
{"reqId":"rcDcazSRWMvFUz8DwsCX","level":0,"time":"2021-09-28T22:18:13+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/login?redirect_url=/apps/dashboard/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

{
    "blacklisted_files": [],
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "127.0.0.1",
        "***REMOVED SENSITIVE VALUE***",
        "***REMOVED SENSITIVE VALUE***",
        "***REMOVED SENSITIVE VALUE***"
    ],
    "enable_previews": true,
    "enabledPreviewProviders": [
        "OC\\Preview\\TXT",
        "OC\\Preview\\MarkDown",
        "OC\\Preview\\PDF",
        "OC\\Preview\\Image",
        "OC\\Preview\\Photoshop",
        "OC\\Preview\\TIFF",
        "OC\\Preview\\SVG",
        "OC\\Preview\\Font",
        "OC\\Preview\\MP3",
        "OC\\Preview\\Movie",
        "OC\\Preview\\MKV",
        "OC\\Preview\\MP4",
        "OC\\Preview\\AVI"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "22.1.1.2",
    "overwrite.cli.url": "http:\/\/mynas.url.addrs",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "xf_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "default_language": "pl",
    "default_locale": "pl",
    "simpleSignUpLink.shown": false,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "skeletondirectory": "core\/my-default",
    "maintenance": false,
    "app_install_overwrite": [
        "bruteforcesettings",
        "dicomviewer",
        "files_photospheres"
    ],
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "tls",
    "mail_sendmailmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "default_phone_region": "PL",
    "theme": "",
    "loglevel": 0,
    "updater.release.channel": "stable"
}

The output of your Apache/nginx/system log in /var/log/____:
nginx access.log:

192.168.50.1 - - [29/Sep/2021:00:18:09 +0200] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:09 +0200] "GET /login HTTP/1.1" 200 6540 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:12 +0200] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:12 +0200] "GET /apps/dashboard/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:13 +0200] "GET /login?redirect_url=/apps/dashboard/ HTTP/1.1" 200 6563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"

nginx error.log:

this file is empty

php-fpm error.log:

[29-Sep-2021 00:18:00] NOTICE: fpm is running, pid 136342
[29-Sep-2021 00:18:00] NOTICE: ready to handle connections
[29-Sep-2021 00:18:00] NOTICE: systemd monitor interval set to 10000ms

Encryption is disabled and not used.

EDIT1:
I’ve installed Nextcloud 22.1.1.2 on creal VM with similar config to what i use and logging in over http is working fine, until the moment when i login thru httpS. Even if i do that with 1 user, all other users (created using http earlier) can’t login using http anymore (they must use httpS). I will try to investigate that more.
Removing PHP session files and restarting php-fpm and nginx service didn’t help.

bb77 · September 29, 2021, 7:46am

Hi @nicrame

Why would you wanna do that in the first place…? Usually people want to achieve exactly the opposite. On my instance all http requests are permanently redirected to https. However, this does not seem to work correctly on your installation. That’s why you are getting these 302 and 303 errors.

Please post your nginx config, so that maybe someone can help you with that. I personally do not know nginx very well and will probably not be of much help…

devnull · September 29, 2021, 9:29am

Sorry. I do not know your operating system and i do not use nginx.

But in this installation guide you find an installation for Nextcloud, Ubuntu 20.04 LTS and nginx.

I think you must configure nginx in the way that always http is redirected to https. Perhaps you find it in the configuration guide. I think it is a nginx problem.

nicrame · September 29, 2021, 11:28am

Ohh it’s simple. While HTTPS is working fine for me and my family that use it from outside (Internet), i also got VPN (ZeroTier actually) that is encrypting everything. I use MountainDuck (to show my Nextcloud files as drive letter (in the past Nextcloud client didn’t have such option). Since ZeroTier solution already encrypts everything - there is no need to use another layer of encryption.

My nginx.conf looks like that:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   365;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    fastcgi_read_timeout 300;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

   # Setup listening port to 90 for testing purposes
    server {
        listen       90 default_server;
        listen       [::]:90 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

My Nextcloud nginx config file (/etc/nginx/conf.d/nextcloud.conf):

upstream php-handler {
        server unix:/var/opt/remi/php74/run/php-fpm/www.sock;
        }

server {
        server_name mydomain.dot.com;
        listen 80 default_server;
        listen 85 default_server;
        listen 443 ssl default_server;
        listen [::]:80 default_server;
        listen [::]:85 default_server;
        listen [::]:443 ssl default_server;
    server_name _;

        ssl_certificate /etc/letsencrypt/live/mydomain.dot.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lmydomain.dot.com/privkey.pem;

        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        fastcgi_hide_header X-Powered-By;
        fastcgi_read_timeout 300;

        # Path to the root of your installation
        root /var/www/nextcloud/;

                location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
        location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
    }

        # set max upload size

        client_max_body_size 16884M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x

        fastcgi_hide_header X-Powered-By;

        location / {
                rewrite ^ /index.php;
        }

        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {

                deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
        }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    # fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    }

        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
                try_files $uri/ =404;
                index index.php;
        }

# Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
                add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

And my /etc/nginx/conf.d/php-fpm.conf:

upstream php-fpm {
        server unix:/var/opt/remi/php74/run/php-fpm/www.sock;
}

Forcing to use httpS will do not give me any benefit. It will make higher CPU load, but as i’m using already encrypted connection with ZeroTier i completely do not need that. Also Ubuntu is quiet different than RHEL (different packages, and some config files) and i really like that ecosystem. For me much better documented and more corporate style. But i will check that tutorial, maybe i will find something.

PS. I know that on RHEL/CentOS/Rocky Linux there is problem with nginx and PHP with directories owner, and i’ve got this under control with:
chown -R nginx:nginx /var/opt/remi/php74/lib/php/session/
chown -R nginx:nginx /var/opt/remi/php74/lib/php

bb77 · September 29, 2021, 11:42am

Why are you using ZeroTier, when your Nextcloud is publicly availiable anyways? MountainDuck can use WebDAV and WebDAV itself uses HTTPS. So if you ask me, there is no need for an additional layer like Zerotier.

nicrame · September 29, 2021, 11:48am

Because Nextcloud is not the only service i use from my server outside. It’s just one of the puzzles i use to work. The rest are not available from outside. I use special config(from the authors) with MountainDuck that do not use httpS with Nextcloud. In my case SSL is just more CPU load, that i do not need.

bb77 · September 29, 2021, 11:55am

Then you should maybe use ZeroTier only for these other services. Or do you route all the traffic through zerotier on this client?

Anyways. You could maintain two nginx configs. One for port 80 and one for port 443. But then the regular clients would have to specify HTTPS explicitly and you would have to block Port 80 from the outside world, which would probably make autorenewal for Let’s Encrypt Certificates more dificult.

A better way would be using a reverse proxy, which handels the certificates and all the traffic for the regular clients. You could then connect your MountainDuck client directly to local IP address of the server via Zerotier, bypassing the Reverse Proxy. But to be honest, I find this is way too complicated, just to save a few CPU cycles

devnull · September 29, 2021, 12:02pm

Sorry. Than i can not help you. I see no need for Zerotier and move TLS overhead to a service provider.

nicrame · September 29, 2021, 12:22pm

But the ZeroTier and my configuration is not so important. The question is, why it stopped to work. Because it did few versions ago (but i didn’t notice it fast enough). I would just want to make it work, like in the past. The reverse proxy idea is good in some scenarios, but i do not need it.

But maybe this is the reason, maybe nginx were updated and started to working incorrectly when HTTP and HTTPS is in one config file. I will check that out.

It is just not smart idea, to exclude some service from ZT because id do not work like it should.

nicrame · September 29, 2021, 3:57pm

Ok. What i find out, is that - removing cookies for Nextcloud site make possible to login with http protocol. Everything is working fine, until i login with httpS protocol. Then it is impossible to login using http only. So maybe this is just web browser problem (I have tested on Firefox 92.0.1 and Google Chrome Version 94.0.4606.61 (Official Build) (64-bit) with same result). Or maybe this is settings handling by Nextcloud itself. I’m happy that it is not problem of my configuration (of web server/PHP/Nextcloud).

I’ll report that on GitHub.