Can't logout behind NGINX reverse proxy

Nextcloud version: 13.0.0
Operating system and version: Linux Mint 18.3 Sylvia
Apache or nginx version: nginx/1.10.3 (Ubuntu)
PHP version: PHP 7.0.25-0ubuntu0.16.04.1


If I visit nextcloud via the reverse proxy, I immediately get logged in with the admin account. The logout link works, but it redirects to /login and then straight back to /apps/files.
Interestingly enough, if I visit nextcloud via the local IP, the logout works fine.

Steps to replicate it:

  1. Set up nextcloud behind a NGINX reverse proxy with the given config files
  2. Try to logout behind the reverse proxy

The nextcloud.log shows an empty string for remoteAddr:

{"reqId":"puOc3JFbLZJpXJr71n8L","level":3,"time":"2018-02-17T11:59:08+01:00","remoteAddr":"","user":"henning","app":"PHP","method":"GET","url":"\/settings\/admin","message":"unlink(\/media\/HDD1\/appdata_oczebt34cvd9\/css\/core\/a395fc1c-jquery.ocdialog.css.deps): No such file or directory at \/var\/www\/nextcloud\/lib\/private\/Files\/Storage\/Local.php#225","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0.3 Safari\/604.5.6","version":"13.0.0.14"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => '192.168.178.62',
    1 => '10.8.0.10',
    2 => 'domain.tld',
  ),
  'datadirectory' => '/media/HDD1',
  'dbtype' => 'mysql',
  'version' => '13.0.0.14',
  'dbname' => 'nextCloudDB',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloudDB',
  'dbpassword' => '',
  'logtimezone' => 'Europe/Berlin',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'cloud',
  'mail_domain' => '',
  'mail_smtpauth' => 1,
  'mail_smtphost' => '',
  'mail_smtpport' => '465',
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
);

NGINX reverse proxy config (/etc/nginx/sites-available/cloud):

server {
   listen  80;
   server_name     domain.tld;
   return 301 https://$server_name$request_uri;
}
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        include snippets/ssl-domain.tld.conf;
        include snippets/ssl-params.conf;

        server_name domain.tld;
        underscores_in_headers on;
        location / {
                auth_basic "Restricted Content";
                auth_basic_user_file /etc/nginx/.htpasswd;
                include /etc/nginx/proxy_params;
                proxy_pass http://10.8.0.10;
        }
}

/etc/nginx/proxy_params:

proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

add_header Front-End-Https on;

client_max_body_size 0;

NGINX Config on nextcloud server:

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	listen 443 ssl;

	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header X-Content-Type-Options nosniff;

	root /var/www/nextcloud/;

	ssl_certificate /etc/nginx/ssl/nginx.crt;
	ssl_certificate_key /etc/nginx/ssl/nginx.key;

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}
	location = /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
	}
	client_max_body_size 50000M;
	fastcgi_buffers 64 4K;
	gzip off;
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;
	location / {
		rewrite ^ /index.php$uri;
	}
	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}
	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
		include fastcgi_params;
		fastcgi_split_path_info ^(.+\.php)(/.*)$;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
		fastcgi_param REMOTE_ADDR $http_x_real_ip;
	}
	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	}
	location ~* \.(?:css|js|woff|svg|gif)$ {
		try_files $uri /index.php$uri$is_args$args;
		add_header Cache-Control "public, max-age=7200";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		access_log off;
	}
	location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		try_files $uri /index.php$uri$is_args$args;
		access_log off;
	}
}

Hope you guys can help me :smiley:

Sounds like you use some kind of auto-login. Username and password saved somewhere, and it automatically logs you in as soon as you visit the site. Might that be the case?
Are you logged in automatically at other websites?

I already cleared the cache in my browser, but I also get logged in with every other device I use to open the login page.

I already understood that you cleared the cache :slight_smile:
However, from the fact that you see the same behavior on other devices, this issue seems to be linked to the proxy.
I get the impression it is sending the login credentials somehow. Or something else is broken with your server.

The first thing that seems odd:

That should be two blocks actually, just like you have it in your proxy config:

Can you fix that and try whether it changes the behavior already?

If not, please check: the passwd file (/etc/nginx/.htpasswd;) contains valid entries, right?

I want to access nextcloud without any SSL in my local environment, but I already tried it with 2 separate blocks and it didn’t work either.

I added it after I spotted the bug, because not everybody should get access to my admin account :roll_eyes:

It’s worth mentioning that both servers are connected via OpenVPN, but I don’t think this causes the problem. I thought about cookie buffering or similar on the proxy side, but the headers

    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;

have not changed any behavior.

I wonder if nginx doesn’t complain and stops loading your config with both ports in one block.

nginx -t
says your config is alright? Did you reload nginx after your config changes?

What do the logs say? Any hints where the login is coming from? Maybe the browser debug console tells something more.
If you suspect the cookies, did you delete the cookies for your server (in the browser)?

In this block right here, I have additional parameters:

    fastcgi_pass_header Authorization;
    fastcgi_pass_header http_oauth_token;
    fastcgi_pass_header oauth_token_secret;

I don’t know why, actually :smiley: Do you want to try them out?

I have no further ideas unfortunately :frowning: Strange issue!

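The reply above suspects the proxy is sending login credentials, and asks where the login is coming from. The proxy config in this thread uses auth_basic, and proxy_pass forwards the browser's request headers (including the resulting Authorization: Basic header) to the backend, while the backend nginx fills REMOTE_ADDR from $http_x_real_ip. The following added example (not code from the thread or from Nextcloud) parses a constructed copy of such a forwarded request and reports exactly those two things: which X-Real-IP value becomes remoteAddr, and whether a Basic credential (username only, never the password) reaches the backend. The sample request, host, IP and credential are made up.

```python
import base64
from typing import Dict, Optional

# Constructed sample: a request as it would arrive at the Nextcloud nginx
# from the reverse proxy in this thread (all values are made up).
SAMPLE_REQUEST = (
    "GET /logout HTTP/1.1\r\n"
    "Host: domain.tld\r\n"
    "X-Real-IP: 203.0.113.5\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "X-Forwarded-Proto: https\r\n"
    "Authorization: Basic aGVubmluZzpzZWNyZXQ=\r\n"  # constructed "henning:secret"
    "Cookie: nc_session_id=deadbeef\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def basic_auth_user(headers: Dict[str, str]) -> Optional[str]:
    """Username carried by an Authorization: Basic header, or None.
    The password part is decoded but deliberately discarded."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed token: not a usable credential
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def diagnose(raw: str) -> Dict[str, object]:
    """What the backend config in this thread would derive from the request."""
    headers = parse_headers(raw)
    return {
        # fastcgi_param REMOTE_ADDR $http_x_real_ip: absent header -> empty remoteAddr
        "remote_addr": headers.get("x-real-ip", ""),
        # a forwarded Basic credential means every request arrives with a login attached
        "forwarded_basic_user": basic_auth_user(headers),
        "scheme": headers.get("x-forwarded-proto", ""),
    }
```

If the report shows the Basic credential reaching the backend, nginx can keep auth_basic at the proxy and still drop the header from the upstream request with `proxy_set_header Authorization "";` (an option to verify in your setup, not something the thread has tested).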

everything is fine here:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Yes I did, and it wouldn’t make sense because on other devices (where the cookies just can’t exist) the logout doesn’t work either.

Tried them, still the same behavior, but I left them in my config for good luck :smiley:

Just getting these 2 errors, I don’t know how to interpret them :thinking:

[Error] Unrecognized Content-Security-Policy directive 'manifest-src'.

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (files, line 0)

Yes, I have been trying and tweaking the configs since yesterday to hopefully fix it one day and go into production.

Hi, I am also having the same problem on my server. The error says:

Unrecognized Content-Security-Policy directive ‘manifest-src’

Failed to load resource: the server responded with a status of 405 (Method Not Allowed)

My system configuration is Ubuntu 16.04, Nginx, Nextcloud 13.0.0

I am also having the same issue, has anyone been able to find the bug?