Can't share directory to external network cause of webdav

[/details]

Nextcloud version _23.0.2
Operating system and version _rhel 8.6
Apache or nginx version _Apache/2.4.37
PHP version _7.4.28

I use nextcloud from local and external networks. I’ve nginx reverse proxy for local and WAF for external connections. When I share directory link I can connect from local but can’t connect from external because the system uses webdav technology. ( I can see the blocking reasons on WAF because of using webdav ), for security reasons I can’t enable webdav on WAF.

How can I solve this problem?

<?php
$CONFIG = array (
  'instanceid' => 'ocl7fx8z9fxf',
  'passwordsalt' => 'qN9gDIvqwtNUzoY6PbRD9M',
  'secret' => 'owJObcXIsqBNqIduZ',
  'trusted_domains' =>
  array (
    0 => 'X.X.X.X',
    1 => 'X.X.X.X',
    3 => 'X.X.X.X',
    4 => 'share.domain',
    5 => 'https://domain',
    6 => 'localhost',
  ),
  'datadirectory' => '/share/',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'https://share.domain',
  'htaccess.RewriteBase' => 'https://share.domain',
  'session_lifetime' => 3600,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncloud',
  'dbpassword' => 'pass',
  'installed' => true,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_domain' => 'share.domain',
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'X.X.X.X',
  'mail_smtpauthtype' => 'NTLM',
  'mail_smtpport' => '25',
  'mail_sendmailmode' => 'smtp',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
);

X.X.X.X - - [12/Jul/2022:12:01:43 +0400] “GET /s/HF74XWk7qCfRqLK HTTP/1.1” 200 7816 “-” “Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36”
X.X.X.X - - [12/Jul/2022:12:01:43 +0400] “GET /cron.php HTTP/1.1” 200 20 “-” “Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36”
X.X.X.X - - [12/Jul/2022:12:01:44 +0400] “GET /ocs/v2.php/apps/text/public/workspace?path=%2F&shareToken=HF74XWk7qCfRqLK HTTP/1.1” 404 114 “-” “Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36”



There are no logs in nextcloud.log and web logs.

Which web application firewall? Can you post the logs? The above logs are not useful. 404 is file not found.

Are you a proffessional provider? If not WAF is not useful. Uninstall WAF or have your Nextcloud hosted where there is no useless WAF. Nobody needs it. What should the firewall find? Viruses in exe-files that a normal virescanner should find on the client?

Maybe it’s fortinet WAF. The network administrator helps me with that. We need WAF because of security policies.

But my question is about webdav, can I disable it somehow?

You can read this thread. But it makes no sense. Nextcloud does not only use WebDAV features for data transfer. It uses also normal HTTPS-requests. If you want to deny WebDAV or your WAF wants to deny it, it is incomplete and stupid. What is the function of your WAF? Security? Hopefully not. Probably more the management and any unnecessary requests.

How can I connect to nextcloud from browser with normal https request?
(cause when I try to connect the session is perceived as webdav session)

I think there are a lot of HTTP-requests. You can use in your browser the developer tools (e.g. F12 in Firefox, Edge) and then network analysis. Post screenshots.

Where does it say that? Your WAF? For every request? Compare logs with browser network analysis screenshots.

The problem here is that WebDAV, CardDAV etc is all HTTPS traffic. So the Fortigate will probably have issues to detect everything correctly.

Maybe this is of any help: Specifying allowed HTTP methods But be aware that tuning all this will most likely be a tedious process with a lot of trial and error. But together with the browser network analysis, as suggested by @devnull you might be able to figure out which requests you can block on the Fortigate, without breaking anything that still needs to work.

1 Like

No, I don’t think so. WebDAV is essential to many Nextcloud functions.

In that case, I would say your security policy is probably incompatible with Nextcloud and needs to be revised.

1 Like

But I don’t use sync functions, I only need to share files (directories) with web browsers.

For testing you can rename remote.php to remote-no-function.php. I think it is the option to deactivate WebDAV but i think Nextcloud would not work correctly.

I don’t know why WebDAV is seen as a security risk. That is complete nonsense. If the data exchange is to be the problem, than HTTP(S) would have to be completely prevented. If you have problem with the WebDAV security issues ask the Nextcloud communiyt why there is no security issue for Nextcloud and WebDAV is used at Nextcloud. Thousands of developers are wrong? I think not.

1 Like

I see it more or less the same way. I don’t think that blocking or disabling WebDAV will significantly increase the overall security of your Nextcloud instance. I mean you can’t really do anything via WebDAV that you couldn’t do via the web interface.

If security really is such a big concern, you might want to think about not making Nextcloud accessible from outside your network at all, or only via a VPN connection, which would actually decrease potential attack vectors significantly.

1 Like

Maybe you can better use small tools like https://tinyfilemanager.github.io/.

For security reason do in Tiny File Manager:

disable online viewer: $is_onlineViewer = false;
disable user authentication: $use_auth = false;
set .htaccess for good user authentication
use HTTPS
implement .htaccess and php-script outside the data dir
allow only upload of positive suffix-list e.g. .txt, .jpg, …
disallow executing of scripts e.g. php in datadirectory

I think the more likely scenario is just that the network admin is unwilling or unable to configure the filter as needed for Nextcloud to work.

If all you need to do is share files in the browser, and that feature doesn’t use WebDAV, then you should currently have no issue. Right?