Can't share directory to external network cause of webdav


Nextcloud version: 23.0.2
Operating system and version: RHEL 8.6
Apache or nginx version: Apache/2.4.37
PHP version: 7.4.28

I use Nextcloud from local and external networks. I have an nginx reverse proxy for local connections and a WAF for external connections. When I share a directory link I can connect from local but can't connect from external, because the system uses WebDAV technology (I can see the blocking reasons on the WAF: because of using WebDAV). For security reasons I can't enable WebDAV on the WAF.

How can I solve this problem?

<?php
$CONFIG = array (
  'instanceid' => 'ocl7fx8z9fxf',
  'passwordsalt' => 'qN9gDIvqwtNUzoY6PbRD9M',
  'secret' => 'owJObcXIsqBNqIduZ',
  'trusted_domains' =>
  array (
    0 => 'X.X.X.X',
    1 => 'X.X.X.X',
    3 => 'X.X.X.X',
    4 => 'share.domain',
    5 => 'https://domain',
    6 => 'localhost',
  ),
  'datadirectory' => '/share/',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'https://share.domain',
  'htaccess.RewriteBase' => 'https://share.domain',
  'session_lifetime' => 3600,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncloud',
  'dbpassword' => 'pass',
  'installed' => true,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_domain' => 'share.domain',
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'X.X.X.X',
  'mail_smtpauthtype' => 'NTLM',
  'mail_smtpport' => '25',
  'mail_sendmailmode' => 'smtp',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
);

X.X.X.X - - [12/Jul/2022:12:01:43 +0400] "GET /s/HF74XWk7qCfRqLK HTTP/1.1" 200 7816 "-" "Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
X.X.X.X - - [12/Jul/2022:12:01:43 +0400] "GET /cron.php HTTP/1.1" 200 20 "-" "Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"
X.X.X.X - - [12/Jul/2022:12:01:44 +0400] "GET /ocs/v2.php/apps/text/public/workspace?path=%2F&shareToken=HF74XWk7qCfRqLK HTTP/1.1" 404 114 "-" "Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"

There are no logs in nextcloud.log and web logs.

Which web application firewall? Can you post the logs? The above logs are not useful. 404 is file not found.

Are you a professional provider? If not, a WAF is not useful. Uninstall the WAF or have your Nextcloud hosted where there is no useless WAF. Nobody needs it. What should the firewall find? Viruses in exe files that a normal virus scanner should find on the client?

Maybe it's a Fortinet WAF. The network administrator helps me with that. We need the WAF because of security policies.

But my question is about webdav, can I disable it somehow?

You can read this thread. But it makes no sense. Nextcloud does not only use WebDAV features for data transfer. It uses also normal HTTPS-requests. If you want to deny WebDAV or your WAF wants to deny it, it is incomplete and stupid. What is the function of your WAF? Security? Hopefully not. Probably more the management and any unnecessary requests.

How can I connect to Nextcloud from a browser with normal HTTPS requests?
(Because when I try to connect, the session is perceived as a WebDAV session.)

I think there are a lot of HTTP-requests. You can use in your browser the developer tools (e.g. F12 in Firefox, Edge) and then network analysis. Post screenshots.

Where does it say that? Your WAF? For every request? Compare logs with browser network analysis screenshots.

The problem here is that WebDAV, CardDAV etc. is all HTTPS traffic. So the Fortigate will probably have issues detecting everything correctly.

Maybe this is of any help: https://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/specify_allowed_methods.htm But be aware that tuning all this will most likely be a tedious process with a lot of trial and error. But together with the browser network analysis, as suggested by @devnull you might be able to figure out which requests you can block on the Fortigate, without breaking anything that still needs to work.

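As an added example for the approach suggested in the post above (pairing the browser's network panel with the WAF's allowed-method list), here is a small Python script that sorts Apache access-log lines into plain HTTPS requests, WebDAV methods, and requests to Nextcloud's DAV endpoints. It is not code from Nextcloud, FortiWeb or anyone in this thread. The three GET lines in the sample are the ones quoted earlier; the PROPFIND and `public.php/webdav` lines are constructed, based on the assumption that a public folder share issues such requests, and the method and path lists are assumptions about what a WAF operator would classify as "WebDAV".

```python
"""Classify Apache access-log lines from a Nextcloud host by whether a
WAF rule that blocks WebDAV would be expected to trip on them.

Added example for this thread; not code from Nextcloud or FortiWeb.
The method set and endpoint prefixes are assumptions to be checked
against your own logs and WAF configuration.
"""
import re
from collections import Counter

# Apache "combined" format up to the response size; referer and
# user agent are left unanchored so partial lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# RFC 4918 WebDAV methods plus REPORT and SEARCH, which Nextcloud's
# DAV stack also uses (assumption: the WAF blocks on method name).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "REPORT", "SEARCH"}

# Path prefixes served by Nextcloud's DAV server (assumption: the WAF
# may also key on the endpoint, not only on the method).
WEBDAV_PATH_PREFIXES = ("/remote.php/dav", "/remote.php/webdav",
                        "/public.php/webdav")


def parse_line(line):
    """Parse one access-log line; return a dict or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return 'webdav-method', 'webdav-path' or 'plain-https'."""
    if entry["method"] in WEBDAV_METHODS:
        return "webdav-method"
    path = entry["path"].split("?", 1)[0]   # ignore the query string
    if path.startswith(WEBDAV_PATH_PREFIXES):
        return "webdav-path"
    return "plain-https"


def summarize(lines):
    """Return ([(method, path, class), ...], Counter of classes)."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue   # skip lines that are not access-log records
        path = entry["path"].split("?", 1)[0]
        rows.append((entry["method"], path, classify(entry)))
    return rows, Counter(cls for _, _, cls in rows)


UA = ('"Mozilla/5.0 (Linux; Android 12; SM-A525F) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36"')

# Constructed sample: the three lines quoted in the thread, followed by
# two invented requests that a public folder share is assumed to make
# (a PROPFIND listing and a file download through public.php/webdav).
SAMPLE_LOG = [
    'X.X.X.X - - [12/Jul/2022:12:01:43 +0400] "GET /s/HF74XWk7qCfRqLK HTTP/1.1" 200 7816 "-" ' + UA,
    'X.X.X.X - - [12/Jul/2022:12:01:43 +0400] "GET /cron.php HTTP/1.1" 200 20 "-" ' + UA,
    'X.X.X.X - - [12/Jul/2022:12:01:44 +0400] "GET /ocs/v2.php/apps/text/public/workspace'
    '?path=%2F&shareToken=HF74XWk7qCfRqLK HTTP/1.1" 404 114 "-" ' + UA,
    'X.X.X.X - - [12/Jul/2022:12:01:45 +0400] "PROPFIND /public.php/webdav/ HTTP/1.1" 207 1432 "-" ' + UA,
    'X.X.X.X - - [12/Jul/2022:12:01:46 +0400] "GET /public.php/webdav/report.pdf HTTP/1.1" 200 52310 "-" ' + UA,
]

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_LOG)
    for method, path, cls in rows:
        print(f"{cls:14} {method:9} {path}")
    print(dict(counts))
```

Run it against a real access log (one line per list element) and compare the `webdav-method` and `webdav-path` rows with what the browser's network panel shows while opening the share link; those are the requests the WAF has to be taught to allow, and the `plain-https` rows are the ones a WebDAV block should not touch.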

No, I don’t think so. WebDAV is essential to many Nextcloud functions.

In that case, I would say your security policy is probably incompatible with Nextcloud and needs to be revised.


But I don’t use sync functions, I only need to share files (directories) with web browsers.

For testing you can rename remote.php to remote-no-function.php. I think it is the option to deactivate WebDAV, but I think Nextcloud would not work correctly.

I don't know why WebDAV is seen as a security risk. That is complete nonsense. If the data exchange is the problem, then HTTP(S) would have to be completely prevented. If you have a problem with WebDAV security issues, ask the Nextcloud community why there is no security issue for Nextcloud and WebDAV is used in Nextcloud. Thousands of developers are wrong? I think not.


I see it more or less the same way. I don’t think that blocking or disabling WebDAV will significantly increase the overall security of your Nextcloud instance. I mean you can’t really do anything via WebDAV that you couldn’t do via the web interface.

If security really is such a big concern, you might want to think about not making Nextcloud accessible from outside your network at all, or only via a VPN connection, which would actually decrease potential attack vectors significantly.


Maybe you can better use small tools like https://tinyfilemanager.github.io/.

For security reasons, do the following in Tiny File Manager:

disable online viewer: $is_onlineViewer = false;
disable user authentication: $use_auth = false;
set .htaccess for good user authentication
use HTTPS
implement .htaccess and php-script outside the data dir
allow only upload of a positive suffix list, e.g. .txt, .jpg, ...
disallow execution of scripts, e.g. PHP, in the data directory

I think the more likely scenario is just that the network admin is unwilling or unable to configure the filter as needed for Nextcloud to work.

If all you need to do is share files in the browser, and that feature doesn’t use WebDAV, then you should currently have no issue. Right?