Desktop Client: Access Denied with code 510

On a new nextcloud installation, I have a problem with the desktop client.

Nextcloud version: 16.0.1
Desktop OS: Manjaro 18.0.4
Nextcloud desktop client: 2.5.2git

I put files in my local nextcloud folder and the client started syncing. In the log-window I get loads of error messages like these:

The nextcloud server log doesn’t show any error messages.

The server logfile shows loads of error messages like this:

[Thu Jun 27 06:21:06.574820 2019] [:error] [pid 14512] [client 92.248.xx.xx] 
ModSecurity: Access denied with code 510 (phase 1). 
Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. 
[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] 
[line "84"] [id "960904"] [rev "2"] 
[msg "Request Containing Content, but Missing Content-Type header"] 
[severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "mydomain.at"] 
[uri "/cloud/remote.php/dav/uploads/myusername/1832646546/00000000"] [unique_id "XRREMn8AAAEAADiwt9EAAAAB"]

After multiple attempts, the desktop client is able to sync some of the files. After one day, almost half of the files (some hundred) got uploaded.

Uploading through the web interface works without errors.

I did search for the error messages online but couldn’t find anything useful. Does someone have a hint for me?

You should review your modsecurity rules. I’d try first without modsecurity at all if the client works properly. I’m not sure if there is an official rule set, I found two links to virtual machines where it seems to be used:

https://ownyourbits.com/2017/03/23/modsecurity-web-application-firewall-for-nextcloud/

Thank you very much!

I was able to disable a specific ModSecurity Rule on my hosted server, and for now it seems to be a solution.

Apparently it is the forceRequestBodyVariable Rule with ID 960904.

It could be that my webhoster is very strict with security rules, but maybe this is also an opportunity to change the desktop client to not violate against this issue?

Usually such a rule set comes with some default settings which might or might not be suitable for a specific application. I don’t know enough of the client-server communication to tell if this behaviour is required and the rule must be disabled.