Nextcloud version (eg, 12.0.2): 12.0.4
Operating system and version (eg, Ubuntu 17.04): Debian 9.3.0
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.25
PHP version (eg, 7.1): FPM 7.0.27
The issue you are facing:
On my Apache I generally use Basic Auth. So if you browse to https://myserver you will be challenged by a Basic Auth request. I run Nextcloud on ://myserver/cloud. For this directory I disabled Basic Auth by using “Satisfy any” + “Allow from all” as recommended. Generally this is working. If I browse (in a fresh browser) to ://myserver/cloud I get no Basic Auth request and can log in normally to Nextcloud. The login is fast and nice. BUT if I first browse to ://myserver and type in my Basic Auth login and after THAT navigate to ://myserver/cloud the login is very slow. This is because Nextcloud is trying to use the Basic Auth data I typed in before on the website root. I also enabled logging for Nextcloud to a file (log level 2). There I can see that on refresh of the login page it tries to log in with my Basic Auth user.
This is problematic in many ways. First, it makes the login very slow and uncomfortable. But I also want to use fail2ban to secure Nextcloud. But if the log is being spammed by these failed login attempts from the Basic Auth info, this doesn’t really work.
Also this means that if I create the same user as used for Basic Auth with the same password in Nextcloud, I can’t log out and log in as another user if I authed before with Basic Auth on the root page. As soon as I do, I’m logged in again because of the Basic Auth data.
My question is: How can I tell Nextcloud to stop trying to use my Basic Auth data from other directories on my Apache?
I use PHP-FPM and therefore mod_proxy_fcgi, not mod_php. Also I use fail2ban for security for apache-auth and nextcloud. Here are my Apache-Sites:
01_redirect_https.conf

```apache
<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyVia On
    <Proxy *>
        AddDefaultCharset off
        Allow from all
    </Proxy>
</IfModule>
ServerAdmin myserver@mydomain.de
Listen 80
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_URI} !^/server-status
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    <Location /server-status/>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Satisfy Any
        Allow from 127.0.0.1
    </Location>
</VirtualHost>
```
02_https.conf

```apache
<IfModule ssl_module>
    Alias "/cloud" "/var/www/html/cloud/"
    Alias "/" "/var/www/html/"
    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName my.server.com
        ServerAlias myserver
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/apache2/my.server.com.crt
        SSLCertificateKeyFile /etc/ssl/apache2/my.server.com.key
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        FilterProvider gzdeflate DEFLATE "%{Content_Type} = 'text'"
        <IfModule mod_proxy_fcgi.c>
            <Proxy "unix:/var/run/php/php7.0-fpm.sock|fcgi://php7.0-fpm">
                # we must declare a (any) parameter in here
                # or it won't register the proxy ahead of time
                ProxySet disablereuse=off
            </Proxy>
            <FilesMatch "^/(.*\.php(/.*)?)$">
                SetHandler proxy:fcgi://php7.0-fpm
            </FilesMatch>
        </IfModule>
        <IfModule mod_authnz_external.c>
            AddExternalAuth pwauth /usr/sbin/pwauth
            SetExternalAuthMethod pwauth pipe
            AddExternalGroup unixgroup /usr/sbin/unixgroup
            SetExternalGroupMethod unixgroup environment
        </IfModule>
        <Directory /var/www/html>
            SSLRequireSSL
            Options Indexes FollowSymLinks
            Order deny,allow
            Allow from all
            AuthType Basic
            AuthName "This is private"
            AuthBasicProvider external
            AuthExternal pwauth
            GroupExternal unixgroup
            Require user daily
        </Directory>
        Include sites-available/05_cloud.include
    </VirtualHost>
</IfModule>
```
05_cloud.include

```apache
<Location /cloud>
    SSLRequireSSL
    SetEnvIf REQUEST_URI ^/cloud/* noauth=1
    Satisfy any
</Location>
<Directory /var/www/html/cloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
    SetEnv HOME /var/www/html/cloud
    SetEnv HTTP_HOME /var/www/html/cloud
    Satisfy Any
</Directory>
```
Is this the first time you’ve seen this error? (Y/N): Y (but I’m new to Nextcloud so…)
Steps to replicate it:
- Use Basic Auth on /
- Disable Basic Auth on /cloud/
- Login on /
- browse to /cloud/
The output of your Nextcloud log in Admin > Logging:
I see the failed login attempts
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
```php
<?php
$CONFIG = array (
  'instanceid' => '*****',
  'passwordsalt' => '****',
  'secret' => '****',
  'trusted_domains' =>
  array (
    0 => 'myserver',
  ),
  'datadirectory' => '/mnt/raid1/cloud/data',
  'overwrite.cli.url' => 'https://myserver/cloud',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'cloud',
  'dbpassword' => '*****',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'log_type' => 'file',
  'logtimezone' => 'Europe/Berlin',
  'logfile' => '/var/log/nextcloud/cloud.log',
  'loglevel' => 2,
);
```
The output of your Apache/nginx/system log in /var/log/____:
Nothing
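
Added example, not part of the original post: the behaviour described above matches how Basic credentials are scoped in RFC 7617 section 2.2, where a client may resend them without a new challenge to every URL under the path it authenticated at. The Python sketch below models that rule and shows what the application behind Apache can read from the replayed header; the `/private/` path and the password are constructed values, and the host and user name are taken from the post.

```python
"""Added example: RFC 7617 section 2.2 authentication scope for Basic credentials."""
import base64
from urllib.parse import urlsplit


def auth_scope(authenticated_url):
    """Scope = the URL with everything after the last '/' of the path removed."""
    u = urlsplit(authenticated_url)
    path = u.path or "/"
    return (u.scheme, u.netloc.lower(), path[: path.rfind("/") + 1])


def sends_preemptively(authenticated_url, target_url):
    """True if a client following RFC 7617 may attach the cached credentials
    to target_url without being challenged again."""
    scheme, host, prefix = auth_scope(authenticated_url)
    t = urlsplit(target_url)
    same_origin = (t.scheme, t.netloc.lower()) == (scheme, host)
    return same_origin and (t.path or "/").startswith(prefix)


def basic_header(user, password):
    """Authorization header value the browser caches and replays."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """What the application behind the web server can read from that header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample values: '/private/' and the password are made up.
    target = "https://myserver/cloud/index.php"
    for logged_in_at in ("https://myserver/", "https://myserver/private/index.html"):
        print(logged_in_at, "-> header sent to /cloud:",
              sends_preemptively(logged_in_at, target))
    print("application sees:", decode_basic(basic_header("daily", "example-password")))
```

Under this rule `Satisfy any` on `/cloud` only removes the requirement for credentials; it does not stop a browser that authenticated at `/` from sending them.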