Issues with Basic Auth on Parent-Directory

Nextcloud version (eg, 12.0.2): 12.0.4
Operating system and version (eg, Ubuntu 17.04): Debian 9.3.0
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.25
PHP version (eg, 7.1): FPM 7.0.27

The issue you are facing:
On my Apache I generally use Basic Auth. So if you browse to https://myserver you will be challenged by a Basic Auth request. I run Nextcloud on ://myserver/cloud. For this directory I disabled Basic Auth by using “Satisfy any” + “Allow from all” as recommended. Generally this is working. If I browse (in a fresh browser) to ://myserver/cloud I get no Basic Auth request and can log in normally to Nextcloud. The login is fast and nice. BUT if I first browse to ://myserver and type in my Basic Auth login and after THAT navigate to ://myserver/cloud, the login is very slow. This is because Nextcloud is trying to use the Basic Auth data I typed in before on the website root. I also enabled logging for Nextcloud to a file (log level 2). There I can see that on refresh of the login page it tries to log in with my Basic Auth user.

This is problematic in many ways. First, it makes the login very slow and uncomfortable. But I also want to use fail2ban to secure Nextcloud. If the log is being spammed by these failed login attempts from the Basic Auth info, this doesn’t really work.

Also this means that if I create the same user as used for Basic Auth with the same password in Nextcloud, I can’t log out and log in as another user if I authenticated before with Basic Auth on the root page. As soon as I do, I’m logged in again because of the Basic Auth data.

My question is: How can I tell Nextcloud to stop trying to use my Basic Auth data from other directories on my Apache?

I use PHP-FPM and therefore mod_proxy_fcgi, not mod_php. Also I use fail2ban for security for apache-auth and nextcloud. Here are my Apache-Sites:

01_redirect_https.conf

<IfModule mod_proxy.c>
        ProxyRequests Off
        ProxyVia On
        
        <Proxy *>
                AddDefaultCharset off
                Allow from all
        </Proxy>
</IfModule>

ServerAdmin myserver@mydomain.de
Listen 80

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} !on
        RewriteCond %{REQUEST_URI} !^/server-status
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        <Location /server-status/>
                 SetHandler server-status
                 Order Deny,Allow
                 Deny from all
                 Satisfy Any
                 Allow from 127.0.0.1
        </Location>

</VirtualHost>

02_https.conf

<IfModule ssl_module>

Alias "/cloud" "/var/www/html/cloud/"
Alias "/" "/var/www/html/"

<VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName my.server.com
        ServerAlias myserver

        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/apache2/my.server.com.crt
        SSLCertificateKeyFile /etc/ssl/apache2/my.server.com.key
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        FilterProvider gzdeflate DEFLATE "%{Content_Type} = 'text'"

        <IfModule mod_proxy_fcgi.c>
                <Proxy "unix:/var/run/php/php7.0-fpm.sock|fcgi://php7.0-fpm">
                        # we must declare a (any) parameter in here
                        # or it won't register the proxy ahead of time
                        ProxySet disablereuse=off
                </Proxy>

                <FilesMatch "^/(.*\.php(/.*)?)$">
                        SetHandler proxy:fcgi://php7.0-fpm
                </FilesMatch>
        </IfModule>

        <IfModule mod_authnz_external.c>
                AddExternalAuth pwauth /usr/sbin/pwauth
                SetExternalAuthMethod pwauth pipe
                AddExternalGroup unixgroup /usr/sbin/unixgroup
                SetExternalGroupMethod unixgroup environment
        </IfModule>

        <Directory /var/www/html>
                SSLRequireSSL
                Options Indexes FollowSymLinks
                Order deny,allow
                Allow from all
                AuthType Basic
                AuthName "This is private"
                AuthBasicProvider external
                AuthExternal pwauth
                GroupExternal unixgroup
                Require user daily
        </Directory>

        Include sites-available/05_cloud.include

</VirtualHost>

</IfModule>

05_cloud.include

<Location /cloud>
        SSLRequireSSL
        SetEnvIf REQUEST_URI ^/cloud/* noauth =1
        Satisfy any
</Location>

<Directory /var/www/html/cloud/>

        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
                Dav off
        </IfModule>

        SetEnv HOME /var/www/html/cloud
        SetEnv HTTP_HOME /var/www/html/cloud

        Satisfy Any

</Directory>

Is this the first time you’ve seen this error? (Y/N): Y (but I’m new to Nextcloud so…)

Steps to replicate it:

  1. Use Basic Auth on /
  2. Disable Basic Auth on /cloud/
  3. Login on /
  4. Browse to /cloud/

The output of your Nextcloud log in Admin > Logging:
I see the failed login attempts

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '*****',
  'passwordsalt' => '****',
  'secret' => '****',
  'trusted_domains' =>
  array (
    0 => 'myserver',
  ),
  'datadirectory' => '/mnt/raid1/cloud/data',
  'overwrite.cli.url' => 'https://myserver/cloud',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'cloud',
  'dbpassword' => '*****',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'log_type' => 'file',
  'logtimezone' => 'Europe/Berlin',
  'logfile' => '/var/log/nextcloud/cloud.log',
  'loglevel' => 2,
);

The output of your Apache/nginx/system log in /var/log/____:

Nothing

Hello,
is there any solution for this?
I have the same problem using Nextcloud 19.0.1

@tuxathome
Why do you not use a virtual webserver cloud.domain.tld?
Then you get no problems.

Not tested.

AuthType Basic
AuthName "NO PUBLIC ACCESS"
AuthUserFile /xxx/.htpasswd

SetEnvIf REQUEST_URI "(var/www/html/nextcloud/)$" ALLOW

<RequireAny>
  Require env ALLOW
  Require valid-user
</RequireAny>

https://stackoverflow.com/questions/8697706/exclude-one-folder-in-htaccess-protected-directory

Hello devnull,

I am just a noobie to Apache and I don’t really know what you mean by “virtual webserver”, sorry.

I still think that there is a problem with the Nextcloud app, because I don’t have such issues with ownCloud and the same Apache config.

In Apache2 you can configure name-based subdomains like www.domain.tld or cloud.domain.tld. This could solve your problem.

OK. Then compare the configs. Perhaps you can upload them to PasteBin or your ownCloud/Nextcloud and post the links.

Thanks for your suggestions.

I’ve read an article about “name-based…” and tried that.
This works very well and I also find this way very charming for me.

So I will use it that way.

Thanks again and have a nice day.
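
The name-based virtual host split that resolved this thread, sketched as an added example (not a config posted by anyone above). Browsers cache Basic Auth credentials per origin (scheme, host, port), so a second hostname never receives the credentials entered on the first. The hostname cloud.my.server.com and its certificate paths are assumptions; the remaining directives are taken from the original poster's config.

```apache
# Added example. Hostname cloud.my.server.com and its certificate
# paths are assumptions; adjust to your own DNS names and files.

# Vhost 1: the existing site, still protected by Basic Auth.
<VirtualHost *:443>
    ServerName my.server.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/my.server.com.crt
    SSLCertificateKeyFile /etc/ssl/apache2/my.server.com.key

    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe

    <Directory /var/www/html>
        AuthType Basic
        AuthName "This is private"
        AuthBasicProvider external
        AuthExternal pwauth
        Require user daily
    </Directory>
</VirtualHost>

# Vhost 2: Nextcloud on its own hostname, with no Basic Auth at all.
# Nextcloud's own login form is the only authentication here.
<VirtualHost *:443>
    ServerName cloud.my.server.com
    DocumentRoot "/var/www/html/cloud"

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/cloud.my.server.com.crt
    SSLCertificateKeyFile /etc/ssl/apache2/cloud.my.server.com.key

    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/php/php7.0-fpm.sock|fcgi://localhost"
    </FilesMatch>

    <Directory /var/www/html/cloud>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

With this layout the new hostname must also be listed in `trusted_domains` in config.php, and `overwrite.cli.url` should point at it. Because /var/www/html/cloud still sits inside the first vhost's DocumentRoot, moving Nextcloud outside /var/www/html keeps it from being served under both names.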