Login Flow Issue behind Reverse Proxy

Hello,

I got a weird login error that seems to affect only Login Flow V1. I can log in on the desktop on Nextcloud 16 and onwards (tested 14 and up) through Flow V2. The ownCloud client also works; it seems to use a legacy URL instead of app tokens.

It seems to be a redirection problem: if I log on via a client I can enter credentials to authenticate. An app token is also created for each login attempt, but the client doesn't get the information that the login succeeded. After a login attempt I am back at the main Nextcloud login, can log in and browse through Nextcloud in the webview like in a normal browser.

It seems that the URL is invalid and I am redirected to the login page.

The Login Flow Documentation wants this URL style:
nc://login/server:&user:&password:

but the URL (httpd log) is the following:
GET /testcloud&user:admin&password:3pLqM1VTSEq6Gn1C96UXrQldQlUQYg3PvhXReingeJCPhZ26k5DeGarJEzrQ0efv6E9jRyww HTTP/1.1" 302 - "-"

Server Configuration:
Client Android (uses flow v1) -> Pound Reverse Proxy for https -> Nextcloud on FreeBSD (FAMP)

My Config.php:
<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\OC\Memcache\APCu',
  'passwordsalt' =>
  'secret' =>
  'trusted_domains' =>
  array (
    0 => 'secure.host.de',
  ),
  'datadirectory' => '/home/www/nextcloud_data',
  'dbtype' => 'mysql',
  'version' => '18.0.3.0',
  'overwrite.cli.url' => 'https://secure.host.de',
  'dbname' => 'NextcloudDB',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextclouduser',
  'dbpassword' =>
  'installed' => true,
  'instanceid' =>
  'logtimezone' => 'Europe/Berlin',
  'log_type' => 'file',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  # 'htaccess.RewriteBase' => '/testcloud', results on Error 403
  'overwriteprotocol' => 'https',
  'overwritehost' => 'secure.host.de',
  'overwritewebroot' => '/testcloud',
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED',
    1 => 'HTTP_FORWARDED_FOR',
  ),
  'updater.secret' => '$2y$10$AMGG2FG4qSGQ4BD1pXDRsuJDirlyE3VNoi.JkpGAz80HwsNIEwTOy',
  'maintenance' => false,
);

Maybe anyone has an idea for this, thanks in advance :)

Hello,

we are facing the same issue with a similar setup using Nextcloud 18.0.3:

/var/log/apache2/access.log:8.8.8.8 - - [20/Apr/2020:20:13:07 +0200] "GET /nextcloud&user:username1&password:9aD2x7vAgXbY0lmU2eGOTX HTTP/1.1" 404 276 "-" "Oneplus A0001 (Android)"
/var/log/apache2/access.log:8.8.8.8 - - [20/Apr/2020:20:13:11 +0200] "GET /nextcloud&user:username2&password:qMyBIDIcAZOuNdIzJg6X1zdY5 HTTP/1.1" 404 276 "-" "Oneplus ONE A2003 (Nextcloud Talk)"

I can only second the OP … any ideas?
Best,
Chris

Hello Pilzi,

Can you post your Pound config and a complete Apache access log from the login?
It seems that my HTTP basic authentication header is missing:
10.3.0.5 - - [04/Jun/2020:09:40:25 +0200] "HEAD /testcloud/remote.php/webdav/ HTTP/1.1" 401 - "-" "Mozilla/5.0 (Android) Nextcloud-android/3.12.0 RC2"

versus

89.20.21.45 - test [04/Jun/2020:07:56:56 +0000] "HEAD /remote.php/webdav/ HTTP/1.1" 200 1173 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.12.0 RC2"

I suspect that this is a problem in Pound.

I also get this message in my nextcloud.log:
"Message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured"

Add this to the HTTP/HTTPS listener in Pound:

#Disable rewriting location headers from backend for nextcloud
RewriteLocation 0

Thank you very much, this setting was misconfigured!

For anyone interested: RewriteLocation 0 and 2 both work.
This problem is caused by Nextcloud sending an outgoing request with nc://.
With RewriteLocation 1 this is going to be edited. That's also the reason why it's working flawlessly with Login Flow v2.

Hello. Can you write exactly in which file this parameter has to be changed?
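
The access-log lines quoted in this thread show what the mangled Login Flow v1 redirect looks like on the server side: the app password ends up in the request path. The following is an added example, not part of any post in the thread, that finds such lines in an access log and redacts the password before the log is shared. The sample lines, the function names and the regular expression are constructed for illustration.

```python
import re

# Request line of a mangled Login Flow v1 redirect, in the shape seen in this thread:
#   GET /<webroot>&user:<login>&password:<app password> HTTP/1.1
LEAK = re.compile(
    r'(?P<method>GET|HEAD|POST) (?P<webroot>/[^\s&?]*)'
    r'&user:(?P<user>[^&\s]+)&password:(?P<secret>\S+)'
    r' HTTP/\d(?:\.\d)?["\u201d]?\s+(?P<status>\d{3})'
)
STAMP = re.compile(r'\[([^\]]+)\]')  # first [...] field, the timestamp in Apache logs

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '203.0.113.7 - - [20/Apr/2020:20:13:07 +0200] "GET /nextcloud&user:alice'
    '&password:EXAMPLE-APP-PASSWORD-1 HTTP/1.1" 404 276 "-" "Example (Android)"',
    '203.0.113.7 - alice [20/Apr/2020:20:14:00 +0200] '
    '"HEAD /nextcloud/remote.php/webdav/ HTTP/1.1" 200 1173 "-" "Example (Android)"',
    'GET /testcloud&user:bob&password:EXAMPLE-APP-PASSWORD-2 HTTP/1.1" 302 - "-"',
]

def find_leaks(lines):
    """Return one record per log line that carries an app password in the path."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LEAK.search(line)
        if not m:
            continue
        ts = STAMP.search(line)
        hits.append({
            "line": lineno,
            "time": ts.group(1) if ts else None,  # None if the line has no timestamp
            "webroot": m.group("webroot"),
            "user": m.group("user"),
            "status": int(m.group("status")),
        })
    return hits

def redact(line):
    """Replace the leaked app password with a marker; other lines pass through."""
    m = LEAK.search(line)
    if not m:
        return line
    start, end = m.span("secret")
    return line[:start] + "[REDACTED]" + line[end:]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE):
        print(hit)
    for line in SAMPLE:
        print(redact(line))
```

Each hit names a user and time for which an app token was written to the log in clear text; such tokens can be revoked in that user's Nextcloud security settings once the proxy is fixed.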