Login page broken

EDIT: problem solved

Had a line break in the STS header because I uncommented without thinking and being a newbie.

#####################################################
New install
NC 13.0.2.1
Ubuntu 18.04 server
nginx 1.14.0
php 7.2

Older discarded server
NC 12.?
Xubuntu 16.04
nginx ?
php 7.0

NOTE: IT WORKED PERFECTLY FOR A FEW HOURS.

with firefox console:

“loading of the < script > with source … has failed.”

Did a fresh setup of my media server but the login screen broke. I used NC12 before, which unfortunately also broke in the same manner and which I then completely discarded. It broke after a reboot, but nginx had been restarted many times before that and the last reboot was only an hour off or something like that. The permissions and ownership are set correctly with www-data:www-data 775 for /var/www/* and the nextcloud data folder. Nginx uses the default www-data. The nextcloud.log is empty and the nginx error.log doesn’t report anything on this issue either. The mobile app and desktop client stay operational. Aside from the less flattering appearance, the login button doesn’t work.

nginx.conf has been modified to disable server tokens, enable multi accept and workers from auto to 4.

/7.2/fpm/php.ini has been modified to enable opcache according to what nextcloud recommends.

No caching server, as I was uncertain of what might have broken my last server setup.

Can also remember uncommenting an env[PATH] somewhere because nextcloud returned an error under basic settings.

The nginx configuration is made up of an enabled main config which then includes some snippets. The nextcloud snip is ripped from the NC13 admin manual nginx configuration but simply misses the head.

main:

    server {
      listen 80;
      listen [::]:80;
      server_name XXX;

      if ($host = XXX) {
        return 301 https://$host$request_uri;
      }
      if ($host = XXX) {
        return 301 https://$host$request_uri;
      }
    }

    server {
      listen 443 default_server ssl http2;
      listen [::]:443 default_server ssl http2;
      server_name XXX;
      ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # managed by Certbot
      ssl_dhparam /etc/ssl/certs/dhparam.pem;

      ssl_protocols TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_ecdh_curve secp384r1;
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off;
      ssl_stapling on;
      ssl_stapling_verify on;

      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;

      root /var/www;

      location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
      }

      location ~ /\.ht {
        deny all;
      }

      location ^~ /info.php {
        return 403;
      }

      location ^~ /test.php {
        return 403;
      }

      #include /etc/nginx/sites-available/emby;
      include /etc/nginx/sites-available/nextcloud;
      #include /etc/nginx/sites-available/transmission;
    }

nextcloud:

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/nextcloud/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location /.well-known/acme-challenge { }

    location ^~ /nextcloud {

        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        location /nextcloud {
            rewrite ^ /nextcloud/index.php$uri;
        }

        location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi.conf;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }

        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
            add_header Strict-Transport-Security "max-age=15768000;
            includeSubDomains; preload;";
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
            access_log off;
        }
    }

small edit on fastcgi include param and proxypass

nextcloud config:

    &lt;?php
    $CONFIG = array (
    'instanceid' =&gt; 'ocp8zmeygme4',
    'passwordsalt' =&gt; XXX,
    'secret' =&gt; XXX,
    'trusted_domains' =&gt;
    array (
    0 =&gt; XXX,
    1 =&gt; XXX,
    ),
    'datadirectory' =&gt; '/srv/nextcloud-data',
    'overwrite.cli.url' =&gt; XXX,
    'dbtype' =&gt; 'mysql',
    'version' =&gt; '13.0.2.1',
    'dbname' =&gt; 'nextcloud',
    'dbhost' =&gt; 'localhost',
    'dbport' =&gt; '',
    'dbtableprefix' =&gt; 'oc_',
    'dbuser' =&gt; 'nextclouduser',
    'dbpassword' =&gt; XXX,
    'installed' =&gt; true,
    'auth.bruteforce.protection.enabled' =&gt; false,
    );

“&gt” is just a copy paste issue.

I had issues with slow login, but with brute force protection disabled it became fast again until it straight up broke.

There is a line break which must not be there.
Also you give a different max-age for hsts in that block than in your main nginx part. I am not sure whether that is a problem, but it doesn’t make any sense.

1 Like

OK, fixed that; mistake made while uncommenting. The documentation also has it on two lines. AND I BE DAMNED IT WORKED! Made it a single line and the HSTS the same. Thank you.

1 Like
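
Added example, not part of the original thread: a small Python check for the two things the reply points out, an `add_header` value broken across lines and differing HSTS `max-age` values between blocks. The sample config is constructed from the directives quoted above, and `lint_add_headers` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the thread's config: the HSTS value in the
# static-asset block is split across two lines and its max-age differs.
SAMPLE_CONF = r'''
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    location ~ \.(?:css|js|woff|svg|gif)$ {
        add_header Cache-Control "public, max-age=15778463";
        add_header Strict-Transport-Security "max-age=15768000;
        includeSubDomains; preload;";
    }
}
'''

# add_header <name> <value>; a quoted value may run over several lines,
# which is the mistake found in the thread. Commented-out lines do not match.
ADD_HEADER = re.compile(
    r'''^[ \t]*add_header\s+(\S+)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s;]+)''',
    re.MULTILINE)

def lint_add_headers(conf):
    """Return (line, header, problem) tuples for one config text."""
    findings, hsts_ages = [], {}
    for m in ADD_HEADER.finditer(conf):
        name, value = m.group(1), m.group(2)
        line = conf.count("\n", 0, m.start(1)) + 1
        if "\n" in value or "\r" in value:
            findings.append((line, name, "value contains a line break"))
        if name.lower() == "strict-transport-security":
            age = re.search(r"max-age=(\d+)", value)
            if age:
                hsts_ages.setdefault(int(age.group(1)), []).append(line)
    if len(hsts_ages) > 1:
        # Line 0 marks a whole-file finding rather than a single directive.
        detail = ", ".join(f"{a} (line {l[0]})" for a, l in sorted(hsts_ages.items()))
        findings.append((0, "Strict-Transport-Security",
                         "inconsistent max-age values: " + detail))
    return findings

if __name__ == "__main__":
    for line, name, problem in lint_add_headers(SAMPLE_CONF):
        print(f"line {line or '-'}: {name}: {problem}")
```

Run it over the main config and each included snippet concatenated into one string, so that `max-age` values from different files are compared with each other.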