Lost my data - Access denied with code 403

josaladino2 · December 16, 2020, 2:37am

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 19.0.6):
Operating system and version (eg, Centos 7):
Apache or nginx version (eg, Apache 2.4.52):
PHP version (eg, 7.4):

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

login into nextcloud
Access Files

The output of your Nextcloud log in Admin > Logging:

There was nothing there.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cl.d4x.biz"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "dbtype": "mysql",
        "version": "19.0.6.2",
        "overwrite.cli.url": "https:\/\/cl.d4x.biz",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "loglevel": 3,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "trashbin_retention_obligation": "auto",
        "versions_retention_obligation": "30, auto",
        "updatechecker": true,
        "theme": "",
        "app_install_overwrite": [
            "admin_notifications",
            "files_readmemd",
            "dashboard",
            "joplin",
            "files_external_gdrive",
            "files_external_dropbox"
        ]
    },

The output of your Apache/nginx/system log in /var/log/____:

Error_log
[Tue Dec 15 19:28:14.223489 2020] [:error] [pid 15987:tid 47366492501760] [client 67.60.168.59:62328] [client 67.60.168.59] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "cl.d4x.biz"] [uri "/remote.php/dav/files/joe/"] [unique_id "X9lwvuqswoJmV4OkecvnoQAAAIU"]
[Tue Dec 15 19:28:14.447785 2020] [:error] [pid 15987:tid 47366492501760] [client 67.60.168.59:62328] [client 67.60.168.59] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "cl.d4x.biz"] [uri "/index.php/apps/files/"] [unique_id "X9lwvuqswoJmV4OkecvnogAAAIU"]

JimmyKater · December 16, 2020, 5:56pm

3 posts were split to a new topic: [desktop client] Kann nicht mehr an meine Schulcloud verbinden

josaladino2 · December 16, 2020, 5:35pm

anyway I can get these in English?

peteman52 · December 16, 2020, 9:18pm

I’m sorry, I didn’t read your post. But my answer would only be relevant to you if you are using “fail2ban” or a similiar tool. Then you should check if your IP is banned und if so unban it.

josaladino2 · December 16, 2020, 10:08pm

Thanks for your response. I don’t use fail2ban.

peteman52 · December 17, 2020, 10:34am

Did you try a Google-Search with

and did you find sth. similiar? It seems to be a problem with mod_security, did you newly enable it?

gas85 · December 17, 2020, 12:53pm

It looks like mode security and it is even saying where it is configured to not allow this request.

josaladino2 · December 17, 2020, 5:46pm

I use cpanel and I wonder if it was enabled by them. I wonder if I can just uninstall it?

josaladino2 · December 17, 2020, 6:01pm

I added this to conf.d/nextcloud.conf to turn off mod_security

josaladino2 · December 17, 2020, 6:25pm

I did a workaround by moving /conf.modules.d/800-mod_security2.conf to .800-mod_security2.conf

Fixed the files not showing up problem but this is no permanent solution.

Any ideas? Can I uninstall modsecurity? Does Nextcloud have a better solution?

Thanks so much for your help.

peteman52 · December 17, 2020, 9:48pm

Maybe this will help you:

Your error-message says:

[Tue Dec 15 19:28:14.223489 2020] [:error] [pid 15987:tid 47366492501760] [client 67.60.168.59:62328] [client 67.60.168.59] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "cl.d4x.biz"] [uri "/remote.php/dav/files/joe/"] [unique_id "X9lwvuqswoJmV4OkecvnoQAAAIU"]

So in file
/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
I would try to disable line 43 [id 911100]
and see what happens.
Also you should of course get in touch with your service provider (cpanel?) . They should be able to help you.