NC12/NGinX: too many redirects

Hi,
I’m a bit lost here - my Nextcloud stopped working, and I can’t find the error…
When I try to open the NC site the browser reports too many redirects - tried Chrome, Opera, Firefox, but all show the same.

The error log has this:
2017/09/29 08:54:23 [error] 3992#3992: *528 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: SCRIPT_NAME in /var/www/nextcloud/lib/base.php on line 140" while reading response header from upstream, client: 109.45.0.148, server: cloud.example.com, request: "GET /status.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "cloud.example.com"
2017/09/29 08:54:24 [error] 3992#3992: *528 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: SCRIPT_NAME in /var/www/nextcloud/lib/base.php on line 140" while reading response header from upstream, client: 109.45.0.148, server: cloud.example.com, request: "PROPFIND /remote.php/webdav/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "cloud.example.com"

Now this hints at the PHP fastcgi config parameters:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

#fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

My server config is copied from the original NC 12 documentation and slightly adapted to my setup, e.g. collabora, Let’s Encrypt, etc.:
server {
listen 443;
server_name cloud.example.com;

access_log  /var/log/nginx/cloud.example.com-access.log;
error_log   /var/log/nginx/cloud.example.com-error.log info;

ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;

# include ssl settings from snippet
include /etc/nginx/snippets/ssl-settings.conf;

# include certbot-snippet
include /etc/nginx/snippets/certbot.conf;

# Add headers to serve security related headers
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
more_clear_headers 'X-Frame-Options';
add_header X-Frame-Options "ALLOW-FROM https://office.example.com/";
add_header Content-Security-Policy "frame-ancestors office.example.com cloud.example.com";

# Path to the root of your installation
root /var/www/nextcloud/;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}

# set max upload size
client_max_body_size 4100M;
fastcgi_buffers 64 4K;
fastcgi_read_timeout 600;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
    rewrite ^ /index.php$uri;

}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    include fastcgi_params;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    #Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js|woff|svg|gif)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    #  includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
}

location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log off;
}

}

Any hints?
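
An added example, not part of the original post: a small Python check that cross-references the `Undefined index` notices in the nginx error log with the `fastcgi_param` directives that are actually in effect. The sample log and config are constructed, abridged from the lines quoted above, and the function names are illustrative.

```python
import re

# Constructed samples, abridged from the error log and fastcgi settings quoted in the post.
ERROR_LOG = '''\
2017/09/29 08:54:23 [error] 3992#3992: *528 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: SCRIPT_NAME in /var/www/nextcloud/lib/base.php on line 140" while reading response header from upstream, request: "GET /status.php HTTP/1.1"
2017/09/29 08:54:24 [error] 3992#3992: *528 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: SCRIPT_NAME in /var/www/nextcloud/lib/base.php on line 140" while reading response header from upstream, request: "PROPFIND /remote.php/webdav/ HTTP/1.1"
'''
FASTCGI_CONF = '''\
fastcgi_param QUERY_STRING $query_string;
#fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
'''

UNDEFINED = re.compile(r'PHP Notice:\s+Undefined index: (\w+)')
REQUEST = re.compile(r'request: "([^"]*)"')
# Captures an optional leading '#' so commented-out directives can be told apart.
PARAM = re.compile(r'^\s*(#?)\s*fastcgi_param\s+(\w+)\s+.+?;', re.M)

def undefined_indexes(log_text):
    """Map each variable PHP reported as undefined to the requests that triggered it."""
    hits = {}
    for line in log_text.splitlines():
        m = UNDEFINED.search(line)
        if m:
            req = REQUEST.search(line)
            hits.setdefault(m.group(1), []).append(req.group(1) if req else "?")
    return hits

def param_state(conf_text):
    """Return {name: 'active' | 'commented'}; an active directive wins over a commented one."""
    state = {}
    for hashed, name in PARAM.findall(conf_text):
        if not hashed:
            state[name] = "active"
        else:
            state.setdefault(name, "commented")
    return state

def diagnose(log_text, conf_text):
    """List (variable, state, requests) for undefined variables nginx is not passing to PHP."""
    state = param_state(conf_text)
    return [(var, state.get(var, "missing"), reqs)
            for var, reqs in sorted(undefined_indexes(log_text).items())
            if state.get(var) != "active"]

if __name__ == "__main__":
    for var, st, reqs in diagnose(ERROR_LOG, FASTCGI_CONF):
        print(f"{var}: fastcgi_param is {st}; seen on {len(reqs)} request(s): {reqs}")
```

On a live system, feed it the vhost error log and the concatenation of `fastcgi_params` plus the PHP `location` block, since directives in either place count as active.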

Hi,

Did you make any (config) changes to the server the last few days?
Could system updates have interfered somehow? Did you try to restart the whole system or was it restarted just before NC stopped working?

I don’t see the “upstream php-handler” in your pasted web-server config. Did you only forget to copy it or is it really missing?

Thanks for replying .-)
As far as I remember I didn’t change a thing, but it has been broken for quite a few days now and I’ve just been too busy to look into the problem. And me getting older doesn’t help remembering :wink:

I restarted the whole stack numerous times (last kernel update was 25 ago), and the other vhosts run smoothly - kolab, collabora, wordpress, mailman, …
My web server is running Debian Linux (stable/stretch), PHP-fpm 7.0.23, PHP-fpm 5.6.30 (because of kolab), MariaDB 10.126, NginX 1.13.3.1, Redis 3.2.6

Upstream config: (forgot pasting)

upstream php-handler {
    server unix:/var/run/php/php7.0-fpm.sock;
}

permissions:
srw-rw---- 1 www-data www-data 0 Sep 20 00:40 /var/run/php/php7.0-fpm.sock