Nginx/php-fpm - Requested URI cannot be (...)

Nextcloud version (eg, 12.0.2): 17.0.2.1
Operating system and version (eg, Ubuntu 17.04): Manjaro Linux (Rolling Release)
Apache or nginx version: nginx / 1.16.1
PHP version: php-fpm 7.3.12

The issue you are facing:

I’ve been fighting this error for a while now, and am starting to give up, as I am at my wit’s end.

Ever since I applied the mitigations in the security advisory, I keep getting an internal server error. Looking up the reqID in data/nextcloud.log shows me this error. Investigation via Google shows similar, while non-helpful (because different origin), messages all over the years, even before NC came to be.

nginx error logs are empty, the only thing I can go by is the nextcloud.log - contents of which I slapped into a pastebin below. I suspect the culprit is somewhere in my nginx config (which can be seen here, please assume a valid SSL cert plus redirects).

I even updated to 17.0.2 via CLI, just to see if this fixes the issue.

Is this the first time you’ve seen this error? : Y

Steps to replicate it:

  1. Install nextcloud with nginx/php-fpm
  2. Apply fixes as mentioned here
  3. restart nginx

The output of your Nextcloud log in Admin > Logging:

Not accessible, see nextcloud.log-excerpt

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '-REDACTED-',
  'passwordsalt' => '-REDACTED-',
  'secret' => '-REDACTED-',
  'trusted_domains' =>
  array (
    0 => 'sub.doma.in',
  ),
  'datadirectory' => '/opt/www/cloud/data',
  'dbtype' => 'pgsql',
  'version' => '17.0.2.1',
  'overwrite.cli.url' => 'https://sub.doma.in',
  'dbname' => 'orly?',
  'dbhost' => '/run/away',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'yarly',
  'dbpassword' => '',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 0,
  'app_install_overwrite' =>
  array (
    0 => 'files_reader',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

Actually EMPTY

You should probably enable logging in your php-fpm pool file (eg /etc/php/7.3/fpm/pool.d/www.conf)
Then uncomment this line:
php_admin_value[error_log] = /var/log/fpm-php.www.log
Make sure it points to an existing file that can be written by the php-fpm user.

Did as you said. Restarted php-fpm, and to be safe, nginx. Still no logs on the PHP side.

Figured I messed up on the file permissions. Checked. Rechecked. And Rechecked.

As I said, I’m at my wit’s end… This |_| close to redoing the whole setup with a fresh install.

-EDIT- Hm, rebooted the server… now I’m getting something else

So I did some initial debugging… (or whatever print_r at the right place is looked at as…)

So far it seems that my configuration (which basically is the standard nginx config recommended by NC) duplicates the $request_uri parameter. At least printing $requestUri in OC\AppFramework\Http\Request->getRawPathInfo() to console shows the value being fed into it duplicated… Which seems to cause weird behaviour…

Still stumped with this issue. I redid the setup completely. Starting over with a fresh config, a test vHost and clean database.

It all boils down to getRawPathInfo having an issue with parsing out the script path from what nginx passes it. It worked before this “urgent fix”. And stopped right after adapting the fix.

Reverting to the original config, it works again. So it must either be some weird corner case, or I’m doing something wrong with applying the “fix”…

I am starting to entertain the thought of just reverting the config and having a security risk sitting in my home office.

So how is the rest of your nginx config? For me it works as it should.

I’ve linked the vHost config above, the nginx config itself is as shipped by Manjaro, just X-Clacks-Overhead added.

That paste seems to have timed out :)

I use large parts of this (I started using these Ansible scripts but have since then made loads of modifications, but these work).

Hm, I really need to dip my toes into something like Ansible.

I think I mentioned as well, that it’s the config from the manual, only extended with a valid LE certificate and my subdomain.

I redid the setup yet again, with the result of my attempts turning my setup into even more of a mush XD

Now I keep getting the doc root mixed into the URLs for assets x_X

-EDIT 2- Clarification:
Now I keep seeing errors like

Refused to execute script from ‘https://sub.doma.in/path/to/webroot/core/js/dist/main.js?v=ba222ded25d957b900c03bef914333cd’ because its MIME type (‘text/html’) is not executable, and strict MIME type checking is enabled.

(Heck I had this one before, but I can’t for the life of me remember WHAT I did to fix it.)

-EDIT-

vHost → https://pastebin.com/2PACKNHZ
fastcgi_params → https://pastebin.com/n0f1kYfg
nginx.conf → https://pastebin.com/msPyEJvQ
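
The mismatch discussed in this thread (the script path has to be a prefix of the request URI that nginx passes along) can be checked offline. The following is an added example, not part of the original posts and not Nextcloud's own code: a simplified Python model of such a check, with the function names, the error wording and all sample FastCGI values constructed for illustration.

```python
import posixpath
import re

class UnprocessableURI(Exception):
    """REQUEST_URI does not live under the directory of SCRIPT_NAME."""

def raw_path_info(server):
    """Simplified model (an assumption, not Nextcloud's code) of deriving the
    path info from the FastCGI params nginx hands to php-fpm."""
    uri = re.sub(r"/{2,}", "/", server.get("REQUEST_URI", ""))  # collapse '//'
    uri = uri.split("?", 1)[0]                                   # drop query string
    script_dir, script_file = posixpath.split(server["SCRIPT_NAME"])
    script_dir = script_dir.rstrip("/")   # "/" (root install) becomes ""
    path_info = uri
    if script_dir:
        # The request must be the script directory itself or something below it.
        if path_info != script_dir and not path_info.startswith(script_dir + "/"):
            raise UnprocessableURI(
                f"requested uri({uri}) cannot be processed by script "
                f"'{server['SCRIPT_NAME']}'")
        path_info = path_info[len(script_dir):]
    front = "/" + script_file
    # Strip the front controller name only on a whole path segment.
    if script_file and (path_info == front or path_info.startswith(front + "/")):
        path_info = path_info[len(front):]
    return path_info

def diagnose(server):
    """Return (ok, detail) for one set of FastCGI params."""
    try:
        return True, raw_path_info(server)
    except UnprocessableURI as exc:
        return False, str(exc)

# Constructed sample parameter sets (hypothetical values).
SAMPLES = {
    "root install": {"REQUEST_URI": "/index.php/apps/files/?dir=/",
                     "SCRIPT_NAME": "/index.php"},
    "subdir install": {"REQUEST_URI": "/nextcloud//index.php/login",
                       "SCRIPT_NAME": "/nextcloud/index.php"},
    "doc root in SCRIPT_NAME": {"REQUEST_URI": "/apps/files/",
                                "SCRIPT_NAME": "/path/to/webroot/index.php"},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        print(label, "->", diagnose(params))
```

Feeding it the REQUEST_URI and SCRIPT_NAME values that php-fpm actually receives (for example from a temporary dump of `$_SERVER`) shows whether a changed `fastcgi_param` or `fastcgi_split_path_info` line made the two disagree.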