No 'Authorization: Basic' header found behind SSLProxy

drohhyn · March 28, 2020, 10:54am

Nextcloud version: 17.0.5
Operating system and version: Debian Stretch 9.12
Apache or nginx version: Apache 2.4.25
PHP version: 7.3.16

The issue you are facing:
When trying to connect from the android app (installed via f-droid.org) on a new amazon fire tablet, the authorization process with QR-code, manually typed in app-password or TOTP password is finished. Afterwards the app goes back to the start screen for entering the account information. I already know, it is because of the following error stated in the logs “Message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured” but I can’t figure out, how to configure my server correctly.
As you can see from the apache config, I already added some rewrite rule suggested in another thread and restarted, but it did not help. I don’t have problems with other clients (desktop on windows/linux, mobile on android/iOS or even thunderbird and DAVx5) but all of them have access since several months. I’ve upgraded from 17.0.2 to 17.04 as always with the 2fa app included some days ago and today to 17.0.5 (in hope to fix the error). The fire tablet is the first new client, so I am unsure when my setup was working properly.

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

See text above: providing credentials in android app => error

The output of your Nextcloud log in Admin > Logging:

{"reqId":"VALIDREQID","level":0,"time":"2020-03-28T10:25:45+00:00","remoteAddr":"IP_OF_REAL_HOST","user":"--","app":"webdav","method":"HEAD","url":"/remote.php/webdav/","message":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured","Code":0,"Trace":[{"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->","args":[{"absoluteUrl":"https://IP_OF_REAL_HOST:PORT/remote.php/webdav/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php","line":105,"function":"call_user_func_array","args":[[{"autoRequireLogin":true,"__class__":"Sabre\\DAV\\Auth\\Plugin"},"beforeMethod"],[{"absoluteUrl":"https://IP_OF_REAL_HOST:PORT/remote.php/webdav/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]]},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":466,"function":"emit","class":"Sabre\\Event\\EventEmitter","type":"->","args":["beforeMethod",[{"absoluteUrl":"https://IP_OF_REAL_HOST:PORT/remote.php/webdav/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]]},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":254,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[{"absoluteUrl":"https://IP_OF_REAL_HOST:PORT/remote.php/webdav/","__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":80,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/nextcloud/remote.php","line":163,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":168,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.11.0","version":"17.0.5.0","id":"asdfID1234"}

Apache Configuration on the proxy

<VirtualHost *:443>
        ServerName c.MYDOMAIN.eu
        ProxyPass / https://IP_OF_REAL_HOST:PORT/
        ProxyPassReverse / https://IP_OF_REAL_HOST:PORT/

        SSLCertificateFile /etc/letsencrypt/live/c.MYDOMAIN.eu/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/c.MYDOMAIN.eu/privkey.pem

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLProxyEngine on
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        SSLProxyCheckPeerExpire On

</VirtualHost>

Apache Configuration on the real host:

<VirtualHost *:8443>
        ServerName c.MYDOMAIN.eu
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/nextcloud
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <IfModule mod_headers.c>
           Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/c.MYDOMAIN.eu/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/c.MYDOMAIN.eu/privkey.pem

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

<Directory /var/www/nextcloud/>
  Require all granted
  Options +FollowSymlinks MultiViews
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

</VirtualHost>

Modules env, rewrite and headers are enabled on the real host.

drohhyn · April 5, 2020, 8:03pm

Nobody any idea yet?

Steel_PC · April 5, 2020, 9:19pm

I don’t know about apache but in nginx I had to add lines for header configurations I think you should look that way.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

drohhyn · April 24, 2020, 9:30am

I am starting to get confused…

I add the following lines in proxy vhost configs:

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options "nosniff"
Header set X-Download-Options "noopen"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set X-Robots-Tag "none"
Header set X-XSS-Protection "1; mode=block"

Which did not change anything. And in addition, I added logforensic to see the headers I get on the real host, e.g. from trying to login with the nextcloud app QR scan

+11420:5ea2ae8f:8|HEAD /remote.php/webdav/ HTTP/1.1|Host:IP_OF_REAL_HOST%3a9443|Authorization:Basic SomeVeryLongTokenWithNumbesAndChars==|User-Agent:Mozilla/5.0 (Android) Nextcloud-android/3.11.0|X-Forwarded-For:IP_OF_REAL_HOST|X-Forwarded-Host:c.MYDOMAIN.eu|X-Forwarded-Server:c.MYDOMAIN.eu|Connection:Keep-Alive
-11420:5ea2ae8f:8

So I DO get Authorization:Basic Headers on the real host’s apache (even before adding the additional headers mentioned above) but the error still occurs and linking the nextcloud app does not work.
Maybe there are some problems with the vhost config of the proxy interfering with the .htaccess file on the real host? Because this file includes stuff like:

SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION

SetEnvIfNoCase Authorization “(.+)” HTTP_AUTHORIZATION=$1

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Download-Options "noopen"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    SetEnv modHeadersAvailable true
  </IfModule>

drohhyn · April 24, 2020, 11:11am

I am starting to believe, the server config is not the problem:

I’ve installed a fresh 18.0.4 on another host, configured an additional vhost on the proxy by copying the .conf-file and modifying the domain name. The fresh nextcloud installation is also configured with the modified vhost copy from the original real host. Setup finished, logging in works and scanning the QR code is successful.
So I updated my original installation to Nextcloud 18.0.4 but still got the same error. Finally I added another user, did NOT ENABLE 2FA and tried the QR code again - it works!

So it seems like something with my 2FA and the App Auth is broken.

Edit: disabling 2FA for my original account did not help…
Edit2: And using the same app with another user on the same server throws the same errors - but everything is working fine!

drohhyn · April 27, 2020, 10:08am

For future reference for all those who find this thread which should not end with “nevermind, I’ve fixed it” but no solution.
I still dont know what caused the problem, but I deactivated 2FA for the whole server, reinstalled the addon, activated 2FA for the server and on my account again and finally was able to connect the android app as always.

So all the apache header settings were correct but already active via htaccess and the real problem was somewhere in the 2FA addon. I am running this server since Nextcloud 10…