Operation is blocked by access control NGINX Proxy Pass

ℹ️ Support
1
Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 24.0.4
Operating system and version (eg, Ubuntu 20.04): Debian 11
Apache or nginx version (eg, Apache 2.4.25): nginx 1.23.1 on server 2, nginx 1.22.0 on Raspberry Pi
PHP version (eg, 7.4): 8.1.9

The issue you are facing:
After I installed the Nextcloud on a new server based on Debian 11, behind a proxy-pass (A Raspberry Pi 4 as proxy-pass and the purpose for proxy-pass is to redirect some services from Raspberry Pi to the new server, as a lack of time to move all of the services to the new server), i can’t upload file larger than about 10 mb/file. I get only Operation is blocked by access control, notification and this issue is very annoying.
Both the server and Proxy-Pass are based on NGiNX.
If I’m using an ipv6 connection that is directly connected to the server2 on which is nextcloud installed, I don’t have this problem.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Configure proxy-pass on Raspberry Pi
  2. Configure NGINX on the second server.
  3. Configure Nextcloud on the second server.

The output of your Nextcloud log in Admin > Logging:

https://pastebin.com/5ZgD4vLX

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'instanceid',
  'passwordsalt' => 'passwordsalt',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'subdomain,
    1 => 'ipv6.subdomain',
    2 => '10.10.10.9',
  ),
  'datadirectory' => '/data/subdomainurl/data',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'overwrite.cli.url' => 'https://subdomain',
  'dbname' => 'cdn',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dbuser',
  'dbpassword' => 'dbpass',
  'installed' => true,
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 1,
  'default_phone_region' => 'RO',
  'mail_from_address' => 'no-reply',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'domain',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp,
  'mail_smtpname' =>'mail',
  'mail_smtppassword' => 'pass',
  'mail_smtpport' => 'port',
  'mail_smtpsecure' => 'ssl',
  'defaultapp' => '“files”',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'trusted_proxies' =>
  array (
    0 => '10.10.10.8',
  ),
  'app_install_overwrite' =>
  array (
    0 => 'registration',
    1 => 'sensorlogger',
  ),
  'updater.secret' => 'secret',
);

The output of your Apache/nginx/system log in /var/log/____:
Server 2:

2022/09/05 01:54:11 [notice] 366204#366204: *3 "^" matches "/csrftoken", client: 10.10.10.8, server: subdomainserver, request: "GET /csrftoken HTTP/1.1", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"
2022/09/05 01:54:11 [notice] 366204#366204: *3 rewritten data: "/index.php/csrftoken", args: "", client: 10.10.10.8, server: subdomainserver, request: "GET /csrftoken HTTP/1.1", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"
2022/09/05 01:54:35 [notice] 366205#366205: *13 "^" matches "/apps/files/ajax/getstoragestats", client: 10.10.10.8, server: subdomainserver, request: "GET /apps/files/ajax/getstoragestats?dir=%2FPI%20RESTANTA%2FPI%2B%2B HTTP/1.1", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"
2022/09/05 01:54:35 [notice] 366205#366205: *13 rewritten data: "/index.php/apps/files/ajax/getstoragestats", args: "dir=%2FPI%20RESTANTA%2FPI%2B%2B", client: 10.10.10.8, server: subdomainserver, request: "GET /apps/files/ajax/getstoragestats?dir=%2FPI%20RESTANTA%2FPI%2B%2B HTTP/1.1", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"

Proxy-Pass access log:

10.10.10.1 - - [05/Sep/2022:02:03:09 +0300] "GET / HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:09 +0300] "GET /apps/files/ HTTP/2.0" 200 11054 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:10 +0300] "GET /robots.txt HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:10 +0300] "GET /apps/files/ HTTP/2.0" 200 11057 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:10 +0300] "GET /ocs/v2.php/search/providers?from=%2Fapps%2Ffiles%2F HTTP/2.0" 200 231 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 81 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "PUT /apps/user_status/heartbeat HTTP/2.0" 200 114 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "GET /ocs/v1.php/apps/files_external/api/v1/mounts?format=json HTTP/2.0" 200 103 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "GET /apps/recommendations/api/recommendations HTTP/2.0" 499 0 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "GET /ocs/v2.php/core/whatsnew?format=json HTTP/2.0" 499 0 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "GET /ocs/v2.php/apps/text/workspace?path=%2F HTTP/2.0" 499 0 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:11 +0300] "PROPFIND /remote.php/dav/files/ugd/ HTTP/2.0" 499 0 "https://subdomainserver/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:18 +0300] "MKCOL /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467 HTTP/2.0" 201 0 "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:20 +0300] "PUT /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/0 HTTP/2.0" 201 0 "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:20 +0300] "PUT /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/10485760 HTTP/2.0" 201 0 "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:20 +0300] "MOVE /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/.file HTTP/2.0" 403 548 "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36" - - - - - - - -
10.10.10.1 - - [05/Sep/2022:02:03:20 +0300] "GET /apps/files/ajax/getstoragestats?dir=%2FPI%20RESTANTA%2FPI%2B%2B HTTP/2.0" 200 194 "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36" - - - - - - - -

Proxy-Pass error log:

2022/09/05 02:03:18 [warn] 2180731#2180731: *1 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000001, client: 10.10.10.1, server: subdomainserver, request: "PUT /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/0 HTTP/2.0", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"
2022/09/05 02:03:20 [warn] 2180731#2180731: *1 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000002, client: 10.10.10.1, server: subdomainserver, request: "PUT /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/10485760 HTTP/2.0", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"
2022/09/05 02:03:20 [error] 2180731#2180731: *1 access forbidden by rule, client: 10.10.10.1, server: subdomainserver, request: "MOVE /remote.php/dav/uploads/ugd/web-file-upload-95e26e2a7bbbc7535a57fe81f5dd3763-1662332598467/.file HTTP/2.0", host: "subdomainserver", referrer: "https://subdomainserver/apps/files/?dir=/PI%20RESTANTA/PI%2B%2B&fileid=167208"

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

https://pastebin.com/N3Re8QZb