Slow WebDAV performance


While the performance with the desktop client is all right, I’m experiencing extremely slow performance when using WebDAV.

Nextcloud version: 11.0.2
Operating system and version: FreeBSD 11.0
Apache or nginx version: nginx 1.11.10
PHP version: 7.0
Is this the first time you’ve seen this error?: no

Can you reliably replicate it? (If so, please outline steps):

Unfortunately, there is nothing that I could see in the logs, but after doing file operations over WebDAV, it takes a long time until a reply comes back. I’m not seeing any error, because it works, but extremely slowly.

Is this a known error with Nextcloud?


Can you confirm if it takes approx 30 seconds before a response? If so then most likely the brute force mechanism got triggered and is slowing down the responses.

You can disable it in the config.php file by adding:

'' => false,

But it would be better to improve the configuration. If you are behind a proxy, you will most likely translate all public IPs to an internal IP, so it will look like only one IP is communicating, causing the brute force mechanism to be triggered.

Add to the config.php the following:

  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED',
  ),

and add to Apache (if you are using Apache) to the virtualhost:

  ProxyVia On
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto 'https' env=HTTPS


Thank you very much for the hint. It definitely looks like I’m hitting the brute force protection. My clients are behind NAT, but none of them is using a web proxy.

I’ve added
'' => false,
but I’m not sure if it’s working. I’m still seeing this error in the log:

{"reqId":"JcezzWUiWpkoLWmclg1o","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T11:21:31+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/dav\/calendars\/ihsan\/inbox\/","user":"--","version":""}

Is there anything else I have to take care of?

You could also manually clear the brute force database table:

For MySQL: TRUNCATE TABLE <PREFIX>_bruteforce_attempts; (where PREFIX is as defined in config.php)

and see what you get in your logs then.

P.S. It was more that the NextCloud is behind a web-proxy (i.e. Apache) but if you have NextCloud directly accessible then those lines for Apache won’t work.


Clearing the database table helped, but it looks like the brute force thingie still isn’t turned off. For testing, I’ve connected with cadaver via WebDAV to my Nextcloud installation. I’ve created a directory “test” and deleted it afterwards.

dav:/owncloud/remote.php/webdav/> mkdir test
Creating `test': succeeded.
dav:/owncloud/remote.php/webdav/> rmcol test
Deleting collection `test': succeeded.

The new directory was created quickly, but deleting it took about two minutes. During this operation, these messages appeared in the log:

{"reqId":"eCqfOytiPHEaSIRSJFuT","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:13+02:00","method":"OPTIONS","url":"\/owncloud\/remote.php\/webdav\/","user":"--","version":""}
{"reqId":"GXYxuSjxd\/OKQkgiJqGU","remoteAddr":"","app":"PHP","message":"inet_pton(): Unrecognized address  at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#113","level":3,"time":"2017-04-11T14:12:13+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/","user":"--","version":""}
{"reqId":"GXYxuSjxd\/OKQkgiJqGU","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:13+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/","user":"--","version":""}
{"reqId":"heMhfX6i3EaswpJV\/wWH","remoteAddr":"","app":"PHP","message":"inet_pton(): Unrecognized address  at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#113","level":3,"time":"2017-04-11T14:12:25+02:00","method":"MKCOL","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"heMhfX6i3EaswpJV\/wWH","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:25+02:00","method":"MKCOL","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"heMhfX6i3EaswpJV\/wWH","remoteAddr":"","app":"PHP","message":"stream_get_contents() expects parameter 2 to be integer, string given at \/usr\/local\/www\/nextcloud\/3rdparty\/sabre\/http\/lib\/Message.php#81","level":3,"time":"2017-04-11T14:12:26+02:00","method":"MKCOL","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"ihsan","version":""}
{"reqId":"bfiSecfD8Nv3R6AzDVd9","remoteAddr":"","app":"PHP","message":"inet_pton(): Unrecognized address  at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#113","level":3,"time":"2017-04-11T14:12:47+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"bfiSecfD8Nv3R6AzDVd9","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:47+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"vIyA0E+jqaI7Wc9Wg6U8","remoteAddr":"","app":"PHP","message":"inet_pton(): Unrecognized address  at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#113","level":3,"time":"2017-04-11T14:12:47+02:00","method":"DELETE","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"vIyA0E+jqaI7Wc9Wg6U8","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:47+02:00","method":"DELETE","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}

And my config.php:

$CONFIG = array (
  'instanceid' => '**********',
  'passwordsalt' => '*************',
  'secret' => '****************',
  '' => 'false',
  'trusted_domains' => 
  array (
    0 => '',
  ),
  'datadirectory' => '/var/nextcloud/data',
  'overwrite.cli.url' => '',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '********',
  'dbpassword' => '******',
  'logtimezone' => 'Europe/Zurich',
  'log_rotate_size' => '104857600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'installed' => true,
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'php',
  'mail_domain' => '',
  'maintenance' => false,
  'loglevel' => 2,
);

Probably something is still not all right.

Besides, even though the “” is set to false, the table again contained entries:

mysql> select * from oc_bruteforce_attempts;
| id | action | occurred   | ip | subnet | metadata   |
|  1 | login  | 1491912505 |    | /128   | {"uid":""} |
1 row in set (0.02 sec)
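
Added example, not part of the thread: a small Python triage of nextcloud.log entries of the kind quoted above, counting entries that carry no client address and grouping Throttler.php warnings by request. The sample lines, reqId values and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the nextcloud.log entries quoted in the thread.
# reqId values and the last two lines are made up for this example.
SAMPLE_LOG = r'''
{"reqId":"req-A","remoteAddr":"","app":"PHP","message":"inet_pton(): Unrecognized address  at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#113","level":3,"time":"2017-04-11T14:12:47+02:00","method":"DELETE","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"req-A","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:47+02:00","method":"DELETE","url":"\/owncloud\/remote.php\/webdav\/test\/","user":"--","version":""}
{"reqId":"req-B","remoteAddr":"","app":"PHP","message":"inet_ntop(): Invalid in_addr value at \/usr\/local\/www\/nextcloud\/lib\/private\/Security\/Bruteforce\/Throttler.php#121","level":3,"time":"2017-04-11T14:12:13+02:00","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/","user":"--","version":""}
{"reqId":"req-D","remoteAddr":"192.0.2.10","app":"PHP","message":"constructed entry with a client address","level":3,"time":"2017-04-11T14:13:00+02:00","method":"GET","url":"\/owncloud\/status.php","user":"--","version":""}
{"reqId":"req-C","remoteAddr":
'''


def parse_entries(text):
    """Yield one dict per JSON log line, skipping blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line must not abort the whole scan
        if isinstance(entry, dict):
            yield entry


def triage(text):
    """Count entries without a client address and group Throttler warnings by request."""
    total = empty_addr = 0
    throttled = {}  # reqId -> HTTP method of the request that hit Throttler.php
    for entry in parse_entries(text):
        total += 1
        if not entry.get("remoteAddr"):
            empty_addr += 1
        if "Bruteforce/Throttler.php" in entry.get("message", ""):
            throttled[entry.get("reqId")] = entry.get("method")
    return {"total": total, "empty_remote_addr": empty_addr, "throttled": throttled}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

When most entries have an empty remoteAddr and the same requests appear under Throttler.php, the throttler is working from a missing client address, which matches the empty ip column in the table above.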

That is strange; also, seeing the subnet, it looks like it is IPv6 that it is logging. Are you using IPv6?

I just double checked my table and I get:

mysql> select * from nc_bruteforce_attempts;
Empty set (0.00 sec)

The problem is I can’t compare it like-for-like since I have an Apache proxy in front of it, which creates the HTTP FORWARDED header entries with the source IP address so I don’t see a single IP address coming in. But even in your case that wouldn’t have since the NAT would still provide 1 single IP towards NC.

Yes, I am using IPv6, but during these tests the clients were connecting only over IPv4.

The strange thing is it doesn’t even show an actual IP address and the subnet mask is an IPv6 one. So for some reason it is seeing a lot of IPv6 connecting, which is causing the brute force mechanism to trigger. That doesn’t explain why disabling isn’t working. It could be a bug.

Any news on this?


I also have problems with WebDAV, like deleting, moving or listing files.

Hi t1omthy:

Last time I solved your issue by installing a Redis server as the file locking cache,

and changing config.php as follows:

  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),


Thanks for your reply. I have both, APU caching and redis locking enabled.

NC11 is not supported any more, please upgrade to a supported version (12 and 13) and see if the error still exists. If bruteforce detection is turned off and there is still activity on the bruteforce tables, there is probably a bug that should be reported to the bug tracker.

I use the latest version of NC, I just do not want to open a new discussion on the same topic.
Brute Force is not the problem.

Except for the webdav performance, is anything similar to your problem (configuration, error messages, …)?


Not at all. I’ve tried many performance tunings.

I have a portable hard drive that boots to Arch Linux on any machine, and I wanted desktop access to my files stored on a nextcloud server on a rPi, but performance was woefully slow to the point of being pointless. This fixed it for me.

Thank you so much.

I also got slow performance on Windows WebDAV.
NC 16.0.4 with php7.3 - SSD - Redis
With Windows Explorer/Cyberduck and others I don’t go beyond 10MB/s, whereas I am on the local network.