Hello all,
Running NextCloud AIO v10.10.0 (Docker, Ubuntu), with OpenID Connect v7.1.0, SSO, EntraID with a Caddy Proxy in front of the default AIO Apache.
Everything was working well until SSO users attempt to log in - they get through all of the EntraID prompts, then the NextCloud interface pops up the "Internal Server Error" message shown below.
Looking in the NextCloud logs I can see “suspicious login” error messages that correlate to every attempt to log in via SSO.
I edited my config.php to include various networks appearing in the configuration errors, modified the caddyfile - but nothing in the environment changed, it just stopped working.
Any assistance appreciated.
Config.php entries:
```php
'trusted_proxies' =>
array (
  0 => '127.0.0.1',
  1 => '::1',
  2 => '172.18.0.0/16',
  3 => '172.16.0.0/12',
),
'forwarded_for_headers' =>
array (
  0 => 'HTTP_X_FORWARDED_FOR',
),
```
Caddyfile:
```
myservername.domain.com {
    reverse_proxy nextcloud-aio-apache:11000 {
        header_up -X-Forwarded-For
        header_up X-Forwarded-For {remote}
        header_up X-Real-IP {remote}
        header_up X-Forwarded-Proto {scheme}
        header_up Host {host}
    }
    log {
        output file /data/logs/nimbus.log
        format json
    }
    encode gzip
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Referrer-Policy "no-referrer"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Permissions-Policy "interest-cohort=()"
    }
}
```
Logfile errors:
```
Warning  suspicious_login  Detected a login from a suspicious login. user=[user@domain.com] ip=127.0.0.1 strategy=ipv4
Error    suspicious_login  could not save the details of a suspicious login
Error    suspicious_login  DbalException An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 7 ERROR: value too long for type character varying(1024)
                           Exception thrown: OC\DB\Exceptions\DbalException
```
Nextcloud Interface Error, user facing:
Internal Server Error
The server was unable to complete your request.
If this happens again, please send the technical details below to the server administrator.
More details can be found in the server log.
Technical details
- Remote Address: 127.0.0.1
- Request ID: 89fJMaeJ0DAuGdUnOydu
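
How a `trusted_proxies` / `forwarded_for_headers` pair like the one posted above is commonly applied to choose the client address that ends up in log lines such as `ip=127.0.0.1`. This is an added example, not part of the original post and not Nextcloud's own code: the right-to-left walk is a simplified model, and `resolve_client_ip`, `is_trusted`, `strip_port` and all sample addresses are constructed for illustration.

```python
import ipaddress

# trusted_proxies exactly as listed in the posted config.php
TRUSTED_PROXIES = ["127.0.0.1", "::1", "172.18.0.0/16", "172.16.0.0/12"]

def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip is a valid address inside any trusted proxy entry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted)

def strip_port(value):
    """Drop a trailing port: '1.2.3.4:5678' or '[2001:db8::1]:443'."""
    value = value.strip()
    if value.startswith("["):
        return value[1:].split("]", 1)[0]
    if value.count(":") == 1:
        return value.split(":", 1)[0]
    return value

def resolve_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Model: honour X-Forwarded-For only when the direct peer is trusted."""
    if not xff or not is_trusted(remote_addr, trusted):
        return remote_addr            # header absent, or peer may be forging it
    # Rightmost entries were appended by our own proxies, so walk right to left
    # and stop at the first valid address that is not one of them.
    for hop in reversed(xff.split(",")):
        ip = strip_port(hop)
        if is_trusted(ip, trusted):
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                  # skip garbage entries
        return ip
    return remote_addr                # every hop was a trusted proxy

if __name__ == "__main__":
    # Constructed (peer address, X-Forwarded-For value) pairs
    samples = [
        ("172.18.0.5", "203.0.113.7:51324"),        # proxy sends host:port
        ("172.18.0.5", None),                       # header never arrived
        ("127.0.0.1", "172.18.0.5, 127.0.0.1"),     # only proxy hops listed
        ("172.18.0.5", "10.9.9.9, 203.0.113.7"),    # client-supplied left entry
        ("198.51.100.9", "10.0.0.1"),               # untrusted peer
    ]
    for peer, header in samples:
        print(f"{peer!s:>14} | {header!s:<24} -> {resolve_client_ip(peer, header)}")
```

In this model the resolved address stays a proxy or loopback address whenever the header is missing or every listed hop falls inside a trusted range.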