Trouble with Nextcloud Caused by WAF

Nextcloud version (eg, 29.0.5): Nextcloud Hub 7 (28.0.10)
Operating system and version (eg, Ubuntu 24.04): replace me
Apache or nginx version (eg, Apache 2.4.25): Linux version 4.18.0-553.8.1.lve.el8.x86_64 (mockbuild@buildfarm06-new.corp.cloudlinux.com) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Thu Jul 4 16:24:39 UTC 2024

PHP version (eg, 8.3): 8.2.21

The issue you are facing:

I am facing issues with the WAF (Web Application Firewall) on my coreserver while using NextCloud. The WAF (Imunify360) is triggered by certain actions, which causes temporary IP address restrictions. This leads to minor errors that disrupt my experience, and the ongoing need to disable the WAF incurs additional overhead.

coreserver is a Japanese hosting service that provides various web hosting solutions. While it is popular in Japan, it may not be widely known internationally.
https://www.coreserver.jp/

Is this the first time you’ve seen this error? (Y/N):

Y

Steps to replicate it:

  1. Use NextCloud to perform routine data synchronization.
  2. Monitor the WAF logs for any triggered events related to NextCloud.
  3. Observe the resulting temporary IP restrictions affecting NextCloud operations.

The output of your Nextcloud log in Admin > Logging:

There’s many error lines, I paste latest few errors.
https://pastebin.com/ebMWtzn4

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'oc5oqfkmcv2p',
  'passwordsalt' => '***************************',
  'secret' => '***************************',
  'trusted_domains' => 
  array (
    0 => '##my_fqdn_##',
    1 => '##my_fqdn_##',
  ),
  'datadirectory' => '/home/##myuserdirectory##/domains/##my_nextcloud_fqdn##/public_html/data',
  'dbtype' => 'mysql',
  'version' => '28.0.10.1',
  'overwrite.cli.url' => 'https://my_nextcloud_fqdn',
  'dbname' => '##my_hosting_userid##_nc1',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'nc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '##my_hosting_userid##_nc1',
  'dbpassword' => '**********************',
  'installed' => true,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => '##hostingnumber##.coreserver.jp',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '587',
  'mail_from_address' => 'noreply',
  'mail_domain' => '##my_fqdn##',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'noreply@##my_fqdn##',
  'mail_smtppassword' => '***************',
  'loglevel' => 2,
  'app_install_overwrite' => 
  array (
    0 => 'libresign',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

Due to being on a shared hosting server, I do not have access to the httpd access logs as per the hosting service’s policy.
I don’t know the version at this time, but I am using LiteSpeed.

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

I paste latest some lines only.
https://pastebin.com/89jAxvPY

issues with WAF providers especially cloudflare are frequently reported. I don’t think there is a way to avoid them. I would first ask your provider to allow the “well-known” FOSS application like Nextcloud in their WAF…

@wwe

Given that this is often reported with Cloudflare, I’ve come to recognize more strongly that it may indeed be a WAF or hosting issue.

I now realize that this is an issue I need to resolve with the hosting service’s support, and I’m continuing to communicate with them.

Actually, I’ve also discovered some new information beyond what I initially posted. Once I’ve gathered more details, I will report back in this thread.

Thank you again!

1 Like

I contacted the core server support, and the following response was provided:

  • Adjust the WAF settings.
  • Set exclusion rules by referring to the logs recorded in the WAF.
  • Alternatively, disable the mode_security settings in Litespeed.

I understood this advice, but I couldn’t confirm the log contents as I had temporarily excluded the problematic files. As a result, no recent errors have occurred.

If the same issue arises again, I will try these recommended settings.

This issue was confirmed to be entirely related to the hosting and WAF settings. I hope this information will help anyone else facing similar trouble in the future.

1 Like

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.