Truecharts + traefik + Multi-Account Containers -> get 401 instead of login form

ℹ️ Support
, , ,
1

Nextcloud version : 28.0.2
Operating system and version : TrueNAS-SCALE-23.10.1.3
Nginx version: 1.25.3
PHP version: 8.2.15
Truecharts nextcloud chart version: 28.1.40
Google Chrome version: 121.0.6167.161
Firefox version: 123.0b9
Firefox Multi-Account Containers plugin version: 8.1.3
Traefik version: 2.10.7

The issue you are facing:

I go to the nx web page and get a 401 response status in the console and Error text on the page without any description. All this happens before even attempting to log in. Basically I go to the login form at “/login” and get a 401 in response instead of the credential form.

If you use http basic auth from Traefik you get 401 status on any requests. In this case work through the plugin (Multi-Account Containers) hangs forever, i.e. nextcloud returns 401 and further, despite any ways of clearing data in the browser.

Is this the first time you’ve seen this error? : Y

Steps to replicate it:

  1. Enable in traefik http basic auth middlewave for nextcloud
  2. Open Firefox
  3. Create and select any container in Firefox Multi-Account Containers
  4. Delete all data and cookies of your web version of nx
  5. Enter your NX domain url in the browser bar
  6. Pass http basic auth (from Traefik)
    After http authorization the request goes to nextcloud server and is expected to receive nextcloud authorization form, but in response I get 401 and nextcloud page with error “Error” without description.
    изображение
    изображение1177×1051 21.5 KB
  7. Open Google Chroom
  8. Delete all data and cookies of your web version of nx
  9. Enter your NX domain url in the browser bar
  10. Pass http basic auth (from Traefik) and get the same result as in step 6.
  11. Disable in traefik http basic auth middlewave for nextcloud
  12. Open Google Chroom
  13. Delete all data and cookies of your web version of nx
  14. Enter your NX domain url in the browser bar - and you get a page with an authorization form - Successful, working.
  15. Open Firefox
  16. Select container in Firefox Multi-Account Containers from step 3
  17. Delete all data and cookies of your web version of nx
  18. Enter your NX domain url in the browser bar - Fail, get the same result as step 6.
  19. Disable Multi-Account Containers plugin or don’t use it
  20. Delete all data and cookies of your web version of nx
  21. Enter your NX domain url in the browser bar - and you get a page with an authorization form - Successful, working.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"PKPirQQ0lLnB6gbXfaiW","level":2,"time":"2024-02-10T17:48:07+06:00","remoteAddr":"192.168.1.1","user":"--","app":"core","method":"GET","url":"/login?clear=1","message":"Login failed: 'aleksei' (Remote IP: '192.168.1.1')","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0","version":"28.0.2.5","data":{"app":"core"},"id":"65c7afc0a113c"}

Nextcloud logs for kubernets pod

2024-02-10 23:25:12.695641+06:00172.16.1.238 - aleksei 10/Feb/2024:23:24:47 +0600 "GET /index.php" 401

Http request log

Request:
GET /login HTTP/2
Host: *sensored*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Authorization: Basic YWxla3NlaTpwbWZTIzUkaXVTVDNCdSYqUyZQMjhNKiplI1N4SnNKJWVIMlE2NjdzYkR2eG5LMlJZa05DRipwQm1uOCp0b3heWF4mN0NK
Connection: keep-alive
Cookie: oc_sessionPassphrase=AS0NjZxt5%2Fl%2Bfp6ecNb6gnOkk%2FU2H13jvE2rBgbGaujWm1amiGA50aKAl7AMQkFVH%2FsoY0qp24MXb%2B5tSOSsENHetRAlszd%2BNgZAe%2BWSlq2HKlHk3Tqpc7sqw1AMt3Nh; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; occbqevzek7l=1783e89351dc4dde8a40ddb998597ed3
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-GPC: 1

Response:
HTTP/2 401 
cache-control: no-store, no-cache, must-revalidate
content-encoding: gzip
content-security-policy: default-src 'self'; script-src 'self' 'nonce-U1c0ZjZKa1J4b3JYdW5ydmJHQmtCV2x3OTROVC9XajBvUDNSZ3RpL3F2dz06TVFvMHZ2NStpT3lGM3lpQ0FqTlVaZ0Fmei9BVXFRV2l3ZGJsMkxudm1MOD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
content-type: text/html; charset=UTF-8
date: Sat, 10 Feb 2024 17:25:12 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: same-origin
set-cookie: occbqevzek7l=de51a1a362348b03db67d718a4481798; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=63072000
vary: Accept-Encoding
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
X-Firefox-Spdy: h2
2

About an hour later, after several computer restarts, the Firefox Multi-Account Containers plugin worked (the bug was gone) and I was able to get the authorization form instead of the 401 status. So I think the main problem was in the http base auth before nx.

3

the problem is likely here. AFAIK there is no way to add additional basic auth in front of Nextcloud internal authentication (and there is definitely no reason to do so)

https://help.nextcloud.com/search?q=basic+auth

4

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.