Two issues: Can't upload files from web interface, can't sync .php files

Nextcloud version (eg, 12.0.2):
17.0.0
Operating system and version (eg, Ubuntu 17.04):
CentOS 7 64-bit
Apache or nginx version (eg, Apache 2.4.25): nginx-1.12.2

PHP version (eg, 7.1):
7.2

The issue you are facing:
(Note: I am posting two back to back topics to describe two separate issues. My apologies if this is bad form; please merge or edit if necessary.)
My documents folder contains .php files. When the desktop client tries to sync these it comes back with the following:
Documents/redacted.php cannot be synced due to an error. See the log for details.
There is no error logged under settings/ administration/ logging in the web interface. There is nothing logged in Nextcloud.log either. Research leads to the File Access Control app, but it’s not even installed. The config.sample.php file has the blacklisted_files option, but it hasn’t been changed from the default:
'blacklisted_files' => array('.htaccess'),
As I’m the only one using this installation, and my data directory is outside the web root, I feel that the risk of malicious actors uploading a php script and somehow getting the server to execute it is near if not zero. Is there a way to disable blocking of .php files?

Is this the first time you’ve seen this error? (Y/N):
Y
Steps to replicate it:

  1. Install Nextcloud under CentOS / Nginx / MariaDB / PHP 7.2
  2. Set up Mac OS client to connect to the admin user
  3. Place a .php file in a synced folder.

The output of your Nextcloud log in Admin > Logging:


No server logs

Everything is working fine

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '***REDACTED***',
  'passwordsalt' => '***REDACTED***',
  'secret' => '***REDACTED***',
  'trusted_domains' => 
  array (
    0 => 'cloud.caturria.ca',
  ),
  'apps_paths' => array(
    array(
      'path' => '/home/nextcloud/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
  ),
  'simpleSignUpLink.shown' => false,
  'datadirectory' => '/home/nextcloud/data',
  'version' => '17.0.0.9',
  'dbtype' => 'mysql',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '***REDACTED***',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'caturria.ca',
  'mail_smtphost' => 'mail.caturria.ca',
  'mail_smtpport' => '587',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'cloud@caturria.ca',
  'mail_smtppassword' => '***REDACTED***',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => [
    'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
    'port' => 6379,
    'timeout' => 0.0,
    'password' => '***REDACTED***', // Optional, if not defined no password will be used.
  ],
  'maintenance' => false,
);

The output of your Apache/nginx/system log in /var/log/____:

99.236.74.213 - - [11/Oct/2019:22:59:14 -0400] "OPTIONS /notifications/hub?id=xD23krUVle-zMg1xXkEYRQ&_=1570849156401 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko)" "-"
99.236.74.213 - - [11/Oct/2019:22:59:14 -0400] "OPTIONS /api/accounts/revision-date HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko)" "-"
99.236.74.213 - - [11/Oct/2019:22:59:14 -0400] "GET /api/accounts/revision-date HTTP/2.0" 200 13 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko)" "-"
99.236.74.213 - caturria [11/Oct/2019:22:59:16 -0400] "PROPFIND /remote.php/dav/files/caturria/ HTTP/1.1" 207 401 "-" "Mozilla/5.0 (Macintosh) mirall/2.6.0stable (build 20190927) (Nextcloud)" "-"
99.236.74.213 - caturria [11/Oct/2019:22:59:17 -0400] "PROPFIND /remote.php/dav/files/caturria/ HTTP/1.1" 207 381 "-" "Mozilla/5.0 (Macintosh) mirall/2.6.0stable (build 20190927) (Nextcloud)" "-"
***Nothing logged in error.log***

I’ve also included the Nginx server block configuration:

server {
    listen 80;
    server_name cloud.caturria.ca;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains;" always;
    add_header Cache-Control "public, max-age=15778463";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    return 301 https://$host$uri;
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/caturria.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/caturria.ca/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains;" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    add_header X-Frame-Options SAMEORIGIN;
    server_name cloud.caturria.ca;
    root /home/nextcloud/nextcloud;
    fastcgi_hide_header X-Powered-By;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    location / {
        rewrite ^ /index.php$request_uri;
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^(.+\.php)(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/php-fpm-cloud.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Lastly, the php-fpm configuration:

[cloud]
user = nextcloud
group = nextcloud
listen = /var/run/php-fpm-cloud.sock
listen.owner = nginx
listen.group = nginx
php_admin_value[session.save_handler] = files
php_admin_value[session.save_path] = /home/nextcloud/.session
php_admin_value[disable_functions] = 
php_admin_value[memory_limit] = 512M
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 10000
php_admin_value[opcache.memory_consumption] = 128
php_admin_flag[opcache.save_comments] = 1
php_admin_flag[opcache.revalidate_freq] = 1
php_admin_value[upload_max_filesize]=1g
php_admin_value[post_max_size]=1g
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /home/nextcloud/nextcloud
clear_env = no

I’ve been attempting to troubleshoot this and researching for the last two days to no avail. Thank you very much for your time.
Thanks,

Jordan.
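
How the `fastcgi_split_path_info` pattern in the server block above divides a request path, next to a non-greedy pattern for comparison. This is an added example, not part of the original post: the request paths are constructed from names in the post, the non-greedy pattern and the `ENTRY_POINTS` set are assumptions, and Python's `re` stands in for nginx's PCRE.

```python
import re

# Pattern from the server block in the post (greedy).
PAGE_SPLIT = re.compile(r"^(.+\.php)(.*)$")
# Non-greedy pattern for comparison (assumption, not from the post).
LAZY_SPLIT = re.compile(r"^(.+?\.php)(/.*|)$")

DOCROOT = "/home/nextcloud/nextcloud"  # 'root' directive in the post
# Front controllers named in the post's config and log (assumed set).
ENTRY_POINTS = {"/index.php", "/remote.php", "/public.php"}

# Constructed request paths using the user and file names from the post.
PHP_UPLOAD = "/remote.php/dav/files/caturria/Documents/redacted.php"
TXT_UPLOAD = "/remote.php/dav/files/caturria/Documents/notes.txt"


def split_path_info(pattern, uri):
    """Mimic fastcgi_split_path_info: capture 1 becomes
    $fastcgi_script_name, capture 2 becomes $fastcgi_path_info."""
    m = pattern.match(uri)
    if m is None:  # no match: the whole URI is the script name
        return uri, ""
    return m.group(1), m.group(2)


def fastcgi_view(pattern, uri):
    """Values nginx would derive for one request path."""
    script, path_info = split_path_info(pattern, uri)
    return {
        # models: fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        "SCRIPT_FILENAME": DOCROOT + script,
        "PATH_INFO": path_info,
        "script_is_entry_point": script in ENTRY_POINTS,
    }


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_SPLIT), ("lazy", LAZY_SPLIT)):
        for uri in (PHP_UPLOAD, TXT_UPLOAD):
            print(name, uri, fastcgi_view(pattern, uri), sep="\n  ")
```

With the pattern from the post, the path ending in `redacted.php` is split so that the synced file's path, not `remote.php`, becomes the script name with an empty `PATH_INFO`; the `.txt` path splits identically under both patterns.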