VirtualHost with Rewrite causing issues with Authentication

Apollo · November 3, 2018, 10:37pm

[details=“Support intro”]
My first personal cloud started with Owncloud and back then users were able to access their contents using the following address style:

“https://domain.com/owncloud”

Then Nextcloud came along.
With the migration from Owncloud to Nextcloud, I had to maintain server configuration as close to the original Owncloud setup and in order to do that I had to make manual changes in several key files. If any of the key files weren’t properly modified, then I would loose access to the server and I had to spend significant amount of time trying to debug the issue.
I am running Nextcloud on Freenas 11-2 within an iocage jail and thanks to Danb35, Freenas users have access to a streamlining script installation available on Git.
As part of the automated install process, I am still required to make adjustment to the config files, before install and to other key files after install has completed in order to get everything back in order.
As the script is being updated on a regular basis, and because the Web update process is not always foolproof due to php dependancies and the like, I need to create a new iocage jail where I can validate if the new install is functional and no hidden issues will arise from the update itself.

I want to make my life easier and for that I need to move away from my current config and stick as much as possible to the default install process.

It would be much easier if I could just perform the install and be done with it but that would require updating all the user’s Windows and android apps to point to just the default domain without entering the “/owncloud” subdirectory.

I have looked at the RewriteRule as one of the solution.

To validate this approach, I have setup two iocage jails one based on the fully customized setup for NC14 and the other using the standard install of NC14.
Only one jail is enabled and running at any one time, because both Nextcloud instances are using the same IP address, domain name, files, db location and contents.

The intent is to prove I can proceed with the migration without causing any access issue for the various users.

The standard install of NC14 will only have the RewriteRule added to it to perform the https redirection.

The commend is written in the “domain.conf” file section of the VirtualHost:

RewriteEngine On
RewriteRule ^/owncloud “https://domain.com/” [R,L]
RewriteCond %{HTTP:Authorization} ^(.)
RewriteRule . - [e=HTTP_AUTHORIZATION:%1]

Restarting the jail and accessing it using the old address with “https://domain.com/owncloud” will work on the web browser redirecting me to the new “https://domain.com/” location.

The problem I am now experiencing is that the Nextcloud app running on Windows and Android and set to point to the old “https://domain.com/owncloud” address is being denied.

When I connect to my account (being the Admin), I see the following information on the top window:

Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.

Under Web interface, I get the following message in the Security section within Personal Settings page:

Basic encryption module

Your private key password no longer matches your log-in password.
Set your old private key password to your current log-in password:

I am not able to update the Private key password.

At this point, I am not sure what to search for.
Did I miss something with the RewriteRule?

Interestingly enough, creating a new Windows App account and using the old address fails to connect but using the new one works.

Any input would be greatly appreciated.

eehmke · November 3, 2018, 11:19pm

This sounds like a bunch of problems. Try to set up a subdomain like

https://cloud.domain.com/

instead of

https://domain.com/owncloud

Not sure what you try to get with the rewrite rules.

Apollo · November 4, 2018, 6:53am

It is.
When I first started I wasn’t really aware of the restriction of the wildcard domain and the original port of owncloud may not have suggested otherwise.
I thought my personal cloud would have been limited to myself but gradually expanded to a few of my far away relatives.

because of it it makes maintenance a bit more challenging.

The RewriteRule, as far as I understand it should allow me to reconfigure my server the way I want without having to affect adversely the users.

The web browser scenario is working for the most part (I will need to validate it more thoroughly) but the Windows app and mobile apps do not behave the way I expect.
The RewriteRule seems to be failing for the App password. If I edit the Windows Nextcloud app user config file, and edit the address within to match the new one, then the app is able to connect properly.
Having proper RewriteRule setup and I should be peachy. until then I will have to keep experimenting, unless someone comes with the solution.

eehmke · November 4, 2018, 1:32pm

I must admit I don’t get it. Why don’t you set up a standard cloud and set up dedicated accounts for your relatives with the proper sharing rules? Btw, is the server located at your home or is it a rented internet server?

Apollo · November 4, 2018, 5:08pm

This is my home server and each user has its own account.
The problem is that the server first came to light as a Owncloud server and the DocumentRoot was relocated into a subfolder. All my users are using the domain name and subfolder to point to the updated Nextcloud server. If I change the domain name then my users can no longer access their account.
The solution is to use the php mod_rewrite library to redirect the request for the server. This is what I am struggling because it works for the web browser but denies access to the Windows and Android apps.

eehmke · November 6, 2018, 4:10pm

I think that changing from www.domain.com/cloud to cloud.domain.com would be acceptable for your users. The passwords and account names would not change.

Apollo · November 7, 2018, 4:18pm

You are missing the point.
User account and password are still the same.
All I need to do is find a way to implement the php rewrite in order to go from the old address and server structure to the new one whithout having to change the Windows or Android account details.

Right now, for a user to access files on a Windows PC, the Nextcloud app is using the current address:

https://mydomain.com/owncloud

If I update the path on my server to be the following:

https://owncloud.mydomain.com or
https://mydomain.com

Then either the Windows app config file “nextcloud.cfg” will need the URL path to be edited manually or the account should be disconnected to then being reconnected again.
On Android, there is no such thing. The account will have to be removed then added again.

Keeping this in mind, I am trying to come to a solution on the server side that will use the new address structure but will be able to understand the the old address so that the app can still connecte without being refused access.

Right now, redirection works in the web browser only and I need to apply the same principle for the mobile and PC applications to work.