Why am I getting a force redirect from HTTP to HTTPS

Espresso_Machine · May 28, 2019, 8:48pm

I have a setup where I have a network with the Nextcloud server and several computers. I have an NGiNX reverse proxy that performs SSL termination for the Nextcloud address and ensures that an HTTPS connection is enforced for parties accessing the server through its domain “nextcloud.server.com”

The issue I am having is that when trying to access the Nextcloud server using its local IP “192.168.1.102” it converts HTTP to HTTPS but the server does not have its own SSL certificate.

I cannot find why it does this forced conversion from HTTP to HTTPS even though I am bypassing the reverse proxy “192.168.1.100”. What am I missing?

.htaccess

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_php7.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //

NGiNX config:

upstream php-handler {
    # server 127.0.0.1:9000;
    server unix:/var/run/php/php7.2-fpm.sock;
}
server {
   # listen 80 default_server; listen [::]:80 default_server; server_name nextcloud.server.com;
    listen 80;
    listen [::]:80;
    # Add headers to serve security related headers Before enabling Strict-Transport-Security headers please read into this topic first. add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about the consequences in https://hstspreload.org/. This option will add the domain to a hardcoded list that is shipped in all major browsers and getting removed from this list could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Path to the root of your installation
    root /var/www/cloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app. Uncomment it if you're planning to use this app. rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; last;
    location = /.well-known/carddav {
      return 301 $scheme://$host/cloud/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/cloud/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon
text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    # Uncomment if your server is build with the ngx_pagespeed module This module is currently not supported. pagespeed off;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to have those duplicated to the ones above) Before enabling Strict-Transport-Security headers please read into this topic first. add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about the consequences in https://hstspreload.org/. This option will add the domain to a hardcoded list that is shipped in all major browsers and getting removed from this list could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Config.php (Nextcloud)

<?php
$CONFIG = array (
  'trusted_proxies' =>
  array (
    0 => '192.168.1.100',
    1 => '192.168.1.102',
  ),
  'instanceid' => 'REDACTED_INFORMATION',
  'passwordsalt' => 'REDACTED_INFORMATION',
  'secret' => 'REDACTED_INFORMATION',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.server.com',
    1 => '192.168.1.102',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'verify_peer_off' => true,
  'dbtype' => 'mysql',
  'version' => '15.0.7.0',
  'dbname' => 'cloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'REDACTED_INFORMATION',
  'dbpassword' => 'REDACTED_INFORMATION',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'REDACTED_INFORMATION',
  'mail_domain' => 'REDACTED_INFORMATION',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'REDACTED_INFORMATION',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'REDACTED_INFORMATION',
  'mail_smtppassword' => 'REDACTED_INFORMATION',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

KristijanZic · May 29, 2019, 2:19am

I don’t know how to config the NGiNX since I don’t use it but I’d bet 100% that the issue would be resolved if you simply configure an SSL certificate.
Just use CertBot (tool for automatic SSL configuration) to issue https://letsencrypt.org/ SSL certificate. It’s free and it works.

This way you’d be able to reach your nextcloud instance over https and your connection would be secure.

Mdoering · May 29, 2019, 7:15am

Like KristijanZic mentioned:
The most effective and secure way to solve it is using a certificate.
All in all you should avoid using http on a webserver whenever it is possible.
For your case I would recommend that you try using a cert, not trying a workaround to get it working via http…yes it is a bit of work, but security is worth it.

Using letsencrypt is a easy and cheap solution for getting it done. There are tons of tutorials in the web how to get it working and implementing it in webservers.
In some cases the certbot engine form letsencrypt wont work (if ISP blocks ports etc.)

In this case, or if you use NC only for intranet solutions, you are also able to think about using openssl.
With openssl you are able to generate certificates by yourself for applying them in webservers.
Also you can generate your CA (Certification-Authority) by yourself. I did it like that for my intranet solution (no access from external (like www) to the server).
Following the steps I did:

Generate a CA via openssl
Saving the CA-Stuff in a VERY secure place (you should save it somwhere you find it and nobody has acceass to; if some bad-boy gets it, he would be able to generate certificates and do MIM-Attacks)
Generate a Cert-Request for your NC-Webserver
Signing the request with your generated CA
Implementing the signed Cert at your NC-Webserver
Deploying the CA to your Browsers (Firefox etc) or Windows-PC’s. That will avoid the “…this site is not trusted…”-stuff in the browsers.

Greetings from Germany

Reiner_Nippes · May 29, 2019, 7:59am

@Espresso_Machine do you have a browser plugin like https everywhere?