This is the first time I'm doing this, please be gentle ;-)
The client is trying to access /var/www/nextcloud/config, which is explicitly denied all access via the .htaccess file in that particular directory.
I noticed this because I also have fail2ban running on the server, and my own IP address kept getting locked out of apache. I noticed the following line in my error.log:
AH01630: client denied by server configuration: /var/www/nextcloud/config
Client version: 2.5.0git
Operating system: Ubuntu 18.04 with GNOME
OS language: English
Qt version used by client package (Linux only, see also Settings dialog):
Client package (From Nextcloud or distro) (Linux only): Launchpad PPA
Installation path of client: /usr/bin/nextcloud
Operating system:
Web server: Apache
Database: MySQL 5.7.24
PHP version: 7.0.32
Nextcloud version: 14.03
Storage backend (external storage):
Web server error log:
Server logfile: nextcloud log (data/nextcloud.log):
The only access I see is to <server>/ocs/v1.php/config. I see this also every 15 minutes with this client, V2.5 on Ubuntu 18.04.
Could you post the log output of the client, and your webserver config?
As for the log, I can't do that right away, since I downgraded to 2.3.3, but the server config file in question is probably the one in the config directory itself:
# line below is for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below is for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>
Somebody on diaspora* found this one after I posted something there:
https://pod.lazyteddy.eu/posts/48948
I'll try to get a logfile later today.
If you mean the file .owncloudsync.log on the client machine, I noticed something weird. The last entries are these:
#=#=#=# Syncrun started 2018-11-14T18:00:58
#=#=#=#=# Propagation starts 2018-11-14T18:00:58 (last step: 889 msec, total: 889 msec)
#=#=#=# Syncrun finished 2018-11-14T18:00:59 (last step: 29 msec, total: 919 msec)
I've confirmed in /var/log/apt/history.log that a few minutes later I upgraded the client to 2.5.0git on this machine. Since then there are no more log entries, but syncing seems fine.
On the server side, this is my config:
<?php
$CONFIG = array (
'instanceid' => 'XXX',
'passwordsalt' => 'XXX',
'secret' => 'XXX',
'trusted_domains' =>
array (
0 => 'XXX',
),
'datadirectory' => 'XXX',
'overwrite.cli.url' => 'XXX',
'version' => '14.0.4.2',
'dbtype' => 'mysql',
'dbname' => 'XXX',
'dbhost' => 'XXX',
'dbtableprefix' => 'oc_',
'dbuser' => 'XXX',
'dbpassword' => 'XXX',
'logtimezone' => 'Europe/Berlin',
'default_language' => 'de',
'htaccess.RewriteBase' => '/',
'share_folder' => '/XXX',
'cron.lockfile.location' => 'XXX',
'tempdirectory' => 'XXX',
'installed' => true,
'mail_domain' => 'XXX',
'trashbin_retention_obligation' => '30,60',
'versions_retention_obligation' => '15,30',
'log_rotate_size' => 104857600,
'activity_expire_days' => 90,
'mail_from_address' => 'XXX',
'mail_smtpmode' => 'smtp',
'enabledPreviewProviders' =>
array (
0 => 'OC\\Preview\\PNG',
1 => 'OC\\Preview\\JPEG',
2 => 'OC\\Preview\\GIF',
3 => 'OC\\Preview\\BMP',
4 => 'OC\\Preview\\XBitmap',
5 => 'OC\\Preview\\TXT',
6 => 'OC\\Preview\\MarkDown',
),
'loglevel' => 2,
'maintenance' => false,
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'localhost',
'port' => 6379,
),
'token_auth_enforced' => true,
'auth.bruteforce.protection.enabled' => true,
'updater.release.channel' => 'stable',
'theme' => '',
'mail_smtpsecure' => 'tls',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'XXX',
'mail_smtpport' => '587',
'mail_smtpname' => 'XXX',
'mail_smtppassword' => 'XXX',
'sentry.dsn' => 'XXX',
'sentry.public-dsn' => 'XXX',
);
No errors there and nothing special in the logs either, but this from Apache:
[Sat Nov 24 07:08:38.511169 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:16:38.526937 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:24:38.545834 2018] [authz_core:error] [pid 17589:tid 140163193386752] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:32:38.539323 2018] [authz_core:error] [pid 17590:tid 140163184994048] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:48:38.519454 2018] [authz_core:error] [pid 17590:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:56:38.515436 2018] [authz_core:error] [pid 17589:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
(So it's every 8 minutes and not 15.)
Since this is over IPv6, the client IP in question is exactly the IP of this Ubuntu machine with the 2.5 client.
Should have started the client with the debug parameters, but I finally figured it out. :)
I noticed a TIMEOUT in the client logs every 8 minutes, and on reconnect I saw the denied line in the Apache logs. I had this vhost running with HTTP/2, so I downgraded to HTTP/1.1 to test this out, and the TIMEOUTs are gone in the client. So far so good.
But every time I start the client there is one new entry in the Apache logs. This does not happen when I pause the sync and let it continue later.
I attach the client debug log from startup here:
debug.log
Server is running Ubuntu 18.04.1 with Apache 2.4.29-1ubuntu4.4.
I see this also; I'm just using the nextcloud:apache docker image, so I don't think this is a configuration issue.
I have just upgraded from NC13 -> 14 -> 15. As soon as I went to 14 I started to see the error and my fail2ban kicked in.
At first I thought it was the admin checks but after seeing this, I think not.
Edit: a bit of playing around (and upgrading the client to 2.5.1git) and it seems like the access attempt happens on client start; as mentioned earlier. I've not noticed during actual syncs (which I had to force).
I see this as well on client version 2.5.1. My setup is: single Nextcloud server, several clients (on different machines).
In my case the message is logged on the server twice, and the messages are triggered by client startup (and startup only).
AH01630: client denied by server configuration: /var/www/html/config
AH01630: client denied by server configuration: /var/www/html/config
I'm getting the same here.
Can reproduce all the time on my Fedora desktop on one folder, happened once on my iOS App (v. 2.22.7.4). So maybe the issue is with nextcloud/server?
@Skomli Disabling HTTP/2 worked for you?
Server version: 15.0.2
Client version:
$ sudo dnf info nextcloud-client
Last metadata expiration check: 3:20:52 ago on Tue Jan 15 16:18:07 2019.
Installed Packages
Name : nextcloud-client
Version : 2.5.1
Release : 1.fc29
Arch : x86_64
Size : 7.5 M
Source : nextcloud-client-2.5.1-1.fc29.src.rpm
Repo : @System
From repo : updates-testing
Client log:
Nextcloud client logoutput
Please be aware that the following log snippet is redacted. The actual usernames, filenames and paths have been replaced by [*PLACEHOLDERS*]
[OCC::WebFlowCredentials::stillValid "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::SyncJournalDb::setErrorBlacklistEntry Setting blacklist entry for "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" 1 "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: " 1547581567 0 1526897146 "fd2c68402c70140160404c8560187d09" "" 0
[OCC::PropagateItemJob::done Could not complete propagation of "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" by OCC::PropagateDownloadFile(0x613330a540f0) with status 3 and error: "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted Item "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" retrieved resulted in "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted Item "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" retrieved resulted in error "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityListModel::addErrorToActivityList Error successfully added to the notification list: "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::WebFlowCredentials::slotFinished request finished
Webserver cfg:
Apache2 Config
# Settings for mod_md
# https://github.com/icing/mod_md
MDomain sub.mydomain.tld
MDMustStaple on
MDPrivateKeys RSA 4096
MDRequireHttps permanent
MDCAChallenges http-01
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
ServerName sub.mydomain.tld
ExtendedStatus on
<VirtualHost *:80>
ServerName sub.mydomain.tld
Redirect permanent / https://sub.mydomain.tld/
</VirtualHost>
<VirtualHost _default_:443>
Protocols h2 http/1.1
ServerName sub.mydomain.tld
ServerAdmin [email protected]
SSLEngine On
Header setifempty feature-policy: "geolocation 'self'; midi 'none'; sync-xhr 'none'; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; fullscreen 'self'; payment 'none'"
Header set Referrer-Policy: "strict-origin-when-cross-origin"
Header set Expect-CT "max-age=0, enforce, report-uri=https://[*REDACTED*].report-uri.com/r/d/ct/enforce"
Alias / "/var/www/nextcloud/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
</Location>
</VirtualHost>
# Recommendations by Mozilla, via https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.34&openssl=1.1.1a&hsts=yes&profile=modern
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Webserver Log:
[Tue Jan 15 19:17:55.077441 2019] [authz_core:error] [pid 4040:tid 140370015000320] [client *.*.*.50:39056] AH01630: client denied by server configuration: /var/www/nextcloud/config
Forgot to ping @rullzer for additional logs.
Let me know if you need more.
Any news on that?
Or workarounds to solve that problem?
To avoid locking from fail2ban you may add
ignoreregex = var/www/nextcloud/config
into /etc/fail2ban/filter.d/apache-auth.conf. For me it worked.
I came to the following findings:
1. The `Require all denied` from the `.htaccess` in `config` is the reason for Apache's log entry
2. There is no client request to `/config`, but `curl <host>/ocs/v1.php/config?format=json` triggers the log
3. It might be a rewrite rule that results in a request being rewritten to `/config`
I can confirm this behavior on my server. The requests sent are (twice!):
GET /ocs/v1.php/config?format=json HTTP/1.0
GET /ocs/v1.php/config?format=json HTTP/1.0
This happens for instance with clients with the User Agent "Mozilla/5.0 (Macintosh) mirall/2.5.2git (build 20190319) (Nextcloud)" and "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)".
It does not feel like a rewrite rule is applied, is it? access.log lists 200 as status message.
Rewrite, not redirect.
This seems to be a configuration issue with Apache. Those are the rewrite rules:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg)$
RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
RewriteCond %{REQUEST_FILENAME} !/remote.php
RewriteCond %{REQUEST_FILENAME} !/public.php
RewriteCond %{REQUEST_FILENAME} !/cron.php
RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
RewriteCond %{REQUEST_FILENAME} !/status.php
RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
RewriteCond %{REQUEST_FILENAME} !/robots.txt
RewriteCond %{REQUEST_FILENAME} !/updater/
RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule . index.php [PT,E=PATH_INFO:$1]
RewriteBase /
<IfModule mod_env.c>
SetEnv front_controller_active true
<IfModule mod_dir.c>
DirectorySlash off
</IfModule>
</IfModule>
</IfModule>
On every request to the Nextcloud server that looks like <host>/ANY.php/config. I can reproduce it with these: /ocs/v1.php/config, /ocs/v2.php/config, /remote.php/config, /index.php/config ... Somehow Apache first tries the filesystem access directly and then redirects to the called PHP script.
This behavior is (most likely) caused by the option PT:
The target (or substitution string) in a RewriteRule is assumed to be a file path, by default. The use of the [PT] flag causes it to be treated as a URI instead. That is to say, the use of the [PT] flag causes the result of the RewriteRule to be passed back through URL mapping, so that location-based mappings, such as Alias, Redirect, or ScriptAlias, for example, might have a chance to take effect.
If, for example, you have an Alias for /icons, and have a RewriteRule pointing there, you should use the [PT] flag to ensure that the Alias is evaluated.
See https://httpd.apache.org/docs/current/rewrite/flags.html#flag_pt
Has anybody an idea how to exclude the directory config from this check, to avoid the log spamming?
Maybe @kesselb or @rakekniven have some idea.
Any progress? I have the same problem with fail2ban.
I was having this problem with NC 16.
I solved it by editing the Apache vhost file, and adding the "Satisfy any" (and maybe the "Require all granted") line to the Directory section.
More details at https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#additional-apache-configurations
Don't know if this applies to earlier versions of NC.
Thanks for info, "Satisfy any" does the job.
@bekon16 Did you use "Require all" AND "Satisfy any" or just the last one?
Probably the last one, I don't remember exactly, but I have reverted this, because all data files were accessible without any authentication. Not sure whether it was only related to my Apache config or not, but be careful when you use it in your configuration.
Here is reported issue related to this:
https://github.com/nextcloud/server/issues/6449
Thank you. This fits my expectation and closes the gap.
I use only "Require all" and it seems to work.
But I want to be sure :-)
I see this also; here is my server information:
root@ncServer:/var/log/apache2
➤ cat nextcloud_error.log.1
[Sun Feb 23 12:33:53.135749 2020] [access_compat:error] [pid 6516] [client 127.0.0.1:44388] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 13:03:43.056532 2020] [access_compat:error] [pid 3522] [client 127.0.0.1:46046] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 19:20:44.817497 2020] [access_compat:error] [pid 12263] [client 127.0.0.1:41154] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:46:57.886302 2020] [access_compat:error] [pid 12310] [client 127.0.0.1:49772] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:50:25.513269 2020] [access_compat:error] [pid 12271] [client 127.0.0.1:49926] AH01797: client denied by server configuration: /var/www/nextcloud/config
➤ cat nextcloud_access.log.1 | grep -E "(12:33:53)|(13:03:43)|(19:20:44)|(21:46:57)|(21:50:25)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /remote.php/dav/avatars/admin/128.png HTTP/1.1" 200 34504 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:19:20:44 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 8467 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:50:25 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
➤ cat config/.htaccess
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
Satisfy All
</IfModule>
# Section for Apache 2.2
<IfModule !mod_authz_core.c>
<IfModule !mod_access_compat.c>
<IfModule mod_authz_host.c>
Order Allow,Deny
Deny from all
</IfModule>
Satisfy All
</IfModule>
</IfModule>
# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
IndexIgnore *
</IfModule>
➤ a2query -m | grep php && dpkg -l | grep apache2
php7.4 (enabled by maintainer script)
ii apache2 2.4.41-1+ubuntu16.04.1+deb.sury.org+5 amd64 Apache HTTP Server
ii apache2-bin 2.4.41-1+ubuntu16.04.1+deb.sury.org+5 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.41-1+ubuntu16.04.1+deb.sury.org+5 all Apache HTTP Server (common files)
ii apache2-utils 2.4.41-1+ubuntu16.04.1+deb.sury.org+5 amd64 Apache HTTP Server (utility programs for web servers)
rc libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.7 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
rc libapache2-mod-php7.3 7.3.12-1+ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii libapache2-mod-php7.4 7.4.2-6+ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
➤ sudo -u www-data php ./occ status
- installed: true
- version: 18.0.0.10
- versionstring: 18.0.0
- edition:
Confirmed with nextcloud-client == 2.64 on all platforms (Windows, Linux, Mac) and Nextcloud 18 on CentOS 7: the client tries to use the URL /config, which creates a log trace that fail2ban uses to ban the IP.
The evidence:
xxx.xxx.xxx.xxx - - [09/Mar/2020:20:37:20 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"
xx.xxx.xxx.xxx - - [09/Mar/2020:20:37:51 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"
The log traces in error.log:
[Mon Mar 09 20:37:20.506584 2020] [access_compat:error] [pid 20722] [client xx.xx.xx.1xx:40732] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Mon Mar 09 20:37:51.146870 2020] [access_compat:error] [pid 22534] [client xx.xx.xx.xx:40758] AH01797: client denied by server configuration: /usr/share/nextcloud/config
Exact same problem here, a solution would be nice.
Cheers,
I created a filter .local to avoid being banned by fail2ban; it will survive a fail2ban RPM update, but it is just a fix :|
[root@prometheus ~]# cat /etc/fail2ban/filter.d/apache-auth.local
# Fail2Ban apache-auth filter
[Definition]
#
ignoreregex = /usr/share/nextcloud/config$
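The grep correlation shown a few comments above (error.log timestamps matched against access.log), the `<script>.php/config` pattern from the PT-flag analysis, and the ignoreregex workaround from this comment, pulled together as an added Python example. This is not code from the thread, from Nextcloud or from fail2ban; the sample log lines are constructed after the ones quoted in this thread, and the `203.0.113.9` client with its `/data` entry is made up to show the contrast. It parses both Apache logs, labels a denied entry as a client-startup probe when the same client got a 200 for a `.php/config` URL within one second, and reports which entries a simplified stand-in for the fail2ban apache-auth filter would still count once `ignoreregex = /config$` is in place.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the lines quoted in this thread.
# The 203.0.113.9 client and the /data entry are made up for the example.
ERROR_LOG = """\
[Sun Feb 23 12:33:53.135749 2020] [access_compat:error] [pid 6516] [client 127.0.0.1:44388] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 12:40:10.000000 2020] [access_compat:error] [pid 6520] [client 203.0.113.9:51000] AH01797: client denied by server configuration: /var/www/nextcloud/data
[Sun Feb 23 13:03:43.056532 2020] [authz_core:error] [pid 3522] [client 127.0.0.1:46046] AH01630: client denied by server configuration: /var/www/nextcloud/config
"""

ACCESS_LOG = """\
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
203.0.113.9 - - [23/Feb/2020:12:40:10 +0800] "GET /data/ HTTP/1.1" 403 199 "-" "curl/7.64.0"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
"""

# error_log line as written by mod_authz_core (AH01630) or mod_access_compat (AH01797).
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>.+):\d+\] (?P<code>AH\d+): client denied by server configuration: (?P<path>\S+)$"
)
# Combined-format access_log line. The zone offset is dropped: both logs on one
# host are written in the same local time, so naive timestamps compare directly.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# The pattern from the thread: any <script>.php/config URL is probed against the config directory.
PHP_CONFIG_RE = re.compile(r"\.php/config(?:\?|$)")


def parse_error_log(text):
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
        rec["raw"] = line
        out.append(rec)
    return out


def parse_access_log(text):
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
        rec["status"] = int(rec["status"])
        out.append(rec)
    return out


def correlate(errors, accesses, window_seconds=1.0):
    """Pair each denied entry with a request from the same client inside the window.

    client-startup-probe: the same client got a 200 for <x>.php/config at the same
                          second, i.e. the PT pass-through discussed above, not an attack
    unexplained:          no such request; a genuine attempt on the protected directory
    """
    window = timedelta(seconds=window_seconds)
    results = []
    for err in errors:
        nearby = [a for a in accesses if a["ip"] == err["ip"] and abs(a["time"] - err["time"]) <= window]
        probe = next((a for a in nearby if a["status"] == 200 and PHP_CONFIG_RE.search(a["url"])), None)
        results.append({
            "ip": err["ip"],
            "path": err["path"],
            "verdict": "client-startup-probe" if probe else "unexplained",
            "matched_url": probe["url"] if probe else None,
        })
    return results


def still_counted(errors, ignore_regex):
    """Denied entries a filter would still count once an ignoreregex is in place.

    Simplified stand-in for fail2ban's apache-auth filter: every parsed
    'client denied by server configuration' line counts unless ignore_regex
    matches it (fail2ban applies ignoreregex to the whole log line).
    """
    ign = re.compile(ignore_regex)
    return [e["ip"] for e in errors if not ign.search(e["raw"])]


if __name__ == "__main__":
    errs = parse_error_log(ERROR_LOG)
    for r in correlate(errs, parse_access_log(ACCESS_LOG)):
        print(f"{r['ip']:<14} {r['path']:<28} {r['verdict']:<21} {r['matched_url'] or '-'}")
    print("still counted with ignoreregex /config$:", still_counted(errs, r"/config$"))
```

Run it as a script to print one verdict per denied entry. The one-second window is what the grep above relies on: the error and access entries share the same second. Whatever comes back `unexplained` is the part of the error log that still deserves fail2ban's attention, which is why an ignoreregex anchored on the config path is safer than suppressing every "client denied" line.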
Same problem here, I tried some modifications but it does not work.
[Tue Mar 31 01:20:51.999828 2020] [access_compat:error] [pid 5535] [client xx.xx.xx.xx:57776] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 01:52:39.859634 2020] [access_compat:error] [pid 6372] [client xx.xx.xx.xx:58156] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 09:35:06.714255 2020] [access_compat:error] [pid 8933] [client xx.xx.xx.xx:58306] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 12:25:27.861677 2020] [access_compat:error] [pid 8925] [client xx.xx.xx.xx:58321] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 12:43:45.713555 2020] [access_compat:error] [pid 8933] [client xx.xx.xx.xx:58478] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 13:04:00.876156 2020] [access_compat:error] [pid 25554] [client xx.xx.xx.xx:58647] AH01797: client denied by server configuration: /var/www/nextcloud/config
Can confirm this issue on Debian 10 + Nextcloud Client 2.5.1; nextcloud server 18.0.3 running on apache with ssl (https), http2 enabled.
I patched the issue by changing something in the vHost; check if it could help.
Look at `#Satisfy Any`: it is commented out because it did not do anything.
I remember that the most important thing is the `Require all granted` line inside `<Directory>`.
My NextCloud vHost inside /etc/apache2/sites-available/:
<VirtualHost *:80>
DocumentRoot /var/www/nextcloud/
ServerName cloud.YOUR_SERVER.com
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName cloud.YOUR_SERVER.com
DocumentRoot /var/www/nextcloud
CustomLog /var/log/apache2/cloud-access.log combined
ErrorLog /var/log/apache2/cloud-error.log
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
#Satisfy Any
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
<IfModule mod_dav.c>
Dav off
</IfModule>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
</VirtualHost>
Same problem with Ubuntu 18.04 server + NC 18.0.3 + the following clients:
linux 2.6.4git
windows 2.6.4
mac 2.6.4
The "#Satisfy Any" is not in my vhost already.
vhost:
<VirtualHost *:443>
SSLEngine on
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
ServerAdmin #######
DocumentRoot /var/www/html/nextcloud
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log extended
ServerName ######
<Directory /var/www/html/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
#Header always set Referrer-Policy "no-referrer"
#Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
<IfModule reqtimeout_module>
RequestReadTimeout body=0
RequestReadTimeout handshake=0
RequestReadTimeout header=0
</IfModule>
</VirtualHost>
I "fixed" it via the ignoreregex thing in fail2ban. But I don't think that that's the best solution.
Source: lines [7,12] of /etc/httpd/conf.d/nextcloud.conf
# ln -s /etc/httpd/conf.d/nextcloud-access.conf.avail /etc/httpd/conf.d/z-nextcloud-access.conf
I'm getting the same error in my apache2 error log:
[access_compat:error] [pid 1784] [client :55489] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 1898] [client :56535] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 8153] [client :49709] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 18598] [client :62644] AH01797: client denied by server configuration: /var/www/nextcloud/config
@nickvergessen any ideas?
CentOS Linux release 8.2.2004 (Core)
Linux home-lab.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Nextcloud: 19.0.3
Same issue, nextcloud server 20.0.0, nextcloud-desktop 2.5.1-3+deb10u1, apache 2.4.38-3+deb10u4, stock configuration from https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#apache-web-server-configuration
I spent some time today to understand what the PT flag is supposed to do. I still have no idea why it's there in the first place. If one of you has a test system:
Change `RewriteRule . index.php [PT,E=PATH_INFO:$1]` to `RewriteRule . index.php [E=PATH_INFO:$1]`
And let us know if you run into weird issues ;) Keep in mind the change is not update safe and the integrity check might complain.
Hm,
apparently this has been a PITA for some time.
I was able to track down when this error message happened in my set-up. Apparently every time I restarted the Linux nextcloud client, the following sequence of requests was issued:
tail -f nextcloud-ssl-access.log | grep mirall
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "GET /status.php HTTP/1.1" 200 5014 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 1210 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 6405 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 1195 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 1506 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /remote.php/dav/avatars/nextcloud/128.png HTTP/1.1" 200 28393 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/cloud/activity?start=0&count=100&format=json HTTP/1.1" 200 18976 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "PROPFIND /remote.php/dav/files/nextcloud/ HTTP/1.1" 207 44867 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
And at the same time I did receive an error log entry:
[Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config
Apache 2.4, Debian 9
sites http conf:
:
DocumentRoot /var/www/nextcloud
:
<Directory /var/www/nextcloud>
Options Indexes FollowSymLinks MultiViews
Require all granted # <------ this basically means that all access is granted for everybody
AllowOverride All # <--------- this means that .htaccess files in directories are respected
</Directory>
:
So let's look at the .htaccess in /var/www/nextcloud/config:
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
Satisfy All
</IfModule>
:
I do interpret this as follows:
Apparently Apache seems to have some issues with mixing old and new directives (google: access_compat:error AH01797)
So I tried:
a2dismod access_compat
systemctl restart apache2
The result was that the error still happened when restarting the Linux nextcloud client, but this time reported from a different module (which is to be expected - we expressly stated that we do NOT want anybody to access this data).
[Thu Oct 29 13:55:28.787665 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46576] AH01630: client denied by server configuration: /var/www/nextcloud/config
So I would assume that the request of "GET /ocs/v1.php/config?format=json" should either not happen, or we should somehow allow this.
Any clues anybody?
I thought it was SUPPOSED to happen like this, that the error generated proves that the security we want (no direct access to the data/ folder) is in place and data is accessible only after authentication. I am basing this assumption on @tflidd's comment here: https://help.nextcloud.com/t/client-denied-by-server-configuration-ocdata/13250/4
Of course it is supposed to happen that nextcloud won't let you access this folder. BUT why is an app TRYING to access it?!?!? The problem is in the app!
This way errors are being logged. And intrusion detection software will take these errors as an indication of an attack and will block you!
The app uses this call to identify the "hostname" of the nextcloud server - at least that's what I understood from trying to look at the code. I assume there must be other ways of doing that than to access something that is forbidden (and as such won't provide any information anyhow)... Unluckily I don't feel professional enough to fix this!
Wolf
@WarpinWolf What you say makes sense. I just don't think it is a problem with Nextcloud app, but maybe the desktop client. Reading the earlier comments here and on other related threads (here and here) it appeared some folks were recommending granting access at the webserver, effectively disabling .htaccess. Probably not a good idea.
I also encountered this issue yesterday, but simply modified fail2ban as described by others to avoid getting my IP banned. For me the issue was with fail2ban, not with Nextcloud. If fail2ban is disabled, yes the errors are still raised in the log, but it does not impact functionality or performance of Nextcloud. I know it's not a great answer, but I need my production instance up and running, not disabled because of an aggressive fail2ban policy.
I appreciate your additional investigation and look forward to hearing from someone with more experience and insights that can answer the questions you posed.
OK - we do have the DESKTOP CLIENT that does issue a request that by design is not able to be fulfilled. This results in an error log entry. A correctly configured intrusion detection software identifies a repeatedly occurring error as an attack vector and bans the associated IP address.
Neither allowing the request by modifying the .htaccess file nor disabling the recognition of possible intrusions is a SOLUTION. They may be used as a workaround but carry their own risks.
The SOLUTION is to change the CLIENT issuing the wrong request. Unluckily I can't help here.
I do not know why it should be necessary to identify the server capabilities as obviously we will "never" get a valid answer in line 231 of https://github.com/nextcloud/desktop/blob/master/src/gui/connectionvalidator.cpp
// And we'll retrieve the ocs config in parallel
// note that 'this' might be destroyed before the job finishes, so intentionally not parented
auto configJob = new JsonApiJob(_account, QLatin1String("ocs/v1.php/config"));
Easiest thing would be to stop calling this method.....
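An added example (my own code, not Nextcloud's, Apache's or fail2ban's) that ties together the two log lines quoted at the top of this thread and the fail2ban consequence described in the last few comments: it parses Apache error-log entries carrying AH01630 / AH01797 "client denied by server configuration", pairs each one with the 403 request from the same client in the access log, and then applies fail2ban's counting rule (ban once maxretry matching lines fall inside a sliding findtime window; maxretry = 5 and findtime = 10 minutes are the jail.conf defaults I am assuming). The log lines inside the block are constructed to resemble the ones quoted here; the second IP 198.51.100.9, the ports, sizes and the repeated denials a few seconds apart are made up for the demonstration.

```python
"""Apache access/error-log correlation plus fail2ban-style ban counting.

Added example for this thread; not Nextcloud, Apache or fail2ban code.
Sample log lines below are constructed to mirror the ones quoted in the thread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both modules log a denial for a `Require all denied` / `Deny from all` hit;
# the code differs depending on whether mod_access_compat is loaded.
DENIED_CODES = {"AH01630": "authz_core", "AH01797": "access_compat"}

ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z0-9_]+):(?P<level>\w+)\] \[pid \d+\] "
    r"\[client (?P<ip>[^\]]+?):\d+\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)
# Apache "combined" access-log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_error_line(line):
    """Return a dict for a 'client denied by server configuration' entry, else None."""
    m = ERROR_RE.match(line)
    if not m or m["code"] not in DENIED_CODES:
        return None
    # error-log timestamps carry no zone; Apache writes them in server-local time
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return {"ts": ts, "ip": m["ip"], "module": m["module"], "code": m["code"],
            "path": m["msg"].rsplit(": ", 1)[-1]}


def parse_access_line(line):
    """Return a dict for a combined-format access-log entry, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # drop the zone so the value compares with the (local-time) error log
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts, "ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"]}


def correlate(access_entries, error_entries, window=timedelta(seconds=2), status=403):
    """Pair each denial with the request(s) of the same client that received
    `status` within `window` of it: that is the request which tripped the rule."""
    pairs = []
    for err in error_entries:
        hits = [a for a in access_entries
                if a["ip"] == err["ip"] and a["status"] == status
                and abs(a["ts"] - err["ts"]) <= window]
        pairs.append((err, hits))
    return pairs


def fail2ban_bans(error_entries, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban semantics: ban a client once `maxretry` matching lines fall
    inside a sliding `findtime` window.  Returns {ip: time of ban}."""
    recent = defaultdict(deque)
    banned = {}
    for err in sorted(error_entries, key=lambda e: e["ts"]):
        if err["ip"] in banned:
            continue
        q = recent[err["ip"]]
        q.append(err["ts"])
        while q and err["ts"] - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[err["ip"]] = err["ts"]
    return banned


# Constructed sample data (second IP, ports, sizes and repetition are made up).
ACCESS_LOG = """\
77.21.95.34 - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 403 5121 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
77.21.95.34 - nextcloud [29/Oct/2020:13:38:27 +0100] "PROPFIND /remote.php/dav/files/nextcloud/ HTTP/1.1" 207 44867 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
198.51.100.9 - - [29/Oct/2020:13:40:00 +0100] "GET /index.php/login HTTP/1.1" 200 8123 "-" "curl/7.64.0"
""".splitlines()

ERROR_LOG = """\
[Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:39:02.101000 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46576] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:39:40.555000 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46580] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:40:15.000000 2020] [authz_core:error] [pid 19092] [client 77.21.95.34:46590] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:41:03.250000 2020] [authz_core:error] [pid 19093] [client 77.21.95.34:46601] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:40:30.000000 2020] [authz_core:error] [pid 19094] [client 198.51.100.9:51000] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:55:30.000000 2020] [authz_core:error] [pid 19095] [client 198.51.100.9:51010] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Thu Oct 29 13:42:00.000000 2020] [php7:error] [pid 19096] [client 198.51.100.9:51020] PHP Warning:  Undefined index: foo in /var/www/nextcloud/x.php on line 1
""".splitlines()


if __name__ == "__main__":
    errors = [e for e in map(parse_error_line, ERROR_LOG) if e]
    access = [a for a in map(parse_access_line, ACCESS_LOG) if a]
    for err, hits in correlate(access, errors):
        what = ", ".join(f'{h["method"]} {h["path"]} ({h["ua"]})' for h in hits) or "no matching request"
        print(f'{err["ts"]} {err["ip"]} {err["code"]} -> {what}')
    print("banned:", fail2ban_bans(errors))
```

Run as a script it prints one line per denial with the request it belongs to, then the ban set. The useful part is the correlate step: the denied path in error.log (/var/www/nextcloud/config) lines up with the client's GET /ocs/v1.php/config?format=json that got a 403, not with anyone fetching /config directly, which is what the thread concluded. The fail2ban step shows why the client's behaviour matters: the same denial repeated five times inside ten minutes from one address trips the default counters, while two denials fifteen minutes apart do not.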
@WarpinWolf your assumption is wrong. I would really appreciate if you could stop commenting on this issue. Your comments are not helpful and misleading.
If you are interested in the actual problem I suggest to read this issue carefully from the beginning.
https://github.com/nextcloud/desktop/pull/2619 is going to remove the request to /ocs/v1.php/config?format=json. You are welcome to try the new version. Instructions are over there. Only a build for linux is available afaik.
That should fix the problem for most people but the crazy rewrite rule (that rewrites /ocs/v1.php/config?format=json to /config) is still there and may need another fix.
Note however that as @nickvergessen pointed out, said patch breaks support for the "copy internal link" feature in the client. So I guess the alternative I proposed earlier of having another way to get the host part is likely a better path.
Most helpful comment
I came to the following findings:
1) The Require all denied from the .htaccess in config is the reason for Apache's log entry
2) There is no client request to /config, but curl <host>/ocs/v1.php/config?format=json triggers the log
3) It might be a rewrite rule that results in a request being rewritten to /config