Server: AH01630: client denied by server configuration: /var/www/nextcloud/config

Created on 20 Nov 2018 · 48 comments · Source: nextcloud/server

Report

This is the first time I'm doing this, please be gentle ;-)

The client is trying to access /var/www/nextcloud/config, which is explicitly denied all access via the .htaccess file in that particular directory.
I noticed this because I also have fail2ban running on the server, and my own IP address kept getting locked out of apache. I noticed the following line in my error.log:

AH01630: client denied by server configuration: /var/www/nextcloud/config

Client configuration

Client version: 2.5.0git

Operating system: Ubuntu 18.04 with GNOME

OS language: English

Qt version used by client package (Linux only, see also Settings dialog):

Client package (From Nextcloud or distro) (Linux only): Launchpad PPA

Installation path of client: /usr/bin/nextcloud

Server configuration

Operating system:

Web server: Apache

Database: MySQL 5.7.24

PHP version: 7.0.32

Nextcloud version: 14.03

Storage backend (external storage):

Logs

Please use Gist (https://gist.github.com/) or a similar code paster for longer
logs.

Template for output < 10 lines

  1. Client logfile: Output of nextcloud --logwindow or nextcloud --logfile log.txt
    (On Windows using cmd.exe, you might need to first cd into the Nextcloud directory)
    (See also https://docs.nextcloud.com/desktop/2.3/troubleshooting.html#log-files)

  2. Web server error log:

  3. Server logfile: nextcloud log (data/nextcloud.log):


All 48 comments

The only access I see is to

<server>/ocs/v1.php/config

I see this also every 15 minutes with this client, V2.5 on Ubuntu 18.04.

Could you post your log output of the client, and your webserver config?

As for the log, I can't do that right away, since I downgraded to 2.3.3, but the server config file in question is probably the one in the config directory itself:

# line below is for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below is for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

Somebody on diaspora* found this one after I posted something there:
https://pod.lazyteddy.eu/posts/48948

I'll try to get a logfile later today.

If you mean the file .owncloudsync.log on the client machine I noticed something weird. The last entries are this:

#=#=#=# Syncrun started 2018-11-14T18:00:58
#=#=#=#=# Propagation starts 2018-11-14T18:00:58 (last step: 889 msec, total: 889 msec)
#=#=#=# Syncrun finished 2018-11-14T18:00:59 (last step: 29 msec, total: 919 msec)

I've confirmed in /var/log/apt/history.log that a few minutes later I upgraded the client to 2.5.0git on this machine. Since then no log entries any more. But syncing seems fine.

On the server side, this is my config:

<?php
$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => 'XXX',
  ),
  'datadirectory' => 'XXX',
  'overwrite.cli.url' => 'XXX',
  'version' => '14.0.4.2',
  'dbtype' => 'mysql',
  'dbname' => 'XXX',
  'dbhost' => 'XXX',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'logtimezone' => 'Europe/Berlin',
  'default_language' => 'de',
  'htaccess.RewriteBase' => '/',
  'share_folder' => '/XXX',
  'cron.lockfile.location' => 'XXX',
  'tempdirectory' => 'XXX',
  'installed' => true,
  'mail_domain' => 'XXX',
  'trashbin_retention_obligation' => '30,60',
  'versions_retention_obligation' => '15,30',
  'log_rotate_size' => 104857600,
  'activity_expire_days' => 90,
  'mail_from_address' => 'XXX',
  'mail_smtpmode' => 'smtp',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\TXT',
    6 => 'OC\\Preview\\MarkDown',
  ),
  'loglevel' => 2,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'token_auth_enforced' => true,
  'auth.bruteforce.protection.enabled' => true,
  'updater.release.channel' => 'stable',
  'theme' => '',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'XXX',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'XXX',
  'mail_smtppassword' => 'XXX',
  'sentry.dsn' => 'XXX',
  'sentry.public-dsn' => 'XXX',
);

No errors there and nothing special in the logs either, but this from Apache:

[Sat Nov 24 07:08:38.511169 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:16:38.526937 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:24:38.545834 2018] [authz_core:error] [pid 17589:tid 140163193386752] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:32:38.539323 2018] [authz_core:error] [pid 17590:tid 140163184994048] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:48:38.519454 2018] [authz_core:error] [pid 17590:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:56:38.515436 2018] [authz_core:error] [pid 17589:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config

(So it's every 8 minutes and not 15.)

Since this is over IPv6 the client ip in question is exactly the ip of this ubuntu machine with the 2.5-client.

Should have started the client with the debug parameters, but I finally figured it out. :)

I noticed a TIMEOUT in the client logs every 8 minutes, and on reconnect I saw the denied line in the Apache logs. I had this vhost running with HTTP/2, so I downgraded to HTTP/1.1 to test this out. And the TIMEOUTs are gone in the client. So far so good.

But every time I start the client there is one new entry in the Apache logs. This does not happen, when I pause the sync and let it continue later.

I attach the client debug log from startup here:
debug.log

Server is running Ubuntu 18.04.1 with Apache 2.4.29-1ubuntu4.4.

I see this also; I'm just using the nextcloud:apache docker image, so I don't think this is a configuration issue.

I have just upgraded from NC13 -> 14 -> 15. As soon as I went to 14 I started to see the error and my fail2ban kicked in.
At first I thought it was the admin checks but after seeing this, I think not.
Edit: a bit of playing around (and upgrading the client to 2.5.1git) and it seems like the access attempt happens on client start; as mentioned earlier. I've not noticed during actual syncs (which I had to force).

I see this as well on client version 2.5.1. My setup is: single Nextcloud server, several clients (on different machines).

In my case the message is logged on the server twice, and the messages are triggered by client startup (and startup only).

AH01630: client denied by server configuration: /var/www/html/config
AH01630: client denied by server configuration: /var/www/html/config

I'm getting the same here.
Can reproduce all the time on my Fedora desktop on one folder, happened once on my iOS App (v. 2.22.7.4). So maybe the issue is with nextcloud/server?

@Skomli Disabling HTTP/2 worked for you?

Server version: 15.0.2

Client version:

$ sudo dnf info nextcloud-client
Last metadata expiration check: 3:20:52 ago on Tue Jan 15 16:18:07 2019.
Installed Packages
Name         : nextcloud-client
Version      : 2.5.1
Release      : 1.fc29
Arch         : x86_64
Size         : 7.5 M
Source       : nextcloud-client-2.5.1-1.fc29.src.rpm
Repo         : @System
From repo    : updates-testing

Client log:

Nextcloud client logoutput
Please be aware that the following log snippet is redacted. The actual usernames, filenames and paths have been replaced by [*PLACEHOLDERS*].

[OCC::WebFlowCredentials::stillValid    "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::SyncJournalDb::setErrorBlacklistEntry     Setting blacklist entry for  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" 1 "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: " 1547581567 0 1526897146 "fd2c68402c70140160404c8560187d09" "" 0
[OCC::PropagateItemJob::done    Could not complete propagation of "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" by OCC::PropagateDownloadFile(0x613330a540f0) with status 3 and error: "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted     Item  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf"  retrieved resulted in  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted     Item  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf"  retrieved resulted in error  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityListModel::addErrorToActivityList     Error successfully added to the notification list:  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::WebFlowCredentials::slotFinished  request finished

Webserver cfg:

Apache2 Config

# Settings for mod_md
# https://github.com/icing/mod_md

MDomain sub.mydomain.tld
MDMustStaple on
MDPrivateKeys RSA 4096
MDRequireHttps permanent
MDCAChallenges http-01

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

ServerName sub.mydomain.tld
ExtendedStatus on

<VirtualHost *:80>
    ServerName sub.mydomain.tld
    Redirect permanent / https://sub.mydomain.tld/
</VirtualHost>

<VirtualHost _default_:443>
    Protocols h2 http/1.1
    ServerName sub.mydomain.tld
    ServerAdmin [email protected]

    SSLEngine On

    Header setifempty feature-policy: "geolocation 'self'; midi 'none'; sync-xhr 'none'; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; fullscreen 'self'; payment 'none'"
    Header set Referrer-Policy: "strict-origin-when-cross-origin"
    Header set Expect-CT "max-age=0, enforce, report-uri=https://[*REDACTED*].report-uri.com/r/d/ct/enforce"

    Alias / "/var/www/nextcloud/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
        Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud

    </Directory>

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost
    </Location>
</VirtualHost>

# Recommendations by Mozilla, via https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.34&openssl=1.1.1a&hsts=yes&profile=modern
# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Webserver Log:

[Tue Jan 15 19:17:55.077441 2019] [authz_core:error] [pid 4040:tid 140370015000320] [client *.*.*.50:39056] AH01630: client denied by server configuration: /var/www/nextcloud/config

Forgot to ping @rullzer for additional logs.
Let me know if you need more.

Any news on that?
Or workarounds to solve that problem?

To avoid locking from fail2ban you may add

ignoreregex = var/www/nextcloud/config

into /etc/fail2ban/filter.d/apache-auth.conf

For me it worked.

I came to the following findings:

1) The Require all denied from the .htaccess in config is the reason for Apache's log entry
2) There is no client request to /config, but curl <host>/ocs/v1.php/config?format=json triggers the log
3) It might be a rewrite rule that results in a request being rewritten to /config

I can confirm this behavior on my server. The requests sent are (twice!):
GET /ocs/v1.php/config?format=json HTTP/1.0
GET /ocs/v1.php/config?format=json HTTP/1.0

This happens for instance with clients with the User Agent "Mozilla/5.0 (Macintosh) mirall/2.5.2git (build 20190319) (Nextcloud)" and "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)".

It does not feel like a rewrite rule is applied, is it? access.log lists 200 as status message.

> It does not feel like a rewrite rule is applied, is it? access.log lists 200 as status message.

Rewrite, not redirect.

This seems to be a configuration issue with apache. These are the rewrite rules:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

This happens on every request to the nextcloud server that looks like <host>/ANY.php/config. I can reproduce it with these: /ocs/v1.php/config, /ocs/v2.php/config, /remote.php/config, /index.php/config... Somehow Apache first tries to get the filesystem access directly and then redirects to the called PHP script.

This behavior is (most likely) caused by the option PT:

> The target (or substitution string) in a RewriteRule is assumed to be a file path, by default. The use of the [PT] flag causes it to be treated as a URI instead. That is to say, the use of the [PT] flag causes the result of the RewriteRule to be passed back through URL mapping, so that location-based mappings, such as Alias, Redirect, or ScriptAlias, for example, might have a chance to take effect.
>
> If, for example, you have an Alias for /icons, and have a RewriteRule pointing there, you should use the [PT] flag to ensure that the Alias is evaluated.

See https://httpd.apache.org/docs/current/rewrite/flags.html#flag_pt

Does anybody have an idea how to exclude the directory config from this check to avoid the log spamming?

Maybe @kesselb or @rakekniven have some idea.

Any progress? I have the same problem with fail2ban.

I was having this problem with NC 16.
I solved it by editing the Apache vhost file, and adding the "Satisfy any" (and maybe the "Require all granted") line to the Directory section.
More details at https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#additional-apache-configurations

Don't know if this applies to earlier versions of NC.

Thanks for info, "Satisfy any" does the job.

@bekon16 Did you use "Require all" AND "Satisfy any" or just the last one?

> @bekon16 Did you use "Require all" AND "Satisfy any" or just the last one?

Probably the last one, I don't remember exactly, but I have reverted this, because all data files were accessible without any authentication - not sure if it was related only to my apache config or not - but be careful when you use it in your configuration.

Here is reported issue related to this:
https://github.com/nextcloud/server/issues/6449

Thank you. This fits my expectation and closes the gap.
I use only "Require all" and it seems to work.
But I want to be sure :-)

I see this also; here is my server information:

root@ncServer:/var/log/apache2
➤ cat nextcloud_error.log.1
[Sun Feb 23 12:33:53.135749 2020] [access_compat:error] [pid 6516] [client 127.0.0.1:44388] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 13:03:43.056532 2020] [access_compat:error] [pid 3522] [client 127.0.0.1:46046] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 19:20:44.817497 2020] [access_compat:error] [pid 12263] [client 127.0.0.1:41154] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:46:57.886302 2020] [access_compat:error] [pid 12310] [client 127.0.0.1:49772] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:50:25.513269 2020] [access_compat:error] [pid 12271] [client 127.0.0.1:49926] AH01797: client denied by server configuration: /var/www/nextcloud/config
➤ cat nextcloud_access.log.1 | grep -E "(12:33:53)|(13:03:43)|(19:20:44)|(21:46:57)|(21:50:25)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /remote.php/dav/avatars/admin/128.png HTTP/1.1" 200 34504 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:19:20:44 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 8467 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:50:25 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"






➤ cat config/.htaccess
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

➤ a2query -m | grep php && dpkg -l | grep apache2
php7.4 (enabled by maintainer script)
ii  apache2                                      2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server
ii  apache2-bin                                  2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                                 2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    all          Apache HTTP Server (common files)
ii  apache2-utils                                2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server (utility programs for web servers)
rc  libapache2-mod-php7.0                        7.0.33-0ubuntu0.16.04.7                                  amd64        server-side, HTML-embedded scripting language (Apache 2 module)
rc  libapache2-mod-php7.3                        7.3.12-1+ubuntu16.04.1+deb.sury.org+1                    amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  libapache2-mod-php7.4                        7.4.2-6+ubuntu16.04.1+deb.sury.org+1                     amd64        server-side, HTML-embedded scripting language (Apache 2 module)

➤ sudo -u www-data php ./occ status
  - installed: true
  - version: 18.0.0.10
  - versionstring: 18.0.0
  - edition: 

Confirmed with nextcloud-client == 2.64 on all platforms (windows, linux, mac) and nextcloud 18 on centos7: the client tries to use the url /config, which creates a log trace that fail2ban uses to ban the IP.

The evidence:

xxx.xxx.xxx.xxx - - [09/Mar/2020:20:37:20 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"

xx.xxx.xxx.xxx - - [09/Mar/2020:20:37:51 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"

The log traces in error.log:

[Mon Mar 09 20:37:20.506584 2020] [access_compat:error] [pid 20722] [client xx.xx.xx.1xx:40732] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Mon Mar 09 20:37:51.146870 2020] [access_compat:error] [pid 22534] [client xx.xx.xx.xx:40758] AH01797: client denied by server configuration: /usr/share/nextcloud/config

Exact same problem here, a solution would be nice.
Cheers,

I created a filter.local to avoid being banned by fail2ban; it will survive a fail2ban rpm update, but it is just a fix :|

[root@prometheus ~]# cat /etc/fail2ban/filter.d/apache-auth.local
# Fail2Ban apache-auth filter


[Definition]
#
ignoreregex = /usr/share/nextcloud/config$
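The manual correlation a few comments above (error.log timestamps grepped against access.log) and the ignoreregex workaround in this comment can be checked with the script below. It is an added example, not code from this thread or from Nextcloud; it assumes the default Apache error-log format and the `combined` access-log format on one host, and the two non-loopback clients in the sample are constructed (RFC 5737 addresses). It shows that the workaround hides every denial on the config directory, including one where a client really asked for `/config/`.

```python
# Added example (not from the issue thread or Nextcloud): correlate Apache
# 'client denied' errors with the access log. Assumes the default error-log
# format, the 'combined' access-log format and one local time zone for both.
import re
from datetime import datetime, timedelta

ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?:authz_core|access_compat):error\] \[pid [^\]]+\] "
    r"\[client (?P<client>[^\]]+)\] (?P<code>AH01630|AH01797): "
    r"client denied by server configuration: (?P<path>\S+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Request shapes from the thread: /<script>.php/config reaches the protected
# directory although the desktop client never asked for /config itself.
OCS_CONFIG_RE = re.compile(r"^/[^?]*\.php/config(?:\?|$)")
DIRECT_CONFIG_RE = re.compile(r"^/config(?:/|\?|$)")
# The ignoreregex suggested in the thread as a fail2ban workaround.
THREAD_IGNOREREGEX = r"/var/www/nextcloud/config$"

def strip_port(client):
    """Drop the ':port' Apache appends to the client field (IPv4 only; an IPv6
    address is returned unchanged because its last colon is ambiguous)."""
    if client.count(":") == 1 and "." in client:
        return client.rsplit(":", 1)[0]
    return client

def parse_error_log(text):
    """Return one dict per 'client denied' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:  # timestamp looks like 'Sun Feb 23 12:33:53.135749 2020'
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            out.append({"ts": ts, "ip": strip_port(m["client"]),
                        "path": m["path"], "raw": line})
    return out

def parse_access_log(text):
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:  # '23/Feb/2020:12:33:53 +0800'; the offset is dropped on purpose
            ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
            out.append({"ts": ts, "ip": m["ip"], "target": m["target"],
                        "status": int(m["status"]), "ua": m["ua"]})
    return out

def classify(denial, access, window=timedelta(seconds=1)):
    """Return (kind, matching access entry or None) for one denied request."""
    same_client = [a for a in access
                   if a["ip"] == denial["ip"] and abs(a["ts"] - denial["ts"]) <= window]
    for a in same_client:  # someone really asked for /config: keep counting it
        if DIRECT_CONFIG_RE.match(a["target"]):
            return "direct_config_request", a
    for a in same_client:  # the desktop-client artefact this issue is about
        if OCS_CONFIG_RE.match(a["target"]) and "mirall" in a["ua"]:
            return "desktop_client_ocs_config", a
    return ("unexplained", None) if not same_client else ("other", same_client[0])

def fail2ban_ignores(line, ignoreregex=THREAD_IGNOREREGEX):
    """Simplified model of fail2ban's ignoreregex: a line that matches it is
    never counted as a failure, whatever the failregex would say."""
    return re.search(ignoreregex, line) is not None

def report(error_text, access_text):
    """Classify every denial and note whether the workaround would hide it."""
    access = parse_access_log(access_text)
    rows = []
    for d in parse_error_log(error_text):
        kind, a = classify(d, access)
        rows.append({"ip": d["ip"], "path": d["path"], "kind": kind,
                     "request": None if a is None else a["target"],
                     "ignored_by_workaround": fail2ban_ignores(d["raw"])})
    return rows

# Constructed sample: the 127.0.0.1 pair is copied from the thread; the two
# other clients use RFC 5737 documentation addresses and invented requests.
ERROR_LOG = """\
[Sun Feb 23 12:33:53.135749 2020] [access_compat:error] [pid 6516] [client 127.0.0.1:44388] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 12:40:10.001000 2020] [authz_core:error] [pid 6520] [client 203.0.113.7:51000] AH01630: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 12:45:00.500000 2020] [authz_core:error] [pid 6521] [client 198.51.100.9:40000] AH01630: client denied by server configuration: /var/www/nextcloud/config
"""
ACCESS_LOG = """\
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
203.0.113.7 - - [23/Feb/2020:12:40:10 +0800] "GET /config/config.php HTTP/1.1" 403 199 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    for row in report(ERROR_LOG, ACCESS_LOG):
        print(row)
```

Run against real logs it gives a quick audit of which denials the ignoreregex is silencing; the `unexplained` rows are the ones worth a closer look.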

Same problem here, I tried some modifications but it does not work.

[Tue Mar 31 01:20:51.999828 2020] [access_compat:error] [pid 5535] [client xx.xx.xx.xx:57776] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 01:52:39.859634 2020] [access_compat:error] [pid 6372] [client xx.xx.xx.xx:58156] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 09:35:06.714255 2020] [access_compat:error] [pid 8933] [client xx.xx.xx.xx:58306] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 12:25:27.861677 2020] [access_compat:error] [pid 8925] [client xx.xx.xx.xx:58321] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 12:43:45.713555 2020] [access_compat:error] [pid 8933] [client xx.xx.xx.xx:58478] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Tue Mar 31 13:04:00.876156 2020] [access_compat:error] [pid 25554] [client xx.xx.xx.xx:58647] AH01797: client denied by server configuration: /var/www/nextcloud/config

Can confirm this issue on Debian 10 + Nextcloud Client 2.5.1; nextcloud server 18.0.3 running on apache with ssl (https), http2 enabled.

> Can confirm this issue on Debian 10 + Nextcloud Client 2.5.1; nextcloud server 18.0.3 running on apache with ssl (https), http2 enabled.

I patched the issue by changing something in the vHost; check whether it could help.

Look at #Satisfy Any, it is commented out because it did not do anything.
I remember that the most important thing is the Require all granted line inside <Directory>.

My NextCloud vHost inside /etc/apache2/sites-available/ :

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud/
  ServerName cloud.YOUR_SERVER.com

  RewriteEngine On
  RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

  </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.YOUR_SERVER.com
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/cloud-access.log combined
    ErrorLog /var/log/apache2/cloud-error.log

    <Directory /var/www/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        #Satisfy Any

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>


<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

</VirtualHost>

same problem with ubuntu 18.04 server + nc 18.0.3 + following clients:

linux 2.6.4git
windows 2.6.4
mac 2.6.4

the "#Satisfy Any" is not in my vhost already

vhost:

<VirtualHost *:443>
        SSLEngine on
        SSLOptions +StrictRequire
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
        LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
        ServerAdmin #######
        DocumentRoot /var/www/html/nextcloud
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log extended
        ServerName ######


        <Directory /var/www/html/nextcloud/>
                Options +FollowSymlinks
                AllowOverride All

                <IfModule mod_dav.c>
                Dav off
                </IfModule>

                SetEnv HOME /var/www/html/nextcloud
                SetEnv HTTP_HOME /var/www/html/nextcloud

        </Directory>

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15768000; preload"
                Header always set Referrer-Policy "strict-origin-when-cross-origin"
                Header always set X-Content-Type-Options "nosniff"
                #Header always set Referrer-Policy "no-referrer"
                #Header always set X-Frame-Options "SAMEORIGIN"
        </IfModule>

        <IfModule reqtimeout_module>
                RequestReadTimeout body=0
                RequestReadTimeout handshake=0
                RequestReadTimeout header=0
        </IfModule>

</VirtualHost>

I "fixed" it via the ignoreregex thing in fail2ban. But I don't think that that's the best solution.

Source: lines [7,12] of /etc/httpd/conf.d/nextcloud.conf

# ln -s /etc/httpd/conf.d/nextcloud-access.conf.avail /etc/httpd/conf.d/z-nextcloud-access.conf

I'm getting the same error in my apache2 error log:

[access_compat:error] [pid 1784] [client :55489] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 1898] [client :56535] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 8153] [client :49709] AH01797: client denied by server configuration: /var/www/nextcloud/config
[access_compat:error] [pid 18598] [client :62644] AH01797: client denied by server configuration: /var/www/nextcloud/config

@nickvergessen any ideas?

  • same error here, which triggers apache-auth fail2ban (put an ignoreregex in place as a workaround)
  • it is not something urgent but would be great to solve it :+1:

CentOS Linux release 8.2.2004 (Core)
Linux home-lab.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Nextcloud: 19.0.3

Same issue, nextcloud server 20.0.0, nextcloud-desktop 2.5.1-3+deb10u1, apache 2.4.38-3+deb10u4, stock configuration from https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#apache-web-server-configuration

I spent some time today to understand what the PT flag is supposed to do. I still have no idea why it's there in the first place. If one of you has a test system:

Change `RewriteRule . index.php [PT,E=PATH_INFO:$1]` to `RewriteRule . index.php [E=PATH_INFO:$1]`

And let us know if you run into weird issues ;) Keep in mind the change is not update safe and the integrity check might complain.

Hm,
apparently this has been a PITA for some time.

I was able to track down when this error message happened in my set-up. Apparently every time I restarted the Linux nextcloud client the following sequence of requests was issued:

tail -f nextcloud-ssl-access.log | grep mirall

xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "GET /status.php HTTP/1.1" 200 5014 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 1210 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 6405 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 1195 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 1506 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /remote.php/dav/avatars/nextcloud/128.png HTTP/1.1" 200 28393 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/cloud/activity?start=0&count=100&format=json HTTP/1.1" 200 18976 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "PROPFIND /remote.php/dav/files/nextcloud/ HTTP/1.1" 207 44867 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"

And at the same time I did receive an error log entry:
[Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config

Apache 2.4, Debian 9

sites http conf:

:
        DocumentRoot /var/www/nextcloud
:
<Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks MultiViews
        Require all granted  # <------ this means that basically all access is granted for everybody
        AllowOverride All # <--------- this means that .htaccess files in directories are respected
</Directory>
: 

So lets look at the .htaccess in /var/www/nextcloud/config

:
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>
:

I do interpret this as follows:

  • if the module authz_core is active (which it is), then access is denied for everybody using the "NEW" directives
  • if the module access_compat is active (which it is, too), then access is denied for everybody using the "OLD" directives

Apparently Apache seems to have some issues with mixing old and new directives (google: access_compat:error AH01797)

So I tried:

a2dismod access_compat
systemctl restart apache2

The result was that the error still happened when restarting the Linux nextcloud client, but this time reported from a different module (which is to be expected - we expressly stated that we do NOT want anybody to access this data).

[Thu Oct 29 13:55:28.787665 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46576] AH01630: client denied by server configuration: /var/www/nextcloud/config

So I would assume that the request of "GET /ocs/v1.php/config?format=json" should either not happen, or we should somehow allow this.

Any clues anybody?
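A defender-side way to see what an intrusion-detection tool such as fail2ban is actually reacting to, added here as an example and not code from the thread or from Nextcloud: parse the authz_core/access_compat error_log lines quoted above and count denials per client, separating hits on the deliberately locked-down directories (config, data) from everything else. The sample log lines are constructed from the ones quoted in this thread plus one invented entry; function and constant names are mine.

```python
import re
from collections import Counter

# Apache 2.4 error_log format as quoted in this thread, e.g.
# [Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):error\] \[pid \d+\] "
    r"\[client (?P<ip>\S*):\d+\] (?P<code>AH0\d{4}): "
    r"client denied by server configuration: (?P<path>\S+)$"
)

# Same event, two reporters: authz_core logs AH01630 for "Require all denied",
# access_compat logs AH01797 for "Order/Deny from all" while both directive styles are loaded.
DENIED_CODES = {"AH01630", "AH01797"}
# Directories that Nextcloud's own .htaccess files shield; a denial here is the
# protection working as intended, not a sign of a broken setup.
PROTECTED_DIRS = ("/config", "/data")

# Constructed sample: two lines from the thread plus one invented .htaccess probe.
SAMPLE_LOG = [
    "[Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config",
    "[Thu Oct 29 13:55:28.787665 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46576] AH01630: client denied by server configuration: /var/www/nextcloud/config",
    "[Thu Oct 29 14:02:11.000000 2020] [authz_core:error] [pid 19091] [client 203.0.113.7:51000] AH01630: client denied by server configuration: /var/www/nextcloud/.htaccess",
    "[Thu Oct 29 14:02:12.000000 2020] [core:notice] [pid 19091] AH00094: Command line: '/usr/sbin/apache2'",
]

def parse_line(line):
    """Return the fields of a 'client denied' line, or None for any other line."""
    m = ERROR_LINE.match(line)
    return m.groupdict() if m else None

def is_protected(docroot, path):
    """True if path is the docroot's config/ or data/ directory or something below it."""
    rel = path[len(docroot):] if path.startswith(docroot) else path
    return any(rel == d or rel.startswith(d + "/") for d in PROTECTED_DIRS)

def classify(docroot, lines):
    """Per-client Counter of denials: 'protected' (expected, e.g. the desktop client's
    /ocs/v1.php/config call rewritten onto /config) versus 'other' (worth a closer look)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] not in DENIED_CODES:
            continue
        kind = "protected" if is_protected(docroot, rec["path"]) else "other"
        counts.setdefault(rec["ip"], Counter())[kind] += 1
    return counts

if __name__ == "__main__":
    for ip, c in classify("/var/www/nextcloud", SAMPLE_LOG).items():
        print(ip, dict(c))
```

A fail2ban ignoreregex that matches only the "protected" shape keeps the ban logic for every other denial, which is narrower than disabling the jail or granting access in the vhost.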

I thought it was SUPPOSED to happen like this, that the error generated proves that the security we want (no direct access to the data/ folder) is in place and data is accessible only after authentication. I am basing this assumption on @tflidd's comment here: https://help.nextcloud.com/t/client-denied-by-server-configuration-ocdata/13250/4

Of course it is supposed to happen that Nextcloud won't let you access this folder. BUT why is an app TRYING to access it?!?!? The problem is in the app!
This way errors are being logged. And intrusion detection software will take these errors as an indication of an attack and will block you!
The app uses this call to identify the "hostname" of the Nextcloud server - at least that's what I understood from trying to look at the code. I assume there must be other ways of doing that than to access something that is forbidden (and as such won't provide any information anyhow)... Unluckily I don't feel professional enough to fix this!
Wolf

@WarpinWolf What you say makes sense. I just don't think it is a problem with Nextcloud app, but maybe the desktop client. Reading the earlier comments here and on other related threads (here and here) it appeared some folks were recommending granting access at the webserver, effectively disabling .htaccess. Probably not a good idea.

I also encountered this issue yesterday, but simply modified fail2ban as described by others to avoid getting my IP banned. For me the issue was with fail2ban, not with Nextcloud. If fail2ban is disabled, yes, the errors are still raised in the log, but it does not impact functionality or performance of Nextcloud. I know it's not a great answer, but I need my production instance up and running, not disabled because of an aggressive fail2ban policy.

I appreciate your additional investigation and look forward to hearing from someone with more experience and insights that can answer the questions you posed.

OK - we do have the DESKTOP CLIENT that issues a request that by design cannot be fulfilled. This results in an error log entry. A correctly configured intrusion detection software identifies a repeatedly occurring error as an attack vector and bans the associated IP address.
Neither allowing the request by modifying the .htaccess file nor disabling the recognition of possible intrusions is a SOLUTION. They may be used as a workaround but carry their own risks.
The SOLUTION is to change the CLIENT issuing the wrong request. Unluckily I can't help here.

I do not know why it should be necessary to identify the server capabilities as obviously we will "never" get a valid answer in line 231 of https://github.com/nextcloud/desktop/blob/master/src/gui/connectionvalidator.cpp

    // And we'll retrieve the ocs config in parallel
    // note that 'this' might be destroyed before the job finishes, so intentionally not parented
    auto configJob = new JsonApiJob(_account, QLatin1String("ocs/v1.php/config"));

Easiest thing would be to stop calling this method.....

@WarpinWolf your assumption is wrong. I would really appreciate if you could stop commenting on this issue. Your comments are not helpful and misleading.

If you are interested in the actual problem I suggest to read this issue carefully from the beginning.

https://github.com/nextcloud/desktop/pull/2619 is going to remove the request to /ocs/v1.php/config?format=json. You are welcome to try the new version. Instructions are over there. Only a build for linux is available afaik.

That should fix the problem for most people but the crazy rewrite rule (that rewrites /ocs/v1.php/config?format=json to /config) is still there and may need another fix.

Note however that as @nickvergessen pointed out, said patch breaks support for the "copy internal link" feature in the client. So I guess the alternative I proposed earlier of having another way to get the host part is likely a better path.
