ONLYOFFICE / onlyoffice-nextcloud

The app which enables the users to edit office documents from Nextcloud using ONLYOFFICE Document Server, allows multiple users to collaborate in real time and to save back those changes to Nextcloud
GNU Affero General Public License v3.0

Host violates local access rules #554

Open TheColin21 opened 2 years ago

TheColin21 commented 2 years ago

When a user of my Nextcloud 22.2.3 instance with OnlyOffice installed tries to convert and download a file via Nextcloud's context-menu, the error "Host violates local access rules" appears and the following gets logged:

{...,"app":"onlyoffice","method":"GET","url":"/apps/onlyoffice/downloadas?fileId=1187970&toExtension=pdf","message":"GetConvertedUri: 1187970","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53","version":"22.2.3.0","exception":{"Exception":"OCP\\Http\\Client\\LocalServerException","Message":"Host violates local access rules","Code":0,"Trace":[{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/Http/Client/DnsPinMiddleware.php","line":136,"function":"ThrowIfLocalIp","class":"OC\\Http\\Client\\LocalAddressChecker","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":64,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":63,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/Client.php","line":331,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/Client.php","line":168,"function":"transfer","class":"GuzzleHttp\\Client","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/guzzlehttp/guzzle/src/Client.php","line":187,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/Http/Client/Client.php","line":293,"function":"request","class":"GuzzleHttp\\Client","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/onlyoffice/lib/documentservice.php","line":362,"function":"post","class":"OC\\Http\\Client\\Client","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/onlyoffice/lib/documentservice.php","line":171,"function":"Request","class":"OCA\\Onlyoffice\\DocumentService","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/onlyoffice/lib/documentservice.php","line":90,"function":"SendRequestToConvertService","class":"OCA\\Onlyoffice\\DocumentService","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/onlyoffice/controller/editorcontroller.php","line":1048,"function":"GetConvertedUri","class":"OCA\\Onlyoffice\\DocumentService","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"download","class":"OCA\\Onlyoffice\\Controller\\EditorController","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/AppFramework/App.php","line":156,"function":"dispatch","class":"OC\\AppFramework\\Http\\D
ispatcher","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/base.php","line":1006,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/vhosts/domain.tld/cloud.domain.tld/lib/private/Http/Client/LocalAddressChecker.php","Line":42,"CustomMessage":"GetConvertedUri: 1187970"},"id":"619770457a4d3"}

pacohope commented 2 years ago

I was seeing this too with my server (running Nextcloud 20.0.10). I applied the fix described in #293 and the errors went away.

TheColin21 commented 2 years ago

I found the problem. I secured my instance via IP filtering. The request gets sent from my cloud's IPv6 address, which I whitelisted, but this seems to be getting ignored. The conversion works if I disable the filtering. Can I force IPv4 in my OnlyOffice or Nextcloud configuration, or is there a special format to be used for IPv6 addresses?

SergeyKorneyev commented 2 years ago

Hi @TheColin21 Have you tried adding the 'allow_local_remote_servers' => true, line to Nextcloud's config.php? This is the most common fix for the error you're getting.

TheColin21 commented 2 years ago

I have. Didn't work. I switched to secret authentication a few days ago.


ant0nwax commented 2 years ago

Hi I have an issue that is similar, which I started to report here: https://github.com/ONLYOFFICE/DocumentServer/issues/1659

- WWW reverseproxy on CentOS 7 with apache https
- OnlyOffice on CentOS 8 with apache http
- Nextcloud on CentOS 8 /data on NFS (TrueNAS) with nginx https


iLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhbnQwbiIsImZpbGVJZCI6NTA4MzEsImZpbGVQYXRoIjoiXC9Eb2N1bWVudHNcLyFGSU5BTlpFTiAoY29weSkueGxzeCIsInNoYXJlVG9rZW4iOm51bGwsImFjdGlvbiI6InRyYWNrIn0.RQhJD1908mg4rAT89MmmOtM_vrvGJIEbBrd9PDKxFB8","message":"Track: 50831 status 2 error","userAgent":"Node.js/6.13","version":"23.0.0.10","exception":{"Exception":"OCP\\Http\\Client\\LocalServerException","Message":"Host violates local access rules","Code":0,"Trace":[{"file":"/var/www/html/nextcloud/lib/private/Http/Client/DnsPinMiddleware.php","line":136,"function":"ThrowIfLocalIp","class":"OC\\Http\\Client\\LocalAddressChecker","type":"->","args":["192.168.1.29"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":35,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":63,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":331,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":168,"function":"transfer","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]},{"file":"/var/www/html/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php","line":187,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["get",{"__class__":"GuzzleHttp\\Psr7\\Uri"},{"verify":"/var/www/html/nextcloud/resources/config/ca-bundle.crt","timeout":60,"allow_redirects":{"on_redirect":{"__class__":"Closure"}},"nextcloud":{"allow_local_address":false},"synchronous":true,"0":"And 6 more entries, set log level to debug to see all entries"}]},{"file":"/var/www/html/nextcloud/lib/private/Http/Client/Client.php","line":223,"function":"request","class":"GuzzleHttp\\Client","type":"->","args":["get","https://onlyoffice.DOMAINREPLACED.TLD/cache/files/465943287_3418/output.xlsx/output.xlsx?md5=YnCQbWPQyaJfTGxIz7IR7A&expires=1646289208&filename=output.xlsx",{"verify":"/var/www/html/nextcloud/resources/config/ca-bundle.crt","timeout":60,"allow_redirects":{"on_redirect":{"__class__":"Closure"}},"nextcloud":{"allow_local_address":false},"headers":{"User-Agent":"Nextcloud Server Crawler","Accept-Encoding":"gzip"},"0":"And 1 more entries, set log level to debug to see all 
entries"}]},{"file":"/var/www/html/nextcloud/apps/onlyoffice/lib/documentservice.php","line":364,"function":"get","class":"OC\\Http\\Client\\Client","type":"->","args":["https://onlyoffice.DOMAINREPLACED.TLD/cache/files/465943287_3418/output.xlsx/output.xlsx?md5=YnCQbWPQyaJfTGxIz7IR7A&expires=1646289208&filename=output.xlsx",{"timeout":60}]},{"file":"/var/www/html/nextcloud/apps/onlyoffice/controller/callbackcontroller.php","line":513,"function":"Request","class":"OCA\\Onlyoffice\\DocumentService","type":"->","args":["https://onlyoffice.DOMAINREPLACED.TLD/cache/files/465943287_3418/output.xlsx/output.xlsx?md5=YnCQbWPQyaJfTGxIz7IR7A&expires=1646289208&filename=output.xlsx"]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"track","class":"OCA\\Onlyoffice\\Controller\\CallbackController","type":"->","args":["eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhbnQwbiIsImZpbGVJZCI6NTA4MzEsImZpbGVQYXRoIjoiXC9Eb2N1bWVudHNcLyFGSU5BTlpFTiAoY29weSkueGxzeCIsInNoYXJlVG9rZW4iOm51bGwsImFjdGlvbiI6InRyYWNrIn0.RQhJD1908mg4rAT89MmmOtM_vrvGJIEbBrd9PDKxFB8",["oc8wm0d8cdqs_USERNAMEREPLACED"],"465943287",2,"https://onlyoffice.DOMAINREPLACED.TLD/cache/files/465943287_3418/output.xlsx/output.xlsx?md5=YnCQbWPQyaJfTGxIz7IR7A&expires=1646289208&filename=output.xlsx",null,[],null,null,[{"type":0,"userid":"oc8wm0d8cdqs_USERNAMEREPLACED"}]]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\Onlyoffice\\Controller\\CallbackController"},"track"]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\Onlyoffice\\Controller\\CallbackController"},"track"]},{"file":"/var/www/html/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFram
ework\\App","type":"::","args":["OCA\\Onlyoffice\\Controller\\CallbackController","track",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"onlyoffice.callback.track"}]},{"file":"/var/www/html/nextcloud/lib/base.php","line":1006,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/onlyoffice/track"]},{"file":"/var/www/html/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/nextcloud/lib/private/Http/Client/LocalAddressChecker.php","Line":42,"CustomMessage":"Track: 50831 status 2 error"}}

Commifreak commented 2 years ago

Hi,

I have updated from 10 -> 24 (in order) and am now facing the same error, but only within the preview app?

NC 24.0.1:


The log entry:

{
   "reqId":"Ad2juo2OnFy4Y7lKhwpk",
   "level":2,
   "time":"2022-06-03T08:03:49+00:00",
   "remoteAddr":"192.168.0.192",
   "user":"ID",
   "app":"no app in context",
   "method":"GET",
   "url":"/index.php/apps/files_versions/preview?file=xxx.docx&version=1653392980",
   "message":"Host 192.168.205.20 was not connected to because it violates local access rules",
   "userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
   "version":"24.0.1.1"
}

or:

{
   "reqId":"AIYYpVl41usbGnZYN8C6",
   "level":2,
   "time":"2022-06-03T08:04:53+00:00",
   "remoteAddr":"172.31.30.142",
   "user":"ID",
   "app":"no app in context",
   "method":"GET",
   "url":"/index.php/core/preview?fileId=1658598&x=250&y=250",
   "message":"Host 192.168.205.20 was not connected to because it violates local access rules",
   "userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
   "version":"24.0.1.1"
}

And this floods my log :(

192.168.205.20 is my collabora server!

config snips:

  'trusted_domains' => 
  array (
    0 => 'nextcloud.mydomain.de',
  ),

// ....
  'proxyexclude' => 
  array (
    0 => '192.168.205.20', // collabora server ip
    1 => 'collabora.server.de',
  ),
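
Added example, not part of the thread and not Nextcloud or ONLYOFFICE code: a triage script for log entries like the ones quoted above that extracts the blocked host and names the address class that makes it "local". The sample lines are constructed, and the classification relies on Python's `ipaddress` module as an approximation of what Nextcloud's `LocalAddressChecker` rejects, which is an assumption.

```python
import ipaddress
import json
import re

# Constructed sample lines, shaped like the nextcloud.log entries quoted in this thread.
SAMPLE_LOG = r'''
{"reqId":"a1","level":2,"url":"/index.php/core/preview?fileId=1&x=250&y=250","message":"Host 192.168.205.20 was not connected to because it violates local access rules"}
{"reqId":"a2","level":3,"url":"/apps/onlyoffice/track","message":"Track: 1 status 2 error","exception":{"Exception":"OCP\\Http\\Client\\LocalServerException","Message":"Host violates local access rules","Trace":[{"function":"ThrowIfLocalIp","args":["fd00::20"]}]}}
{"reqId":"a3","level":3,"url":"/apps/onlyoffice/downloadas?fileId=2&toExtension=pdf","message":"GetConvertedUri: 2","exception":{"Exception":"OCP\\Http\\Client\\LocalServerException","Message":"Host violates local access rules","Trace":[{"function":"ThrowIfLocalIp","args":["*** sensitive parameters replaced ***"]}]}}
{"reqId":"a4","level":1,"url":"/index.php/login","message":"Login ok"}
'''

HOST_RE = re.compile(r"Host (\S+) was not connected to")

def classify(host):
    """Name the address class that makes `host` local, or None if it is public."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "hostname"  # not an IP literal: resolve it and classify each record
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else None

def blocked_requests(log_text):
    """Return (url, host, reason) for every 'violates local access rules' entry."""
    findings = []
    for line in log_text.splitlines():
        if "violates local access rules" not in line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or wrapped entries cannot be parsed
        match = HOST_RE.search(entry.get("message", ""))
        host = match.group(1) if match else None
        for frame in (entry.get("exception") or {}).get("Trace", []):
            if host is None and frame.get("function") == "ThrowIfLocalIp":
                args = frame.get("args") or []
                if args and "***" not in str(args[0]):
                    host = str(args[0])  # the IP handed to the checker
        findings.append((entry.get("url"), host, classify(host) if host else "redacted"))
    return findings

if __name__ == "__main__":
    for finding in blocked_requests(SAMPLE_LOG):
        print(finding)
```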