bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] Nextcloud not working with Fedora's file manager #413

Open Myzel394 opened 1 year ago

Myzel394 commented 1 year ago

Description I followed the docker-compose.yml tutorial for setting up Nextcloud (https://github.com/bunkerity/bunkerweb/blob/master/examples/nextcloud/docker-compose.yml). I can access the web interface without any problems; however, connecting to it via Fedora's file manager results in a false alert from Bunkerweb.

How to reproduce

  1. Use Fedora 37
  2. Add Nextcloud via "Online Accounts" in Settings
  3. Enable Files
  4. Try to open Nextcloud

Logs

mydomain xxx.xxx.xxx.xxx - - [29/Jan/2023:15:23:39 +0000] "OPTIONS /remote.php/webdav HTTP/2.0" 200 0 "-" "gvfs/1.50.3"
2023/01/29 15:23:39 [warn] 2969#2969: *369 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])' against variable `REQUEST_BODY' (Value: `<?xml version="1.0" encoding="utf-8" ?>\x0a <D:propfind xmlns:D="DAV:">\x0a  <D:prop>\x0a<D:resource (64 characters omitted)' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "33"] [id "921110"] [rev ""] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: propfind xmlns:d="dav:">\x0a found within REQUEST_BODY: <?xml version="1.0" encoding="utf-8" ?>\x0a <d:propfind xmlns:d="dav:">\x0a  <d:prop>\x0a<d:resourcetype/>\x0a<d:getcontentlength/>\x0a  </d:prop>\x0a  (13 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/33"] [hostname "xxx.xxx.xxx.xxx"] [uri "/remote.php/webdav"] [unique_id "167500581947.814574"] [ref "o44,25v632,146t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"], client: xxx.xxx.xxx.xxx, server: mydomain, request: "PROPFIND /remote.php/webdav HTTP/2.0", host: "mydomain"
2023/01/29 15:23:39 [error] 2969#2969: *369 [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx"] [uri "/remote.php/webdav"] [unique_id "xxx.xxx"] [ref ""], client: xxx.xxx.xxx, server: mydomain, request: "PROPFIND /remote.php/webdav HTTP/2.0", host: "mydomain"
jkonecny12 commented 1 year ago

I'm also facing this + 'Ge' operator:

Mar 23 21:14:53 <snip> podman[12997]: 2023/03/23 20:14:53 [error] 18708#18708: *65965 [client 10.88.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.88.21.120"] [uri "/remote.php/dav/files/<snip>"] [unique_id "167960249353.731285"] [ref ""], client: 10.88.0.1, server: <snip>, request: "PROPFIND <snip> HTTP/2.0", host: "<snip>", referrer: "https://<snip>/index.php/apps/files/?dir=<snip>"
chrismade commented 1 year ago

I would also be interested in a working / proven setup bunkerweb + nextcloud (and using podman instead of docker like @jkonecny12 does - I had a working podman setup till V1.4.8 but was unsuccessful for V1.5.0 due to the many breaking changes)

lesensei commented 1 year ago

I guess you all have solved this by now, but I thought I'd comment on this for future users (and so this can be closed, maybe?). This is not due to Bunkerweb itself but to the OWASP Core Rule Set of ModSecurity. @Myzel394's post shows rule 921110 is triggered, which is supposed to prevent HTTP smuggling attacks (see here for details). The message with Matched "Operator `Ge' with parameter `5' is actually the consequence of the action of rule 921110, which sets an anomaly score of 5. This in turn triggers the second rule, which is the one responsible for actually blocking the request.

So, in your case, you'll need to disable the first rule, and the way to do that depends on the integration you're using. For example, with docker autoconf, you'd add something like this to the labels of your nextcloud service:

bunkerweb.CUSTOM_CONF_MODSEC_nextcloud_webdav.conf: >
        SecRule REQUEST_FILENAME "@beginsWith /remote.php/webdav" "id:1,phase:1,pass,nolog,ctl:ruleRemoveById=921110"

Hope this helps.
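
Added example, not part of the thread and not code from BunkerWeb or the CRS: a small Python emulation of the two rules visible in the logs above. It reuses the 921110 regex exactly as printed in the warning, applies the rule's transformation chain, adds the CRITICAL score of 5 that the log reports, and blocks at the threshold of 5 that rule 949110 enforces. It then runs a constructed gvfs-style PROPFIND body through the posted path-scoped exclusion, through the `/remote.php/dav/files/...` path from @jkonecny12's log (which the posted exclusion does not cover, because its pattern only matches `/remote.php/webdav`), and through a genuinely smuggling-shaped body to show the exclusion stays scoped to the DAV paths. The request bodies, paths and usernames are constructed for illustration; the scores are taken from the log lines.

```python
from __future__ import annotations

import html
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Regex of CRS 3.3.2 rule 921110, copied from the ModSecurity warning quoted in the thread.
RULE_921110_RX = re.compile(
    r"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|"
    r"propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])"
)

# Scoring visible in the log: 921110 is severity CRITICAL, worth 5 points, and
# 949110 denies the request once TX:ANOMALY_SCORE >= 5.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_SCORE_THRESHOLD = 5
RULE_ID_921110 = 921110


@dataclass
class Request:
    method: str
    uri: str   # what ModSecurity exposes as REQUEST_FILENAME
    body: str  # what ModSecurity exposes as REQUEST_BODY


def apply_transforms(value: str) -> str:
    """Approximate the rule's chain t:urlDecodeUni,t:htmlEntityDecode,t:lowercase."""
    return html.unescape(unquote(value)).lower()


def rule_921110_matches(body: str) -> bool:
    return RULE_921110_RX.search(apply_transforms(body)) is not None


# One exclusion emulates: SecRule REQUEST_FILENAME "<pattern>" "ctl:ruleRemoveById=<id>"
Exclusion = tuple[re.Pattern, int]


def evaluate(req: Request, exclusions: list[Exclusion]) -> tuple[int, bool]:
    """Return (inbound anomaly score, blocked) for one request."""
    removed = {rule_id for pattern, rule_id in exclusions if pattern.search(req.uri)}
    score = 0
    if RULE_ID_921110 not in removed and rule_921110_matches(req.body):
        score += CRITICAL_ANOMALY_SCORE
    return score, score >= INBOUND_ANOMALY_SCORE_THRESHOLD


# Constructed PROPFIND body in the shape gvfs sends (same elements as the quoted log).
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8" ?>\n'
    ' <D:propfind xmlns:D="DAV:">\n'
    '  <D:prop>\n'
    '<D:resourcetype/>\n'
    '<D:getcontentlength/>\n'
    '  </D:prop>\n'
    ' </D:propfind>\n'
)

# Constructed body that really carries an embedded request line, the thing 921110 exists for.
SMUGGLING_BODY = "x=1\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n"

GVFS_PROPFIND = Request("PROPFIND", "/remote.php/webdav", PROPFIND_BODY)
# The newer DAV endpoint seen in jkonecny12's log; path and username are made up here.
DAV_FILES_PROPFIND = Request("PROPFIND", "/remote.php/dav/files/alice/Documents", PROPFIND_BODY)
SMUGGLING_POST = Request("POST", "/index.php/login", SMUGGLING_BODY)

# The exclusion as posted: a bare string pattern is an @rx match against REQUEST_FILENAME.
POSTED_EXCLUSION: list[Exclusion] = [(re.compile(r"/remote.php/webdav"), RULE_ID_921110)]
# Broader alternative, equivalent to "@beginsWith /remote.php/", covering both DAV endpoints.
DAV_PREFIX_EXCLUSION: list[Exclusion] = [(re.compile(r"^/remote\.php/"), RULE_ID_921110)]


def walkthrough() -> dict[str, tuple[int, bool]]:
    return {
        "gvfs, no exclusion": evaluate(GVFS_PROPFIND, []),
        "gvfs, posted exclusion": evaluate(GVFS_PROPFIND, POSTED_EXCLUSION),
        "dav/files, posted exclusion": evaluate(DAV_FILES_PROPFIND, POSTED_EXCLUSION),
        "dav/files, prefix exclusion": evaluate(DAV_FILES_PROPFIND, DAV_PREFIX_EXCLUSION),
        "smuggling body, prefix exclusion": evaluate(SMUGGLING_POST, DAV_PREFIX_EXCLUSION),
    }


if __name__ == "__main__":
    for label, (score, blocked) in walkthrough().items():
        print(f"{label:34s} score={score} blocked={blocked}")
```

The PROPFIND body trips the rule because, after lowercasing, `propfind xmlns:d="dav:">` followed by a newline looks like "method, whitespace, token, line break", which is exactly the pattern of an embedded request line. The exclusion only helps for paths its REQUEST_FILENAME pattern matches, so a Nextcloud deployment whose clients use `/remote.php/dav/...` needs the broader prefix (or a second rule), and the smuggling-shaped POST to a non-DAV path is still blocked either way.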

mwester117 commented 11 months ago

> I would also be interested in a working / proven setup bunkerweb + nextcloud (and using podman instead of docker like @jkonecny12 does - I had a working podman setup till V1.4.8 but was unsuccessful for V1.5.0 due to the many breaking changes)

Hey I am having the same issue here: https://github.com/bunkerity/bunkerweb/issues/584

Did you find a solution? Please give this issue an upvote. I am still searching for a solution.

chrismade commented 11 months ago

@mwester117 sorry, no - I'm still on bunkerweb 1.4.8 as I have not yet been able to find a working setup in 1.5.x with a reasonable investment of time :-( -- and my nextcloud is not yet bunkerweb protected

jkonecny12 commented 9 months ago

I'm using CentOS 7 (hard to find time to migrate) + Nextcloud community container.

However, it seems that from podman 1.4.8 there is somehow a working solution for the official all-in-one solution: https://github.com/nextcloud/all-in-one/discussions/3487

chrismade commented 9 months ago

@jkonecny12 many thanks for this pointer!!