kesselb
commented
5 years ago Make sense somehow ;) If nginx expose HTTP_AUTHORIZATION to fastcgi nextcloud tries to use this credentials to login the user and brute force protection might be triggered.
I'm not sure if there is a way to turn this off. I assume you use the same server block for example.com and example.com/nextcloud. I would try to extend the location block for /nextcloud and add something like
fastcgi_param HTTP_AUTHORIZATION '';Here the code https://github.com/nextcloud/server/blob/0cfcccee29652c83e6c898bc487fe09bb54e0c22/lib/base.php#L1034
I think the cleanest solution would be a subdomain (nextcloud.example.com).
loratera
ghost
Steps to reproduce
Expected behaviour
Login appears and it's possible to login.
Actual behaviour
Login appears after a long time, and Brute-Force-Protection prevented further login attempts. But user haven't even seen the login page until BFP takes place. Nextcloud seems to use the login (cookie?) from the previously authenticated auth_basic module automatically.
If example,com/nextcloud is called directly, without previously verification on root domain, everything is working as expected.
Server configuration
Operating system: Raspbian GNU/Linux 9 (stretch) Web server: nginx/1.10.3 Database: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0 PHP version: PHP 7.0.33-0+deb9u1 Nextcloud version: (see Nextcloud admin page) 15.0.5 Updated from an older Nextcloud/ownCloud or fresh install: Fresh install of Nextcloud 15 Where did you install Nextcloud from: source Signing status:
Signing status
``` No errors have been found. ```List of activated apps:
App list
``` list Enabled: - accessibility: 1.1.0 - activity: 2.8.2 - calendar: 1.6.4 - cloud_federation_api: 0.1.0 - comments: 1.5.0 - contacts: 3.0.3 - dav: 1.8.1 - federatedfilesharing: 1.5.0 - federation: 1.5.0 - files: 1.10.0 - files_pdfviewer: 1.4.0 - files_sharing: 1.7.0 - files_texteditor: 2.7.0 - files_trashbin: 1.5.0 - files_versions: 1.8.0 - files_videoplayer: 1.4.0 - firstrunwizard: 2.4.0 - gallery: 18.2.0 - logreader: 2.0.0 - lookup_server_connector: 1.3.0 - nextcloud_announcements: 1.4.0 - notifications: 2.3.0 - oauth2: 1.3.0 - password_policy: 1.5.0 - provisioning_api: 1.5.0 - serverinfo: 1.5.0 - sharebymail: 1.5.0 - spreed: 5.0.2 - support: 1.0.0 - survey_client: 1.3.0 - systemtags: 1.5.0 - theming: 1.6.0 - twofactor_backupcodes: 1.4.1 - updatenotification: 1.5.0 - workflowengine: 1.5.0 Disabled: - admin_audit - encryption - files_external - user_ldap ```Nextcloud configuration:
Config report
``` ig:list system { "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "example.com" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "15.0.5.3", "overwrite.cli.url": "https:\/\/example.com\/nextcloud", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "maintenance": false, "loglevel": 2 } } ```Are you using external storage, if yes which one: local/smb/sftp/... no Are you using encryption: yes/no no Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... no
Client configuration
Browser: Mozilla Firefox Operating system: Windows
Logs
Web server error log
Web server error log
``` Insert your webserver log here ```Nextcloud log (data/nextcloud.log)
Nextcloud log
``` {"reqId":"PnzqQkuYYIElE4zjycnv","level":2,"time":"2019-03-04T18:28:00+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"POST","url":"\/nextcloud\/login","message":"Login failed: 'secretUser' (Remote IP: '192.168.0.1')","userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko\/20100101 Firefox\/60.0","version":"15.0.5.3"} ```Browser log
Browser log
``` Insert your browser log here, this could for example include: a) The javascript console log b) The network log c) ... ```