nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

htaccess file conditions not met #17476

Closed ugokanain closed 4 years ago

ugokanain commented 4 years ago

Steps to reproduce

  1. Couldn't upload a file without getting a login popup window. Seems that the conditions for the clauses weren't met, so the authorization changes weren't being executed

  2. Probably something similar, but nextcloud is mangling the headers set by the htaccess file. I have the Strict-Transport clause set, but it is gone after nextcloud serves a page

Expected behaviour

To upload a file without a login window The Strict-Transport-Security not to be deleted from the headers

Actual behaviour

Get a popup window requesting the user to log to nextcloud. When nextcloud serves a page, Strict-Transport-Security is deleted

Server configuration

See https://help.nextcloud.com/t/nextcloud-17-alters-headers/61578 for details about config and steps needed to resolve the issue with the login window. The Strict-Transport hasn't been resolved

Nextcloud version: 17.0.0.9

fresh install:

Where did you install Nextcloud from: softaculous

Signing status:

No errors have been found.

Nextcloud configuration: output of sudo -u www-data php occ config:list system (system and app settings, with sensitive values removed)

Are you using encryption: yes

Client configuration

firefox/chrome/safari

Operating system:

Logs

Web server error log

no error, nextcloud just misbehaving

kesselb commented 4 years ago

  1. How to reproduce this problem? This looks more like some configuration values inherited from your domain.com to cloud.domain.com.

  2. Are you able to reproduce it with https://try.nextcloud.com? File drop works for me.

Get a popup window requesting the user to log to nextcloud.

Can you share a screenshot?

When nextcloud serves a page, Strict-Transport-Security is deleted

https://github.com/nextcloud/server/search?p=1&q=Strict-Transport-Security&unscoped_q=Strict-Transport-Security there is no code removing Strict-Transport-Security.

ugokanain commented 4 years ago

I did try the demo, and it worked there. However, I can't get it to work on my server with the conditional clauses. With the code not commented out, it works. As the screenshot shows, if it is not included the login window pops up.

I didn't touch the original code:

  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

Other than nextcloud modifying the headers, I don't know how to explain the lack of the Strict-Transport header, which gets replaced by Pragma and Content-Security-Policy. Could it be deleting or replacing the line somehow?

Page served by nextcloud

< HTTP/1.1 302 Found
< Date: Tue, 08 Oct 2019 00:19:58 GMT
< Server: Apache
< X-Powered-By: PHP/7.1.32
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff

Page served by the server itself

< HTTP/1.1 404 Not Found
< Date: Tue, 08 Oct 2019 00:09:11 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff

The reason for the Referrer-Policy and X-Content-Type-Options is that I added them to my main htaccess file :) So they get served on all my pages

<ifModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</ifModule>

# Add security and privacy related headers
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
#SetEnv modHeadersAvailable true

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
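
The comparison above is easy to script. The following audit is an added example, not code from the issue thread or from the Nextcloud project: it takes a captured response (curl -v style "< Name: value" lines like the ones pasted above, or plain "Name: value" lines) and reports whether Strict-Transport-Security is missing or weaker than the policy set in the htaccess file. The three sample responses are constructed to mirror the captures in this thread, and the hostname in the live-use comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Nextcloud project): audit a
# captured HTTP response for the security headers the thread compares. Input is
# curl -v style "< Name: value" lines, as pasted above, or the plain
# "Name: value" lines that "curl -D -" prints.

# Headers this check insists on; extend the list as needed.
REQUIRED='Strict-Transport-Security Referrer-Policy X-Content-Type-Options'

header_value() {
    # Prints the value of header $2 in response block $1 (case-insensitive
    # name match; the "< " prefix and any trailing CR are stripped).
    printf '%s\n' "$1" | awk -v name="$2" -F': ' '
        { sub(/^< /, "") }
        tolower($1) == tolower(name) {
            sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit
        }'
}

missing_headers() {
    # Prints each REQUIRED header absent from the block, one per line.
    for h in $REQUIRED; do
        [ -n "$(header_value "$1" "$h")" ] || echo "$h"
    done
}

check_hsts() {
    # 0 when Strict-Transport-Security carries max-age of at least one year
    # and includeSubDomains; otherwise names the defect and returns 1.
    v=$(header_value "$1" Strict-Transport-Security)
    [ -n "$v" ] || { echo "HSTS: header absent"; return 1; }
    lower=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
    age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 31536000 ] ||
        { echo "HSTS: max-age too small or absent ($v)"; return 1; }
    case "$lower" in
        *includesubdomains*) return 0 ;;
        *) echo "HSTS: includeSubDomains missing ($v)"; return 1 ;;
    esac
}

audit() {
    # Runs every check on one response block; status 0 only if all pass.
    rc=0
    for h in $(missing_headers "$1"); do
        echo "missing: $h"; rc=1
    done
    check_hsts "$1" || rc=1
    return $rc
}

# Constructed sample modelled on the Nextcloud-served 302 above: HSTS absent.
NC_RESPONSE=$(cat <<'EOF'
< HTTP/1.1 302 Found
< Server: Apache
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
EOF
)

# Constructed sample modelled on the static 404 served by Apache: HSTS present.
STATIC_RESPONSE=$(cat <<'EOF'
< HTTP/1.1 404 Not Found
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
EOF
)

# Constructed sample with a weak policy, to exercise the max-age check.
WEAK_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
EOF
)

echo "== Nextcloud-served page =="; audit "$NC_RESPONSE" && echo PASS || echo FAIL
echo "== Static page =="; audit "$STATIC_RESPONSE" && echo PASS || echo FAIL
echo "== Weak HSTS =="; audit "$WEAK_RESPONSE" && echo PASS || echo FAIL
# Live use (placeholder host): audit "$(curl -sS -o /dev/null -D - https://cloud.example.com/)"
```

Running it against a Nextcloud URL and a static URL on the same vhost shows in one line which response lost the header, which is the difference the two captures above are meant to expose.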

ugokanain commented 4 years ago

Just to satisfy a doubt, I found that nextcloud adds the headers even if the htaccess file I added is missing

I removed all the code from the server, and this is what it replies if nothing is present (I left the Strict-Transport in)

< HTTP/1.1 404 Not Found
< Date: Tue, 08 Oct 2019 23:16:18 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Content-Length: 315
< Content-Type: text/html; charset=iso-8859-1

These are the headers returned by nextcloud with the same conditions as the previous one

< Server: Apache
< X-Powered-By: PHP/7.1.32
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block

The same, but without the Strict-Transport in the htaccess files

< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block

ugokanain commented 4 years ago

I just heard from the server people:

the server is configured to use CGI PHP handler. This could be the issue when you include in the code, it doesn't execute

Guess you didn't include an option if people are still running cgi handler

kesselb commented 4 years ago

Guess you didn't include an option if people are still running cgi handler

Don't think so. Not sure what is necessary for running nextcloud via php-cgi. I think your webserver configuration is invalid. Your nextcloud instance is also reachable via domain.com/cloud/. That means it's installed in a subfolder of the domain. .htaccess files are inherited. So all rules for domain.com apply for cloud.domain.com too. I would try to set up a dedicated virtualhost for cloud.domain.com.

ghost commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.