nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Can’t login without SSL (using just http) when someone already used same web browser with SSL (https) #29002

Closed nicrame closed 3 years ago

nicrame commented 3 years ago

The problem is that no Nextcloud user is able to log in using the http protocol when another user (anyone) has already logged in on the same web browser using httpS.

Removing the cookies for my Nextcloud site makes it possible to log in with the http protocol again. Everything works fine until I log in with the httpS protocol. Then it is again impossible to log in using http only.

I tried that on my NAS server and on a fresh install in a VM. The same behavior occurs in Firefox and Google Chrome.

Steps to reproduce

  1. Log in to the Nextcloud panel using the httpS:// protocol.
  2. Log out.
  3. Log in with the http:// protocol on the same web browser.

Expected behaviour

Login is accepted and the user has access to their files.

Actual behaviour

The website refreshes to the login page again and again.

Server configuration

Operating system: Linux 4.18.0-305.19.1.el8_4.x86_64 #1 SMP Tue Sep 7 07:07:31 EDT 2021 x86_64 - RHEL8

Web server: nginx/1.14.1 (fpm-fcgi)

Database: MariaDB 10.5.12

PHP version: PHP-FPM 7.4.24

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, cgi-fcgi, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, imap, intl, json, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sodium, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, mcrypt, mysqli, pdo_mysql, pdo_sqlite, recode, xmlreader, xmlrpc, zip, apcu, geos, igbinary, imagick, lzf, msgpack, phpiredis, smbclient, zstd, mysql, redis, libsmbclient, Zend OPcache

Nextcloud version: (see Nextcloud admin page) 22.1.1 - 22.1.1.2

Updated from an older Nextcloud/ownCloud or fresh install: Updated from 21.0.4, but the same thing happens on a fresh clean install of 22.1.1

Where did you install Nextcloud from: nextcloud.com tar.bz2

Signing status:

Signing status

```
Login as admin user into your Nextcloud and access http://example.com/index.php/settings/integrity/failed paste the results here.
No errors have been found.
```

List of activated apps:

App list

```
Enabled:
  - accessibility: 1.7.0
  - activity: 2.15.0
  - calendar: 2.3.4
  - circles: 22.1.1
  - cloud_federation_api: 1.4.0
  - comments: 1.11.0
  - contacts: 4.0.3
  - contactsinteraction: 1.2.0
  - dashboard: 7.1.0
  - dav: 1.18.0
  - deck: 1.5.3
  - federatedfilesharing: 1.11.0
  - federation: 1.11.0
  - files: 1.16.0
  - files_external: 1.12.1
  - files_pdfviewer: 2.3.0
  - files_rightclick: 1.1.0
  - files_sharing: 1.13.2
  - files_trashbin: 1.11.0
  - files_versions: 1.14.0
  - files_videoplayer: 1.11.0
  - firstrunwizard: 2.11.0
  - groupfolders: 10.0.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.9.0
  - mail: 1.10.5
  - nextcloud_announcements: 1.11.0
  - notes: 4.1.1
  - notifications: 2.10.1
  - oauth2: 1.9.0
  - onlyoffice: 7.1.2
  - password_policy: 1.12.0
  - photos: 1.4.0
  - privacy: 1.6.0
  - provisioning_api: 1.11.0
  - recommendations: 1.1.0
  - serverinfo: 1.12.0
  - settings: 1.3.0
  - sharebymail: 1.11.0
  - spreed: 12.1.2
  - support: 1.5.0
  - survey_client: 1.10.0
  - systemtags: 1.11.0
  - tasks: 0.14.2
  - text: 3.3.0
  - theming: 1.12.0
  - twofactor_backupcodes: 1.10.1
  - updatenotification: 1.11.0
  - user_status: 1.1.1
  - viewer: 1.6.0
  - weather_status: 1.1.0
  - workflowengine: 2.3.1
Disabled:
  - admin_audit
  - bruteforcesettings
  - camerarawpreviews
  - dicomviewer
  - documentserver_community
  - encryption
  - extract
  - files_photospheres
  - forms
  - maps
  - metadata
  - ransomware_protection
  - talk_matterbridge
  - user_ldap
```

Nextcloud configuration:

Config report

```
{
    "blacklisted_files": [],
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "127.0.0.1",
        "***REMOVED SENSITIVE VALUE***",
        "***REMOVED SENSITIVE VALUE***",
        "***REMOVED SENSITIVE VALUE***"
    ],
    "enable_previews": true,
    "enabledPreviewProviders": [
        "OC\\Preview\\TXT",
        "OC\\Preview\\MarkDown",
        "OC\\Preview\\PDF",
        "OC\\Preview\\Image",
        "OC\\Preview\\Photoshop",
        "OC\\Preview\\TIFF",
        "OC\\Preview\\SVG",
        "OC\\Preview\\Font",
        "OC\\Preview\\MP3",
        "OC\\Preview\\Movie",
        "OC\\Preview\\MKV",
        "OC\\Preview\\MP4",
        "OC\\Preview\\AVI"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "22.1.1.2",
    "overwrite.cli.url": "http:\/\/mynas.url.addrs",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "xf_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "default_language": "pl",
    "default_locale": "pl",
    "simpleSignUpLink.shown": false,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "skeletondirectory": "core\/my-default",
    "maintenance": false,
    "app_install_overwrite": [
        "bruteforcesettings",
        "dicomviewer",
        "files_photospheres"
    ],
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "tls",
    "mail_sendmailmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "default_phone_region": "PL",
    "theme": "",
    "loglevel": 0,
    "updater.release.channel": "stable"
}
```

Are you using external storage, if yes which one: smb

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 92.0.1 or Google Chrome Version 94.0.4606.61 (Official Build) (64-bit)

Operating system: Windows 10 (x64)

Logs

Web server error log

Web server error log

error.log is empty, here is access.log:

```
192.168.50.1 - - [29/Sep/2021:00:18:09 +0200] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:09 +0200] "GET /login HTTP/1.1" 200 6540 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:12 +0200] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:12 +0200] "GET /apps/dashboard/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
192.168.50.1 - - [29/Sep/2021:00:18:13 +0200] "GET /login?redirect_url=/apps/dashboard/ HTTP/1.1" 200 6563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" "-"
```

Nextcloud log (data/nextcloud.log)

Nextcloud log

```
{"reqId":"ZP7H0eHsFkD6bLogfNne","level":0,"time":"2021-09-28T22:18:09+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"7KVDqaLvBM3rKe2UjaBU","level":0,"time":"2021-09-28T22:18:09+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"fWQTDHkA940qTQRpHaRe","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"POST","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"0OwCYPqjZd8Lv9D7tO2A","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/apps/dashboard/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
{"reqId":"0OwCYPqjZd8Lv9D7tO2A","level":0,"time":"2021-09-28T22:18:12+00:00","remoteAddr":"192.168.50.1","user":"--","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Current user is not logged in","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":97,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":118,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":156,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":301,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1000,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":141,"CustomMessage":"Current user is not logged in"}}
{"reqId":"rcDcazSRWMvFUz8DwsCX","level":0,"time":"2021-09-28T22:18:13+00:00","remoteAddr":"192.168.50.1","user":"--","app":"files_sharing","method":"GET","url":"/login?redirect_url=/apps/dashboard/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.1.1.2"}
```

Browser log

Browser log

```
Have no idea about this one.
```

For more details, my nginx config files are here: https://help.nextcloud.com/t/cant-login-without-ssl-using-just-http/124469/11

szaimen commented 3 years ago

Hi there, this most likely happens because HSTS is configured for your Nextcloud and is working as expected. Please refer to the forum at https://help.nextcloud.com for how to disable HSTS. Thanks!
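As an added diagnostic (example code written for this page, not code from the Nextcloud project or from anyone in this thread): the quickest way to confirm the HSTS explanation above is to look at the response headers of the https:// site and check for two things the browser remembers afterwards. A Strict-Transport-Security header makes the browser rewrite later http:// requests to https:// for max-age seconds, and any cookie set with the Secure attribute is never sent over plain http, so a session established over https is invisible to the http site and the login page comes back. The script below parses such a header dump and lists which of the two applies. The header samples are constructed for this example and the cookie names in them are placeholders, not Nextcloud's real cookie names; a real dump can be captured with `curl -sD - -o /dev/null https://HOST/login`.

```python
"""Diagnose why a plain-http login loops after an https visit.

Added example, not Nextcloud code. Given the raw response headers of an
https:// request, report the browser behaviours that stop a later
http:// login from working:

  * Strict-Transport-Security (HSTS): the browser upgrades http:// to
    https:// for the host until max-age expires.
  * Set-Cookie ...; Secure: the cookie is never sent over plain http.

The samples below are constructed; cookie names are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample: an https://HOST/login response with HSTS on and
# Secure session cookies (the common production configuration).
SAMPLE_HTTPS_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Tue, 28 Sep 2021 22:18:09 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15552000; includeSubDomains
Set-Cookie: sessionid=abc123; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: csrf_lax=true; path=/; httponly; secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: csrf_strict=true; path=/; httponly; secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: a plain-http response, no HSTS, cookie not Secure.
SAMPLE_HTTP_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.14.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: sessionid=abc123; path=/; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header dump into (lower-cased name, value) pairs.

    Repeated headers (several Set-Cookie lines) are all kept; the
    status line and blank lines are skipped.
    """
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def hsts_max_age(headers: list[tuple[str, str]]) -> int | None:
    """HSTS max-age in seconds, 0 if the header has no usable max-age,
    None if the header is absent."""
    for name, value in headers:
        if name == "strict-transport-security":
            match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
            return int(match.group(1)) if match else 0
    return None


def cookie_attributes(headers: list[tuple[str, str]]) -> dict[str, dict]:
    """Map cookie name -> {secure, httponly, samesite} per Set-Cookie."""
    cookies = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies[cookie_name] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite", "").lower() or None,
        }
    return cookies


def http_login_blockers(raw_https_headers: str) -> list[str]:
    """Reasons an http:// login cannot work once the browser has seen
    this https:// response. An empty list means nothing here pins the
    browser to https."""
    headers = parse_headers(raw_https_headers)
    reasons = []
    max_age = hsts_max_age(headers)
    if max_age:
        reasons.append(
            f"HSTS max-age={max_age}s: browser upgrades http:// to https:// "
            "until that expires, even if the server stops sending the header"
        )
    secure = sorted(c for c, a in cookie_attributes(headers).items() if a["secure"])
    if secure:
        reasons.append("Secure cookies are never sent over plain http: " + ", ".join(secure))
    return reasons


if __name__ == "__main__":
    for label, sample in (("https", SAMPLE_HTTPS_HEADERS), ("http", SAMPLE_HTTP_HEADERS)):
        print(f"[{label} response]")
        for reason in http_login_blockers(sample) or ["no http-blocking headers found"]:
            print("  -", reason)
```

Two practical points follow from the output. The browser keeps the HSTS entry until max-age expires, so removing the header from the web server does not by itself let an already-visited browser talk http again; the browser's stored HSTS state has to be cleared as well. And the secure fix for the symptom in this issue is not to make the http login work but to serve the site over https only and redirect http to it, since a plain-http login sends the password in clear text.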