owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

400 Bad Request when using non-default port #5398

Open vitSkalicky opened 1 year ago

vitSkalicky commented 1 year ago

Describe the bug

When using a non-default port for oCIS, instead of the login page, an error page appears: "Failed to connect to server Unexpected HTTP response: 400. Please check your connection and try again.".

Steps to reproduce

Install oCIS according to the guide at https://doc.owncloud.com/ocis/next/depl-examples/small-scale.html with port set to for example 4321.

Exact steps on a fresh Debian 10 server (commands pasted one at a time into the terminal):

```bash
# install the oCIS binary and create its service user and directories
sudo wget -O /usr/local/bin/ocis https://download.owncloud.com/ocis/ocis/stable/2.0.0/ocis-2.0.0-linux-amd64
sudo chmod +x /usr/local/bin/ocis
sudo useradd --system --no-create-home --shell=/sbin/nologin ocis
sudo mkdir -p /var/lib/ocis
sudo chown ocis:ocis /var/lib/ocis
sudo mkdir -p /etc/ocis
sudo touch /etc/ocis/ocis.env
sudo chown -R ocis:ocis /etc/ocis

# environment file: public URL uses port 4321, the proxy service itself listens on 9200
sudo echo "OCIS_URL=https://ocistest.example.com:4321
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false
OCIS_LOG_LEVEL=warn
OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/var/lib/ocis
" | sudo tee /etc/ocis/ocis.env > /dev/null
yes | sudo -u ocis ocis init --config-path /etc/ocis

# systemd unit
echo '
[Unit]
Description=OCIS server

[Service]
Type=simple
User=ocis
Group=ocis
EnvironmentFile=/etc/ocis/ocis.env
ExecStart=/usr/local/bin/ocis server
Restart=always

[Install]
WantedBy=multi-user.target
' | sudo tee /etc/systemd/system/ocis.service > /dev/null
sudo systemctl daemon-reload
sudo systemctl enable --now ocis

# nginx and certbot
apt update && \
apt upgrade -y && \
apt install nginx certbot python3-certbot-nginx -y

# temporary plain-HTTP site so certbot can obtain the (staging) certificate
echo '
server {
    listen 80 ;
    listen [::]:80 ;
    server_name ocis.example.com;
}
' | sudo tee /etc/nginx/sites-available/ocis > /dev/null
sudo ln -s /etc/nginx/sites-available/ocis /etc/nginx/sites-enabled/ocis
sudo systemctl reload nginx
sudo certbot --nginx --test-cert -d ocistest.example.com --register-unsafely-without-email --agree-tos -n

# final site: redirect HTTP to HTTPS on 4321, terminate TLS on 4321, proxy to oCIS on 9200
echo '
server {
    listen 80 ;
    listen [::]:80 ;
    server_name ocistest.example.com;
    # location to redirect to https
    location / {
        # add port if deviates via OCIS_URL
        return 302 https://$server_name:4321$request_uri;
    }
}
server {
    # default 443 but can deviate if set in OCIS_URL
    listen 4321 ssl http2;
    listen [::]:4321 ssl http2;
    server_name ocistest.example.com;
    # certificates managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ocistest.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ocistest.example.com/privkey.pem;
    # options and dhparams managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://localhost:9200;
        proxy_set_header Host $host;
        client_max_body_size 0;
    }
}
' | sudo tee /etc/nginx/sites-available/ocis > /dev/null
sudo systemctl reload nginx
```

Then open https://ocistest.example.com:4321 and you get this:

[Screenshot 2023-01-12 at 20-22-53: "Sign in - ownCloud" error page]

When inspecting requests, everything is 200 OK except for https://ocistest.example.com:4321/signin/v1/identifier/_/hello which is 400 Bad Request.

oCIS service log:

skalicky@debian-2gb-nbg1-1:~$ sudo journalctl -u ocis.service
-- Logs begin at Thu 2023-01-12 18:09:21 UTC, end at Thu 2023-01-12 18:47:01 UTC. --
Jan 12 18:24:58 debian-2gb-nbg1-1 systemd[1]: Started OCIS server.
Jan 12 18:24:58 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"storage-system","pkg":"rhttp","time":"2023-01-12T18:24:58.663299128Z","message":"missing or incomplete nats configuration. Events will not be published."}
Jan 12 18:25:00 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"users","LDAP CACert":"/var/lib/ocis/idm/ldap.crt","time":"2023-01-12T18:25:00.621398815Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
Jan 12 18:25:00 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"auth-basic","LDAP CACert":"/var/lib/ocis/idm/ldap.crt","time":"2023-01-12T18:25:00.622975433Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
Jan 12 18:25:00 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"groups","LDAP CACert":"/var/lib/ocis/idm/ldap.crt","time":"2023-01-12T18:25:00.623334331Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
Jan 12 18:25:03 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"idp","kid":"private-key","path":"/var/lib/ocis/idp/private-key.pem","time":"2023-01-12T18:25:03.951175267Z","message":"skipped as signer with same kid already loaded"}
Jan 12 18:44:33 debian-2gb-nbg1-1 ocis[1070]: {"level":"warn","service":"idp","error":"origin does not match request URL","host":"ocistest.example.com","origin":"https://ocistest.example.com:4321","referer":"https://ocistest.example.com:4321/signin/v1/identifier?client_id=web&code_challenge=F_6WmN9qszyTp6g2vsYl2k-PSK9SAMAYI4XyIqgszNo&code_challenge_method=S256&flow=oidc&redirect_uri=https%3A%2F%2Focistest.example.com%3A4321%2Foidc-callback.html&response_mode=query&response_type=code&scope=openid+profile+email&state=8aba3a194bcf46279735e1e7725f33b1","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0","time":"2023-01-12T18:44:33.488806249Z","message":"rejecting identifier HTTP request"}

Note: The domain actually used obviously wasn't example.com.

kobergj commented 1 year ago

@vitSkalicky I think there is just a slight misconfiguration.

The port of OCIS_URL and PROXY_HTTP_ADDR should be the same. So changing PROXY_HTTP_ADDR=0.0.0.0:9200 to PROXY_HTTP_ADDR=0.0.0.0:4321 in your above example should make ocis accessible on port 4321.

vitSkalicky commented 1 year ago

@kobergj You might have misunderstood the configuration. If I do that, ocis tries to listen on port 4321, but there is already NGINX listening on this port proxying requests to port 9200. Also, if I set OCIS_URL=https://ocistest.example.com (and change the ports in the NGINX settings from 4321 to 443), everything does work. Unfortunately I don't have port 443 available on my machine. (testing this on a VPS)

ruifeng96150 commented 10 months ago

Can anyone fix this bug?

vitSkalicky commented 10 months ago

Almost. I managed to track down the issue to the Nginx reverse proxy configuration: some HTTP headers are missing the non-default port. The error is therefore in the docs.
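To show why the idp log line reports "origin does not match request URL", here is an added Python model of that check (not oCIS's or its IdP's own code): it rebuilds the request URL from the forwarded Host header and X-Forwarded-Proto and compares it with the browser's Origin header, which is how a login endpoint rejects cross-site POSTs. The header sets are constructed; the assumption that nginx's `proxy_set_header Host $host` forwards the Host without its port (while `$http_host` keeps the port) is standard nginx behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample headers, not captured from the issue.
# Case 1: what the nginx config in the issue forwards. "$host" strips the
# ":4321" from the browser's Host header, so the backend sees no port.
HEADERS_PORT_DROPPED = {
    "Host": "ocistest.example.com",
    "X-Forwarded-Proto": "https",
    "Origin": "https://ocistest.example.com:4321",
}

# Case 2: the same request with the original Host header preserved
# (e.g. "proxy_set_header Host $http_host" in nginx).
HEADERS_PORT_KEPT = {
    "Host": "ocistest.example.com:4321",
    "X-Forwarded-Proto": "https",
    "Origin": "https://ocistest.example.com:4321",
}


def request_url(headers: dict, default_scheme: str = "http") -> str:
    """Reconstruct the URL the backend believes it was called on.
    Behind a reverse proxy the scheme comes from X-Forwarded-Proto and the
    authority (host[:port]) from the Host header the proxy forwarded."""
    scheme = headers.get("X-Forwarded-Proto", default_scheme)
    return f"{scheme}://{headers['Host']}"


def _effective_origin(url: str) -> tuple:
    """(scheme, hostname, port) with the scheme's default port filled in,
    so https://host and https://host:443 count as the same origin."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def origin_matches_request(headers: dict) -> bool:
    """Simplified same-origin check for a login POST: the Origin header
    must name the same scheme, host and port as the request URL.
    A missing port on the Host side is normalised to 443, so the 4321
    origin from the browser does not match and the request is rejected."""
    return _effective_origin(headers["Origin"]) == _effective_origin(request_url(headers))
```

With the default port 443 both sides normalise to the same origin, which is why the reporter's setup works once OCIS_URL and nginx use 443.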