Server-Side deny (403) not working if htaccess.RewriteBase is enabled #5856

Closed
michag86 opened this issue Jul 24, 2017 · 1 comment

Comments

@michag86
Contributor

Steps to reproduce

  1. Configure LocationMatch for one site to protect it from external access and reload the webserver

     ```apache
     <LocationMatch (/nextcloudroot/settings/admin)|(/nextcloudroot/index.php/settings/admin)>
         Order Deny,Allow
         Deny from all
         Allow from 192.168.0.0/24
     </LocationMatch>
     ```

  2. Check that /index.php/settings/admin is only available from 192.168.0.0/24; external sources get 403
  3. Configure htaccess.RewriteBase and run occ maintenance:update:htaccess
  4. Check /index.php/settings/admin or /settings/admin again

Expected behaviour

from external (not 192.168.0.0/24) you get 403

Actual behaviour

/settings/admin is available from external

Rewrite Log (trace 3)

```
[Mon Jul 24 10:37:24.284856 2017] [access_compat:error] [pid 17071] [client 195.191.14.88:59543] AH01797: client denied by server configuration: /var/www/html/nextcloud/settings/admin
[Mon Jul 24 10:37:24.284913 2017] [rewrite:trace2] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] init rewrite engine with requested uri /core/templates/403.php
[Mon Jul 24 10:37:24.284924 2017] [rewrite:trace1] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] pass through /core/templates/403.php
[Mon Jul 24 10:37:24.285019 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285032 2017]  [perdir /var/www/html/nextcloud/] applying pattern '.*' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285049 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285058 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^\\.well-known/host-meta' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285067 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285074 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^\\.well-known/host-meta\\.json' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285083 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285092 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^\\.well-known/carddav' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285100 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285126 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^\\.well-known/caldav' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285136 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285143 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^remote/(.*)' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285152 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285160 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^(?:build|tests|config|lib|3rdparty|templates)/.*' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285169 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285176 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^(?:\\.|autotest|occ|issue|indie|db_|console).*' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285185 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285192 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^core/js/oc.js$' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285200 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285207 2017]  [perdir /var/www/html/nextcloud/] applying pattern '^core/preview.png$' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285215 2017]  [perdir /var/www/html/nextcloud/] strip per-dir prefix: /var/www/html/nextcloud/core/templates/403.php -> core/templates/403.php
[Mon Jul 24 10:37:24.285222 2017]  [perdir /var/www/html/nextcloud/] applying pattern '.' to uri 'core/templates/403.php'
[Mon Jul 24 10:37:24.285259 2017] [rewrite:trace2] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] [perdir /var/www/html/nextcloud/] rewrite 'core/templates/403.php' -> 'index.php'
```

Possible solution

Adding core/templates/403.php (and 404.php?) to the exclusions from rewrite in .htaccess:

```apache
[...]
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !core/templates/403.php
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
[...]
```

Server configuration

Operating system: Linux darkvoice 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64

Web server: Apache (apache2handler)

Database: sqlite3 3.11.0

PHP version: 7.0.18-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, apcu, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imap, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, pdo_sqlite, Phar, posix, pspell, readline, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 12.0.0 - 12.0.0.29

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

Signing status
[]

List of activated apps:

<details>
<summary>App list</summary>

Enabled:

  • activity: 2.5.2
  • bruteforcesettings: 1.0.2
  • calendar: 1.5.3
  • circles: 0.10.0
  • comments: 1.2.0
  • contacts: 1.5.3
  • dav: 1.3.0
  • external: 2.0.3
  • federatedfilesharing: 1.2.0
  • federation: 1.2.0
  • files: 1.7.2
  • files_pdfviewer: 1.1.1
  • files_sharing: 1.4.0
  • files_texteditor: 2.4.1
  • files_trashbin: 1.2.0
  • files_versions: 1.5.0
  • files_videoplayer: 1.1.0
  • firstrunwizard: 2.1
  • gallery: 17.0.0
  • groupfolders: 1.0.2
  • impersonate: 1.0.1
  • issuetemplate: 0.2.1
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.1
  • notes: 2.2.0
  • notifications: 2.0.0
  • oauth2: 1.0.5
  • password_policy: 1.2.2
  • provisioning_api: 1.2.0
  • richdocuments: 1.12.33
  • serverinfo: 1.2.0
  • sharebymail: 1.2.0
  • socialsharing_email: 1.0.1
  • spreed: 2.0.1
  • survey_client: 1.0.0
  • systemtags: 1.2.0
  • theming: 1.3.0
  • twofactor_backupcodes: 1.1.1
  • updatenotification: 1.2.0
  • workflowengine: 1.2.0

Disabled:

  • admin_audit
  • encryption
  • files_external
  • user_external
  • user_ldap
</details>

**The content of config/config.php:**
<details>
	<summary>Config report</summary>

```json
{
    "instanceid": "ocx4xxpub6of",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
        "ms07.de"
    ],
    "datadirectory": "/var/www/htdocs/testnc/data",
    "overwrite.cli.url": "https://ms07.de/testnc",
    "dbtype": "sqlite3",
    "version": "12.0.0.29",
    "installed": true,
    "updater.release.channel": "beta",
    "maintenance": false,
    "loglevel": 2,
    "mail_smtpmode": "sendmail",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "testnc",
    "mail_domain": "ms07.de",
    "theme": "",
    "htaccess.RewriteBase": "/testnc/"
}
```

</details>

**Are you using external storage, if yes which one:** files_external is disabled

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...

### Client configuration
**Browser:** Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0

**Operating system:**

### Logs
#### Web server error log
<details>
	<summary>Web server error log</summary>
	```
	Insert your webserver log here
	```
</details>

#### Nextcloud log (data/nextcloud.log)
<details>
	<summary>Nextcloud log</summary>
	```
	Insert your Nextcloud log here
	```
</details>

#### Browser log
<details>
	<summary>Browser log</summary>
	```
	Insert your browser log here, this could for example include:

	a) The javascript console log
	b) The network log
	c) ...
	```
</details>
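The trace above shows the pattern a defender wants to catch in the web server log: an `access_compat` denial (AH01797) for a protected path, followed in the same process and client connection by the error document `core/templates/403.php` being rewritten to `index.php`, so the application front controller rather than a static error page ends up producing the response. The script below is an added example, not code from this issue or from Nextcloud; it correlates those two events over log lines. The sample log is a trimmed copy of the lines quoted in this issue plus a constructed benign request from the allowed network, and the `ERROR_DOCS` / `FRONT_CONTROLLERS` tuples are assumptions about which rewrites matter.

```python
import re

# Constructed sample: the first four lines are trimmed from the trace quoted in this
# issue; the last two are a made-up, allowed request from 192.168.0.0/24 that must
# not be flagged (no preceding denial, and it is not the error document).
SAMPLE_LOG = """\
[Mon Jul 24 10:37:24.284856 2017] [access_compat:error] [pid 17071] [client 195.191.14.88:59543] AH01797: client denied by server configuration: /var/www/html/nextcloud/settings/admin
[Mon Jul 24 10:37:24.284913 2017] [rewrite:trace2] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] init rewrite engine with requested uri /core/templates/403.php
[Mon Jul 24 10:37:24.284924 2017] [rewrite:trace1] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] pass through /core/templates/403.php
[Mon Jul 24 10:37:24.285259 2017] [rewrite:trace2] [pid 17071] mod_rewrite.c(470): [client 195.191.14.88:59543] [perdir /var/www/html/nextcloud/] rewrite 'core/templates/403.php' -> 'index.php'
[Mon Jul 24 10:40:01.000000 2017] [rewrite:trace2] [pid 17072] mod_rewrite.c(470): [client 192.168.0.10:50001] init rewrite engine with requested uri /settings/admin
[Mon Jul 24 10:40:01.000100 2017] [rewrite:trace2] [pid 17072] mod_rewrite.c(470): [client 192.168.0.10:50001] [perdir /var/www/html/nextcloud/] rewrite 'settings/admin' -> 'index.php'
"""

# AH01797 is the access_compat "client denied by server configuration" message.
DENY_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"AH01797: client denied by server configuration: (?P<path>\S+)"
)
# Final per-directory rewrite decision: rewrite 'src' -> 'dst'.
REWRITE_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] .*\[client (?P<client>[^\]]+)\] "
    r".*rewrite '(?P<src>[^']+)' -> '(?P<dst>[^']+)'"
)

# Assumed: the error documents the .htaccess points at, and the front controller
# that the catch-all RewriteRule sends everything to.
ERROR_DOCS = ("core/templates/403.php", "core/templates/404.php")
FRONT_CONTROLLERS = ("index.php",)


def find_error_doc_rewrites(log_text):
    """Return one finding per denial whose error document was then rewritten to
    the front controller for the same (pid, client) pair.

    Correlation key is (pid, client host:port): in the trace above both the
    denial and the error-document subrequest carry the same pair.
    """
    pending = {}   # (pid, client) -> path that was denied
    findings = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            pending[(m["pid"], m["client"])] = m["path"]
            continue
        m = REWRITE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["client"])
        if key in pending and m["src"] in ERROR_DOCS and m["dst"] in FRONT_CONTROLLERS:
            findings.append({
                "client": m["client"],
                "denied_path": pending.pop(key),
                "error_document": m["src"],
                "rewritten_to": m["dst"],
            })
    return findings


def format_finding(f):
    """One-line summary suitable for an alert or a ticket."""
    return (f"client {f['client']} was denied {f['denied_path']} but the error "
            f"document {f['error_document']} was rewritten to {f['rewritten_to']}; "
            f"the application, not a static page, answered the denied request")


if __name__ == "__main__":
    for finding in find_error_doc_rewrites(SAMPLE_LOG):
        print(format_finding(finding))
```

Run it against the real `error.log` with `LogLevel rewrite:trace2` (or higher) enabled; a hit means a `Deny`/`Require` rule is being answered by the front controller, which is exactly the symptom this issue reports. Once `core/templates/403.php` is excluded from the catch-all rewrite, or a static `ErrorDocument` is used, the script returns nothing for the same traffic.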
@MorrisJobke
Member

The 403 and 404 files are not used anymore. As a side note: if you update the htaccess.RewriteBase you also need to run the htaccess update command in occ to properly write the updated .htaccess file.
