#StackBounty: #nginx #iis #freenas #nextcloud Nextcloud in a FreeNAS jail served by NGINX behind a reverse proxy by IIS

Bounty: 50

My environment

  • Windows 10 pro host pc at IP 192.168.2.11
  • FreeNAS running in VMWare Workstation on host pc at IP 192.168.2.13
  • Nextcloud instance in a FreeNAS jail at IP 192.168.2.37 (installed by following these instructions and removing the settings related to SSL). The back-end for Nextcloud uses NGINX and PGSQL.

What am I trying to achieve?

I created a Nextcloud instance within a FreeNAS jail, this Nextcloud instance works fine when approached via LAN over HTTP. I want to put it on WAN over HTTPS using IIS with a reverse proxy. The SSL certificate is controlled by IIS. The domain I’m trying to use to redirect to the Nextcloud server is nextcloud.MyRedactedDomain.com.

The result

Note 1: I used an incognito window to rule out bad caching of a previous redirect status result or anything of the like.

Note 2: I entered the url nextcloud.MyRedactedDomain.com and it redirected me to nextcloud.MyRedactedDomain.com/login so it seems that Nextcloud is doing something…

Note 3: There is no index.php present in the URL, this was present when I used the FreeNAS plugin. I only followed the instructions and it was not there from the beginning. It’s also not there when I approach it on LAN (which works fine). Manually inserting it in the URL yields the same error.

500 - Internal server error

What have I done so far?

  • All this worked before when I used the provided Nextcloud plugin for FreeNAS. However it stopped working when I tried to update the plugin. I’ve read that using the plugin is terrible for when you try to update Nextcloud, so now I’m trying to manually create a jail and install it (see the link at ‘My environment’).
  • I’ve tried messing about in NGINX’s nginx.conf file: removing headers, adding headers, removing deny rules altogether, copying config from the old instance, adding some proxy headers that were present in the old config. All to no avail.
  • I’ve tried several reverse proxy settings in Nextcloud’s config.php by following these instructions. I even tried using some settings that weren’t needed in the working plugin instance: overwritewebroot, overwritecondaddr and trusted_proxies. I also switched around IP’s in the proxy settings.

Settings

IIS’ web.config rules that affect the Nextcloud server:

<rule name="HTTPS redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<rule name="NextCloud reverse proxy" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern=nextcloud.MyRedactedDomain.com" />
    </conditions>
    <action type="Rewrite" url="http://192.168.2.37/{REQUEST_URI}" />
</rule> 

Nextcloud’s config.php as it is now:

<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\OC\Memcache\APCu',
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_domains' => 
  array (
    0 => '192.168.2.37',
  ),
  'trusted_proxies' = ['192.168.2.11'],
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'pgsql',
  'version' => '19.0.1.1',
  'dbname' => 'REDACTED',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'REDACTED',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'overwrite.cli.url' => 'https://nextcloud.MyRedactedDomain.com',
  'overwritehost'     => 'nextcloud.MyRedactedDomain.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^192.168.2.37$',
);

NGINX’s nginx.conf as it is now:

user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;

  upstream php-handler {
    server 127.0.0.1:9000;
  }

  server {
    listen 80;

    # HEADERS SECURITY RELATED
    add_header Referrer-Policy "no-referrer";

    # HEADERS
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

    # PATH TO THE ROOT OF YOUR INSTALLATION
    root /usr/local/www/nextcloud/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # BUFFERS TIMEOUTS UPLOAD SIZES
    client_max_body_size 16400M;
    client_body_buffer_size 1048576k;
    send_timeout 3000;

    # ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
      rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+).php(?:$|/) {
      fastcgi_split_path_info ^(.+.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
      fastcgi_keep_conn off;
      fastcgi_buffers 16 256K;
      fastcgi_buffer_size 256k;
      fastcgi_busy_buffers_size 256k;
      fastcgi_temp_file_write_size 256k;
      fastcgi_send_timeout 3000s;
      fastcgi_read_timeout 3000s;
      fastcgi_connect_timeout 3000s;
    }

    location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
      try_files $uri/ =404;
      index index.php;
    }

    # ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
    # MAKE SURE IT IS BELOW PHP BLOCK
    location ~ .(?:css|js|woff2?|svg|gif)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=15778463";
      # HEADERS
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header X-Frame-Options "SAMEORIGIN";
      # OPTIONAL: DONT LOG ACCESS TO ASSETS
      access_log off;
    }

    location ~ .(?:png|html|ttf|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
      access_log off;
    }
  }
}

NGINX’s error log (this is an accumilation of several attempts and adjustments to the config files):

2020/08/12 02:35:30 [error] 63641#101838: *50 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597224931108 HTTP/1.1", host: "192.168.2.37"
2020/08/12 02:41:12 [error] 64301#102558: *126 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597225273075 HTTP/1.1", host: "192.168.2.37"
2020/08/12 03:02:22 [error] 64302#101573: *542 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597226542349 HTTP/1.1", host: "192.168.2.37"
2020/08/12 05:46:30 [emerg] 7894#100667: unknown directive "includeSubDomains" in /usr/local/etc/nginx/nginx.conf:54
2020/08/12 05:54:49 [emerg] 8245#102122: unknown directive "proxy_cach_valid" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 05:55:16 [emerg] 8274#102086: invalid time value "lm" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 06:15:00 [error] 8986#102424: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:15:05 [error] 8987#101058: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:17:06 [error] 9060#101663: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:17:11 [error] 9060#101663: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:18:42 [error] 9113#102196: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:18:46 [error] 9112#101641: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:19:13 [error] 9112#101641: *3 rewrite or internal redirection cycle while processing "/index.php//index.php/204", client: 192.168.2.11, server: , request: "GET //index.php/204 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:22:20 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET // HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37"
2020/08/12 06:22:25 [error] 9260#100919: *1 open() "/usr/local/www/nextcloud/favicon.ico" failed (2: No such file or directory), client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:22:25 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:28:45 [error] 9489#100770: *7 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597238925594 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:31:00 [error] 9489#100770: *78 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239060928 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:34:38 [error] 9489#100770: *109 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239279292 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:36:20 [error] 9862#102189: *6 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239381044 HTTP/1.1", host: "192.168.2.37"

IIS’ log snippet (errors only from the same settings as posted above):

2020-08-14 07:35:50 192.168.2.11 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=3f4ff15f-436f-4004-bb55-360f94826d4e&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b0b256ce-9bb6-42b7-b098-c3ab117246f7&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 135
2020-08-14 07:35:50 192.168.2.11 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=1a8b782f-0381-4118-912e-5503406c0d84&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 https://nextcloud.MyRedactedDomain.com/login 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=a70275c4-a20e-4c50-b994-933afecb9f2f&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 130


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.