
Issues with Nextcloud on Apache/Debian/PHP-FPM

I currently have two issues with a fresh Debian setup in the context of Nextcloud on Apache.

Nextcloud version: 12.0.4
Operating system: Debian 9.3.0
Apache version: 2.4.25
PHP version: PHP-FPM 7.0.27

On my Apache I generally use Basic Auth. So if you browse to h****://my.server.com you will be challenged by a Basic Auth request. I run Nextcloud on h****://myserver/cloud. There I disabled Basic Auth. In detail:

h****://my.server.com (serves a basic index.html with some info. Auth by Basic Auth)
h****://my.server.com/cloud (nextcloud. No Basic Auth)
h****://my.server.com/otherservice (other services. Auth by Basic Auth - not yet implemented for reduced complexity at this moment)

I use PHP-FPM and therefore mod_proxy_fcgi, not mod_php. Also I use fail2ban for security for apache-auth and nextcloud.

You'll find my Config-Files at the bottom.

Issue 1

For the cloud directory I disabled Basic Auth by using “Satisfy any” + “Allow from all” as recommended. Generally this is working. If I browse (in a fresh browser) to h****://my.server.com/cloud I get no Basic Auth request and can log in normally to Nextcloud. The login is fast and nice. BUT if I first browse to h****://my.server.com and type in my Basic Auth login and after THAT navigate to h****://my.server.com/cloud, the login is very slow. This is because Nextcloud is trying to use the Basic Auth data I typed in before on the website root. I also enabled logging for Nextcloud to a file (log level 2). There I can see that on refresh of the login page it tries to log in with my Basic Auth user.

This is problematic in many ways. First, it makes the login very slow and uncomfortable. But I also want to use fail2ban to secure Nextcloud, and if the log is being spammed by these failed login attempts from the Basic Auth info, this doesn't really work.

Also, this means that if I create the same user as used for Basic Auth with the same password in Nextcloud as a workaround, I can't log out and log in as another user if I authenticated before with Basic Auth on the root page. As soon as I do, I'm logged in again because of the Basic Auth data.

My question is: How can I tell Nextcloud to stop trying to use my Basic Auth data from other directories on my Apache?

Issue 2

If I use the Nextcloud app or e.g. Davdroid for Android, some PHP URLs are not translated correctly. See this example:

access.log of Apache

80.187.97.128 - - [21/Jan/2018:16:01:10 +0100] "GET /cloud/index.php/avatar/daily/512 HTTP/1.1" 200 1380

error.log of Apache

[Sun Jan 21 16:01:12.727830 2018] [auth_basic:error] [pid 19050] [client 80.187.97.128:30481] AH01617: user daily: authentication failure for "/avatar/daily/512": Password Mismatch

As you can see, /cloud/index.php/avatar/daily/512 is being accessed but somehow translated into /avatar/daily/512. It should be translated to /cloud/avatar/daily/512. Even though everything seems to work in the web client, I don't think it's Android or app related. I think it is just pointing out a general configuration problem. This behaviour also triggers fail2ban because it affects Basic Auth, as I only excluded /cloud from Basic Auth. And this leads to bans, which is kind of annoying.

Any help would be much appreciated!!

Here are my config files

01_redirect_https.conf (in apache2\sites-enabled)

<IfModule mod_proxy.c>
        ProxyRequests Off
        ProxyVia On

        <Proxy *>
                AddDefaultCharset off
                Allow from all
        </Proxy>
</IfModule>

ServerAdmin myserver@mydomain.de
Listen 80

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} !on
        RewriteCond %{REQUEST_URI} !^/server-status
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        <Location /server-status/>
                 SetHandler server-status
                 Order Deny,Allow
                 Deny from all
                 Satisfy Any
                 Allow from 127.0.0.1
        </Location>

</VirtualHost>

02_https.conf (in apache2\sites-enabled)

<IfModule ssl_module>

Alias "/cloud" "/var/www/html/cloud/"
Alias "/" "/var/www/html/"

<VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName my.server.com
        ServerAlias myserver

        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/apache2/my.server.com.crt
        SSLCertificateKeyFile /etc/ssl/apache2/my.server.com.key
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        FilterProvider gzdeflate DEFLATE "%{Content_Type} = 'text'"

        <IfModule mod_proxy_fcgi.c>
                <Proxy "unix:/var/run/php/php7.0-fpm.sock|fcgi://php7.0-fpm">
                        # we must declare a (any) parameter in here
                        # or it won't register the proxy ahead of time
                        ProxySet disablereuse=off
                </Proxy>

                <FilesMatch "^/(.*\.php(/.*)?)$">
                        SetHandler proxy:fcgi://php7.0-fpm
                </FilesMatch>
        </IfModule>

        <IfModule mod_authnz_external.c>
                AddExternalAuth pwauth /usr/sbin/pwauth
                SetExternalAuthMethod pwauth pipe
                AddExternalGroup unixgroup /usr/sbin/unixgroup
                SetExternalGroupMethod unixgroup environment
        </IfModule>

        <Directory /var/www/html>
                SSLRequireSSL
                Options Indexes FollowSymLinks
                Order deny,allow
                Allow from all
                AuthType Basic
                AuthName "This is private"
                AuthBasicProvider external
                AuthExternal pwauth
                GroupExternal unixgroup
                Require user daily
        </Directory>

        Include sites-available/05_cloud.include

</VirtualHost>

</IfModule>

05_cloud.include (in apache2/includes)

<Location /cloud>
        SSLRequireSSL
        SetEnvIf REQUEST_URI ^/cloud/* noauth =1
        Satisfy any
</Location>

<Directory /var/www/html/cloud/>

        # according to Nextcloud Manual FPM can't read .htaccess php settins so including it here
        include /var/www/html/cloud/.htaccess

        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
                Dav off
        </IfModule>

        SetEnv HOME /var/www/html/cloud
        SetEnv HTTP_HOME /var/www/html/cloud

        Satisfy Any

</Directory>

And here is my config.php (in /var/www/html/cloud/config/)

<?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' =>
  array (
    0 => 'myserver',
    1 => 'my.server.com',
  ),
  'datadirectory' => '/mnt/raid1/cloud/data',
  'overwrite.cli.url' => 'https://my.server.com/cloud/',
  'overwritehost' => 'my.server.com',
  'overwritewebroot' => '/cloud',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'cloud',
  'dbpassword' => 'xxx',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'log_type' => 'file',
  'logtimezone' => 'Europe/Berlin',
  'logfile' => '/var/log/nextcloud/cloud.log',
  'loglevel' => 2,
  'mail_from_address' => 'test',
  'mail_smtpmode' => 'php',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'mydomain.de',
  'auth.bruteforce.protection.enabled' => true,
);

You need to set the PHP settings in the PHP-FPM config files, not inside apache config. PHP-FPM cannot access anything from apache.
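
As an added example (not part of the original question or answer), the shell function below turns the `php_value` / `php_flag` lines of a `.htaccess` into the `php_value[...]` / `php_flag[...]` form that a PHP-FPM pool file accepts. The function names are hypothetical and the sample `.htaccess` content is constructed for illustration, not copied from the poster's installation.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of the mod_php block found in an application's .htaccess.
sample_htaccess() {
    cat <<'EOF'
<IfModule mod_php7.c>
  php_value upload_max_filesize 511M
  php_value post_max_size 511M
  php_value memory_limit 512M
  php_value default_charset 'UTF-8'
  php_flag output_buffering off
  # php_value commented_out 1
  SetEnv htaccessWorking true
</IfModule>
EOF
}

# Read Apache config text (file arguments or stdin) and print the equivalent
# PHP-FPM pool directives: "php_value name v" becomes "php_value[name] = v".
htaccess_to_fpm() {
    awk -v q="'" '
        $1 ~ /^#/ { next }                      # skip commented-out lines
        $1 ~ /^php_(admin_)?(value|flag)$/ && NF >= 3 {
            value = $3                          # value may contain spaces
            for (i = 4; i <= NF; i++) value = value " " $i
            first = substr(value, 1, 1)
            last = substr(value, length(value), 1)
            # Apache strips one pair of surrounding quotes; do the same.
            if (length(value) >= 2 && first == last && (first == q || first == "\""))
                value = substr(value, 2, length(value) - 2)
            printf "%s[%s] = %s\n", $1, $2, value
        }
    ' "$@"
}

# Print the pool lines for the constructed sample.
sample_htaccess | htaccess_to_fpm
```

The printed lines go into the pool section of the PHP-FPM pool file, followed by a reload of the PHP-FPM service. Settings that the application must not be able to change at runtime can be written as `php_admin_value[...]` / `php_admin_flag[...]` instead, which `ini_set()` cannot override.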
