AH01630: client denied by server configuration: /var/www/nextcloud/config

[lazyteddy]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Report

This is the first time I'm doing this, please be gentle ;-)

The client is trying to access /var/www/nextcloud/config, which is explicitly denied all access via the .htaccess file in that particular directory.
I noticed this because I also have fail2ban running on the server, and my own IP address kept getting locked out of apache. I noticed the following line in my error.log:

AH01630: client denied by server configuration: /var/www/nextcloud/config

Client configuration

Client version: 2.5.0git

Operating system: Ubuntu 18.04 with GNOME

OS language: English

Qt version used by client package (Linux only, see also Settings dialog):

Client package (From Nextcloud or distro) (Linux only): Launchpad PPA

Installation path of client: /usr/bin/nextcloud

Server configuration

Operating system:

Web server: Apache

Database: MySQL 5.7.24

PHP version: 7.0.32

Nextcloud version: 14.03

Storage backend (external storage):

Logs

Please use Gist (https://gist.github.com/) or a similar code paster for longer
logs.

Template for output < 10 lines

1. Client logfile: Output of nextcloud --logwindow or nextcloud --logfile log.txt
   (On Windows using cmd.exe, you might need to first cd into the Nextcloud directory)
   (See also https://docs.nextcloud.com/desktop/2.3/troubleshooting.html#log-files)

2. Web server error log:

3. Server logfile: nextcloud log (data/nextcloud.log):

[rullzer]

The only acess I see is to

<server>/ocs/v1.php/config

[Skomli]

I see this also every 15 Minutes with this client, V2.5 on Ubuntu 18.04.

[rullzer]

Could you post your log output of the client. And your webserver config?

[lazyteddy]

As for the log, I can't do that right away, since I downgraded to 2.3.3, but the server config file in question is probably the one in the config directory itself:

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

Somebody on diaspora* found this one after I posted something there:
https://pod.lazyteddy.eu/posts/48948

I'll try to get a logfile later today.

[Skomli]

If you mean the file .owncloudsync.log on the client machine I noticed something weird. The last entries are this:

#=#=#=# Syncrun started 2018-11-14T18:00:58
#=#=#=#=# Propagation starts 2018-11-14T18:00:58 (last step: 889 msec, total: 889 msec)
#=#=#=# Syncrun finished 2018-11-14T18:00:59 (last step: 29 msec, total: 919 msec)

I've confirmed in /var/log/apt/history.log that a few minutes later I upgraded the client to 2.5.0git on this machine. Since then no log entries any more. But syncing seems fine.

On the server side, this is my config:

<?php
$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => 'XXX',
  ),
  'datadirectory' => 'XXX',
  'overwrite.cli.url' => 'XXX',
  'version' => '14.0.4.2',
  'dbtype' => 'mysql',
  'dbname' => 'XXX',
  'dbhost' => 'XXX',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'logtimezone' => 'Europe/Berlin',
  'default_language' => 'de',
  'htaccess.RewriteBase' => '/',
  'share_folder' => '/XXX',
  'cron.lockfile.location' => 'XXX',
  'tempdirectory' => 'XXX',
  'installed' => true,
  'mail_domain' => 'XXX',
  'trashbin_retention_obligation' => '30,60',
  'versions_retention_obligation' => '15,30',
  'log_rotate_size' => 104857600,
  'activity_expire_days' => 90,
  'mail_from_address' => 'XXX',
  'mail_smtpmode' => 'smtp',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\TXT',
    6 => 'OC\\Preview\\MarkDown',
  ),
  'loglevel' => 2,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'token_auth_enforced' => true,
  'auth.bruteforce.protection.enabled' => true,
  'updater.release.channel' => 'stable',
  'theme' => '',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'XXX',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'XXX',
  'mail_smtppassword' => 'XXX',
  'sentry.dsn' => 'XXX',
  'sentry.public-dsn' => 'XXX',
);

No errors there and nothing special in the logs either, but this from Apache:

[Sat Nov 24 07:08:38.511169 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:16:38.526937 2018] [authz_core:error] [pid 17589:tid 140163210172160] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:24:38.545834 2018] [authz_core:error] [pid 17589:tid 140163193386752] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:32:38.539323 2018] [authz_core:error] [pid 17590:tid 140163184994048] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:48:38.519454 2018] [authz_core:error] [pid 17590:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config
[Sat Nov 24 07:56:38.515436 2018] [authz_core:error] [pid 17589:tid 140163201779456] [client 2a02:810d:abbf:XXX] AH01630: client denied by server configuration: XXX/config

(So it's every 8 Minutes and not 15.)

Since this is over IPv6 the client ip in question is exactly the ip of this ubuntu machine with the 2.5-client.

[Skomli]

Should have started the client with the debug parameters, but I finally figured it out. :)

I noticed a TIMEOUT in the client logs every 8 Minutes and on reconnect I saw the denied-line in the Apache Logs. I had this vhost running with HTTP/2, so I downgraded to HTTP/1.1 to test this out. And the TIMEOUTs are gone in the client. So far so good.

But every time I start the client there is one new entry in the Apache logs. This does not happen, when I pause the sync and let it continue later.

I attach the client debug log from startup here:
debug.log

Server is running Ubuntu 18.04.1 with Apache 2.4.29-1ubuntu4.4.

[jasonhansel]

I see this also; I'm just using the nextcloud:apache docker image, so I don't think this is a configuration issue.

[TwistedLucidity]

I have just upgraded from NC13 -> 14 -> 15. As soon as I went to 14 I started to see the error and my fail2ban kicked in.
At first I thought it was the admin checks but after seeing this, I think not.
Edit: a bit of playing around (and upgrading the client to 2.5.1git) and it seems like the access attempt happens on client start; as mentioned earlier. I've not noticed during actual syncs (which I had to force).

[Alphakilo]

I'm getting the same here.
Can reproduce all the time on my Fedora desktop on one folder, happened once on my iOS App (v. 2.22.7.4). So maybe the issue is with nextcloud/server?

@Skomli Disabling HTTP/2 worked for you?

Server version: 15.0.2

Client version:

$ sudo dnf info nextcloud-client
Last metadata expiration check: 3:20:52 ago on Tue Jan 15 16:18:07 2019.
Installed Packages
Name         : nextcloud-client
Version      : 2.5.1
Release      : 1.fc29
Arch         : x86_64
Size         : 7.5 M
Source       : nextcloud-client-2.5.1-1.fc29.src.rpm
Repo         : @System
From repo    : updates-testing

Client log:

Nextcloud client logoutput

Please be aware that the follow log snippet is redacted. The actual usernames, filenames and paths have been replaced by `[*PLACEHOLDERS*]`

[OCC::WebFlowCredentials::stillValid 	"Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::SyncJournalDb::setErrorBlacklistEntry 	Setting blacklist entry for  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" 1 "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: " 1547581567 0 1526897146 "fd2c68402c70140160404c8560187d09" "" 0
[OCC::PropagateItemJob::done 	Could not complete propagation of "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf" by OCC::PropagateDownloadFile(0x613330a540f0) with status 3 and error: "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted 	Item  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf"  retrieved resulted in  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityWidget::slotItemCompleted 	Item  "[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf"  retrieved resulted in error  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::ActivityListModel::addErrorToActivityList 	Error successfully added to the notification list:  "Error transferring https://sub.mydomain.tld/remote.php/dav/files/[*USER*]/[*ENCRYPTEDFOLDER*]/[*SUBFOLDER*]/20.09 (27.09).pdf - server replied: "
[OCC::WebFlowCredentials::slotFinished 	request finished

Webserver cfg:

Apache2 Config

# Settings for mod_md
# https://github.com/icing/mod_md 

MDomain sub.mydomain.tld
MDMustStaple on
MDPrivateKeys RSA 4096
MDRequireHttps permanent
MDCAChallenges http-01

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

ServerName sub.mydomain.tld
ExtendedStatus on

<VirtualHost *:80>
    ServerName sub.mydomain.tld
    Redirect permanent / https://sub.mydomain.tld/
</VirtualHost>

<VirtualHost _default_:443>
    Protocols h2 http/1.1
    ServerName sub.mydomain.tld
    ServerAdmin admin@mydomain.tld

    SSLEngine On

    Header setifempty feature-policy: "geolocation 'self'; midi 'none'; sync-xhr 'none'; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; fullscreen 'self'; payment 'none'"
    Header set Referrer-Policy: "strict-origin-when-cross-origin"
    Header set Expect-CT "max-age=0, enforce, report-uri=https://[*REDACTED*].report-uri.com/r/d/ct/enforce"

    Alias / "/var/www/nextcloud/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
        Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud

    </Directory>

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost
    </Location>
</VirtualHost>

# Recommendations by Mozilla, via https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.34&openssl=1.1.1a&hsts=yes&profile=modern
# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Webserver Log:

[Tue Jan 15 19:17:55.077441 2019] [authz_core:error] [pid 4040:tid 140370015000320] [client *.*.*.50:39056] AH01630: client denied by server configuration: /var/www/nextcloud/config

[Alphakilo]

Forgot to ping @rullzer for additional logs.
Let me know if you need more.

[thbergler]

Any news on that?
Or workarounds to solve that problem?

[usrjense]

To avoid locking from fail2ban you may add

ignoreregex = var/www/nextcloud/config

into /etc/fail2ban/filter.d/apache-auth.conf

For me it worked.

[ChristophWurst]

I came to the following findings:

1. The Require all denied from the .htaccess in config is the reason for Apache's log entry
2. There is no client request to /config, but curl <host>/ocs/v1.php/config?format=json triggers the log
3. It might be a rewrite rule that results in a request being rewritten to /config

[b-pfl]

I came to the following findings:

1. The `Require all denied` from the `.htaccess` in `config` is the reason for Apache's log entry

2. There is no client request to `/config`, but `curl <host>/ocs/v1.php/config?format=json` triggers the log

3. It might be a rewrite rule that results in a request being rewritten to `/config`

I can confirm this behavior on my sever. The requests sent are (twice!):
GET /ocs/v1.php/config?format=json HTTP/1.0
GET /ocs/v1.php/config?format=json HTTP/1.0

This happens for instance with clients with the User Agent "Mozilla/5.0 (Macintosh) mirall/2.5.2git (build 20190319) (Nextcloud)" and "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)".

It does not feel like a rewrite rule is applied, is it? access.log lists 200 as status message.

[ChristophWurst]

It does not feel like a rewrite rule is applied, is it? access.log lists 200 as status message.

Rewrite, not redirect.

[MorrisJobke]

This seem to be a configuration issue with apache. Those are the rewrite rules:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

On every request to the nextcloud server, that is like this <host>/ANY.php/config. I can reproduce with those: /ocs/v1.php/config, /ocs/v2.php/config, /remote.php/config, /index.php/config... Somehow Apache first tries to get the filesystem access directly and then redirects to the called PHP script.

This behavior is (most likely) caused by the option PT:

The target (or substitution string) in a RewriteRule is assumed to be a file path, by default. The use of the [PT] flag causes it to be treated as a URI instead. That is to say, the use of the [PT] flag causes the result of the RewriteRule to be passed back through URL mapping, so that location-based mappings, such as Alias, Redirect, or ScriptAlias, for example, might have a chance to take effect.

If, for example, you have an Alias for /icons, and have a RewriteRule pointing there, you should use the [PT] flag to ensure that the Alias is evaluated.

See https://httpd.apache.org/docs/current/rewrite/flags.html#flag_pt

has anybody an idea how to exclude the directory config from this check to avoid the log spamming?

[MorrisJobke]

Maybe @kesselb or @rakekniven have some idea.

[bekon16]

Any progress? I have the same problem with fail2ban.

[jsaraiva]

I was having this problem with NC 16.
I solved it by editing the Apache vhost file, and adding the "Satisfy any" (and maybe the "Require all granted") line to the Directory section.
More details at https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#additional-apache-configurations

Don't know if this applies to earlier versions of NC.

[bekon16]

Thanks for info, "Satisfy any" does the job.

[ghost]

@bekon16 Did you use "Require all" AND "Satisfy any" or just the last one?

[bekon16]

@bekon16 Did you use "Require all" AND "Satisfy any" or just the last one?

Probably last one, i dont remember exactly, but i have reverted this, because all data files was accessible without any authentication - not sure only it was related to my apache config or not - but be careful when you use it in yours configuration.

Here is reported issue related to this:
#6449

[ghost]

Thank you. This fits my expectation and close the gap.
I use only "Require all" and it seems to work.
But I want to be sure :-)

[san3Xian]

see this also;
here are my server informations

root@ncServer:/var/log/apache2                                                                                                                                                                                  
➤ cat nextcloud_error.log.1
[Sun Feb 23 12:33:53.135749 2020] [access_compat:error] [pid 6516] [client 127.0.0.1:44388] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 13:03:43.056532 2020] [access_compat:error] [pid 3522] [client 127.0.0.1:46046] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 19:20:44.817497 2020] [access_compat:error] [pid 12263] [client 127.0.0.1:41154] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:46:57.886302 2020] [access_compat:error] [pid 12310] [client 127.0.0.1:49772] AH01797: client denied by server configuration: /var/www/nextcloud/config
[Sun Feb 23 21:50:25.513269 2020] [access_compat:error] [pid 12271] [client 127.0.0.1:49926] AH01797: client denied by server configuration: /var/www/nextcloud/config

➤ cat nextcloud_access.log.1 | grep -E "(12:33:53)|(13:03:43)|(19:20:44)|(21:46:57)|(21:50:25)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:12:33:53 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 4668 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:13:03:43 +0800] "GET /remote.php/dav/avatars/admin/128.png HTTP/1.1" 200 34504 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:19:20:44 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 8467 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:46:57 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"
127.0.0.1 - admin [23/Feb/2020:21:50:25 +0800] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 4297 "-" "Mozilla/5.0 (Windows) mirall/2.6.2stable-Win64 (build 20191224) (Nextcloud)"

➤ cat config/.htaccess 
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

➤  a2query -m | grep php && dpkg -l | grep apache2
php7.4 (enabled by maintainer script)
ii  apache2                                      2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server
ii  apache2-bin                                  2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                                 2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    all          Apache HTTP Server (common files)
ii  apache2-utils                                2.4.41-1+ubuntu16.04.1+deb.sury.org+5                    amd64        Apache HTTP Server (utility programs for web servers)
rc  libapache2-mod-php7.0                        7.0.33-0ubuntu0.16.04.7                                  amd64        server-side, HTML-embedded scripting language (Apache 2 module)
rc  libapache2-mod-php7.3                        7.3.12-1+ubuntu16.04.1+deb.sury.org+1                    amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  libapache2-mod-php7.4                        7.4.2-6+ubuntu16.04.1+deb.sury.org+1                     amd64        server-side, HTML-embedded scripting language (Apache 2 module)

➤ sudo -u www-data php ./occ status
  - installed: true
  - version: 18.0.0.10
  - versionstring: 18.0.0
  - edition: 

[kesselb]

I spent some time today to understand what the PT flag is supposed to do. I still have no idea why it's there in the first place. If one of you has a test system:

Change RewriteRule . index.php [PT,E=PATH_INFO:$1] to RewriteRule . index.php [E=PATH_INFO:$1]

And let us know if you run into weird issues ;) Keep in mind the change is not update safe and the integrity check might complain.

[WarpinWolf]

Hm,
apparently this is a PITA since some time.

I was able to track down when this error message happened in my set-up. Apparently every time I did restart the Linux nexctloud client the following sequence of requests have been issued:

tail -f nextcloud-ssl-access.log | grep mirall

xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "GET /status.php HTTP/1.1" 200 5014 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:25 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 1210 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 6405 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/config?format=json HTTP/1.1" 200 1195 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 1506 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:26 +0100] "GET /remote.php/dav/avatars/nextcloud/128.png HTTP/1.1" 200 28393 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "GET /ocs/v2.php/cloud/activity?start=0&count=100&format=json HTTP/1.1" 200 18976 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"
xxx.xxx.xxx.xxx - nextcloud [29/Oct/2020:13:38:27 +0100] "PROPFIND /remote.php/dav/files/nextcloud/ HTTP/1.1" 207 44867 "-" "Mozilla/5.0 (Linux) mirall/2.6.5git (Nextcloud)"

And at the same time I did receive an error log entry:
[Thu Oct 29 13:38:26.397012 2020] [access_compat:error] [pid 20310] [client 77.21.95.34:47200] AH01797: client denied by server configuration: /var/www/nextcloud/config

Apache 2.4, Debian 9

sites http conf:

:
        DocumentRoot /var/www/nextcloud
:
<Directory /var/www/nextcloud>
        Options Indexes FollowSymLinks MultiViews
        Require all granted  # <------ this means that all basically all access is granted for everybody
        AllowOverride All # <--------- this means that .htaccess files in directories are respected
</Directory>
: 

So lets look at the .htaccess in /var/www/nextcloud/config

:
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>
:

I do interpret this as follows:

• if the module authz_core is active (which it is), then access is denied for everybody using the "NEW" directives
• if the modules access_compat is active (which is, too), then access is denied for everybody using the "OLD" directives

Apparently Apache seems to have some issues with mixing old and new directives (google: access_compat:error AH01797)

So I tried:

a2dismod access_compat
systemctl restart apache2

The result was that the error still happened when restarting the Linux nextcloud client, but this time reported from a different module (which is to be expected - we expressly stated that we do NOT want anybody to access this data).

[Thu Oct 29 13:55:28.787665 2020] [authz_core:error] [pid 19091] [client 77.21.95.34:46576] AH01630: client denied by server configuration: /var/www/nextcloud/config

So I would assume that the request of "GET /ocs/v1.php/config?format=json" should either not happen, or we should somehow allow this.

Any clues anybody?

[OneAceGuy]

I thought it was SUPPOSED to happen like this, that the error generated proves that the security we want (no direct access to the data/ folder) is in place and data is accessible only after authenticated. I am basing assumption off of @tflidd comment here: https://help.nextcloud.com/t/client-denied-by-server-configuration-ocdata/13250/4

[OneAceGuy]

@WarpinWolf What you say makes sense. I just don't think it is a problem with Nextcloud app, but maybe the desktop client. Reading the earlier comments here and on other related threads (here and here) it appeared some folks were recommending granting access at the webserver, effectively disabling .htaccess. Probably not a good idea.

I also encountered this issue yesterday, but simply modified fail2ban as described by others to avoid getting my IP banned. For me the issue was with fail2ban, not with Nextcloud. If fail2ban is disable, yes the errors are still raised in the log, but it does not impact functionality or performance of Nextcloud. I know not a great answer, but I need my production instance up and running, not disabled because of an aggressive fail2ban policy.

I appreciate your additional investigation and look forward to hearing from someone with more experience and insights that can answer the questions you posed.

[kesselb]

@WarpinWolf your assumption is wrong. I would really appreciate if you could stop commenting on this issue. Your comments are not helpful and misleading.

If you are interested in the actual problem I suggest to read this issue carefully from the beginning.

[kesselb]

nextcloud/desktop#2619 is going to remove the request to /ocs/v1.php/config?format=json. You are welcome to try the new version. Instructions are over there. Only a build for linux is available afaik.

That should fix the problem for most people but the crazy rewrite rule (that rewrites /ocs/v1.php/config?format=json to /config) is still there and may needs another fix.

[er-vin]

nextcloud/desktop#2619 is going to remove the request to /ocs/v1.php/config?format=json. You are welcome to try the new version. Instructions are over there. Only a build for linux is available afaik.

That should fix the problem for most people but the crazy rewrite rule (that rewrites /ocs/v1.php/config?format=json to /config) is still there and may needs another fix.

Note however that as @nickvergessen pointed out, said patch breaks support for the "copy internal link" feature in the client. So I guess the alternative I proposed earlier of having another way to get the host part is likely a better path.

[allexzander]

@er-vin Do you mind sharing what the alternative was?

[galandilias]

When the solution will be available on Windows desktop client? After adding f2b to my setup I am suffering the same thing as you all now :/

[llucax]

No news for a few months now, any plan to address this somehow?

[wedeen]

I have the same on 1 location, the other don't have this. It is not good, the sync stop because fail2ban block this ip everytime a specific computer is started.
I tried the client reinstall but it happens again. What is the reason, what can I do. I don't want to edit fail2ban because it should ban if real bad person try to break in
can we get soon an update to fix it?

[allexzander]

@wedeen Try with this build:

• https://cloud.nextcloud.com/s/PaCNcerNFNQzzgG for Windows
• https://cloud.nextcloud.com/s/aRnYbSjTm2KDx8S - for macOS
• https://cloud.nextcloud.com/s/M9yLegni8JetAwT - for Linux
  Do not install it on all your machines or you will have to manually install 3.3.0 when it is released. Just try it with one device.

[nodiscc]

@wedeen I suggest not installing untrusted/unsigned builds (this is very bad practice).

As long as this problem is present I whitelisted this particular path in /etc/apache2/jail.d/apache.conf

# fail2ban apache jails
[apache-auth]
enabled  = true
port     = http,https
# workaround for https://github.com/nextcloud/server/issues/15688
ignoreregex = /var/www/cloud.example.org/config

[mtaipe]

Based on @WarpinWolf analysis, disabling the module helped but I had to commenting the line "Satisfy Any" after the line "Require all granted" , then no more error logs.

a2dismod access_compat
systemctl restart apache2

Combining old and new directives is discouraged, so I think is safe to comment that "Satisfy Any" after disabling access_compat, I think "Require all granted" will do the same job, please correct me if I am wrong.

After that change, no more error logs when tried:
curl SERVER/ocs/v1.php/config?format=json

source: https://httpd.apache.org/docs/trunk/upgrading.html#run-time