
504 Gateway Time-out after several failed log-in attempts #7228

Closed
CamZie opened this issue Nov 20, 2017 · 5 comments

Comments


CamZie commented Nov 20, 2017

Steps to reproduce

  1. Try to log in on a Nextcloud installation using the wrong credentials
  2. Repeat first step for more than 8 times approximately
  3. After each failed attempt, the /login page becomes increasingly slower to load and after ca. 8 times the error message "504 Gateway Time-out" appears

Expected behaviour

Failed log-in attempts should not slow down page load or cause a 504 error. I do not have the brute force or any other security app enabled.

Actual behaviour

After each failed attempt, the /login page becomes increasingly slower to load and after ca. 8 times the error message "504 Gateway Time-out" appears. Trying from a different computer the page load speed is initially OK, but it also gets increasingly slower after the several failed log-in attempts.

Server configuration

Operating system: Debian 8.9 (jessie)

Web server: Nginx 1.12

Database: MySQL 5.5

PHP version: 5.6

Nextcloud version: 12.0.3

Updated from an older Nextcloud or fresh install: Fresh install

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.5.2
  - comments: 1.2.0
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - files_trashbin
  - user_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "12.0.3.3",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "ocv7ch027cah",
        "mail_smtpmode": "php",
        "log_rotate_size": "10485760",
        "loglevel": "2",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "trashbin_retention_obligation": "auto,90",
        "activity_expire_days": 180,
        "logtimezone": "Europe\/Zurich",
        "skeletondirectory": ""
    }
}

Are you using encryption: no

Client configuration

Browser:
We have tried with Firefox and Chrome
Operating system:
Windows 10 and Linux

Logs

Web server error log
2017/11/20 16:28:40 [error] 17675#17675: *2571358 upstream timed out (110: Connection timed out) while reading response header from upstream, client: ***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "POST /login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm-***REMOVED SENSITIVE VALUE***.sock", host: "***REMOVED SENSITIVE VALUE***"
2017/11/20 16:28:40 [error] 17674#17674: *2578190 upstream timed out (110: Connection timed out) while reading response header from upstream, client: ***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "POST /login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm-***REMOVED SENSITIVE VALUE***.sock", host: "***REMOVED SENSITIVE VALUE***

Nextcloud log (data/nextcloud.log)

{"reqId":"YAxR5Pg373DNgiJuO2de","level":1,"time":"2017-11-20T16:25:04+01:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"--","app":"core","method":"POST","url":"\/login","message":"Bruteforce attempt from \"***REMOVED SENSITIVE VALUE***\" detected for action \"login\".","userAgent":"Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko\/20100101 Firefox\/57.0","version":"12.0.3.3"}
{"reqId":"wU25tIiP6D8Kg1pUWmcJ","level":0,"time":"2017-11-20T16:28:31+01:00","remoteAddr":"192.168.20.153","user":"--","app":"core","method":"GET","url":"\/login","message":"Scss is disabled for \/var\/www\/***REMOVED SENSITIVE VALUE***\/core\/css\/server.scss, ignoring","userAgent":"Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko\/20100101 Firefox\/57.0","version":"12.0.3.3"}

On another installation I get this:

{"reqId":"PKP2arbPsrpgD3dbQleB","level":2,"time":"2017-11-20T17:03:17+01:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"--","app":"core","method":"POST","url":"\/login?user=***REMOVED SENSITIVE VALUE***","message":"Login failed: '***REMOVED SENSITIVE VALUE***' (Remote IP: '***REMOVED SENSITIVE VALUE***')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:52.0) Gecko\/20100101 Firefox\/52.0","version":"12.0.3.3"}

Browser log

login Failed to load resource: the server responded with a status of 504 (Gateway Time-out)
@MorrisJobke
Member

Failed log-in attempts should not slow down page load or cause a 504 error. I do not have the brute force or any other security app enabled.

This is the default behaviour. We have brute force protection built in, and the timeout of your web server should be at least 30 seconds plus the usual amount to account for that. The brute force penalty is between 1 and 30 seconds depending on the number of invalid logins from that IP.

If you really don't mind the security of your instance you could turn it off, but we do not recommend doing so: https://github.com/nextcloud/server/blob/master/config/config.sample.php#L232-L239
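
The throttle behaviour described in this reply, modelled as an added Python example (it is not Nextcloud's own Throttler code). The thread only states that the penalty is 1 to 30 seconds, grows with the number of invalid logins from one IP, and does not reset on a successful login; the doubling curve, the client IPs, the 2 s "normal" login time and the `admin_reset` helper are constructed assumptions. The 60 s figure is nginx's default `fastcgi_read_timeout`, which is why a default nginx usually survives the 30 s worst case while a proxy tuned to a shorter timeout returns 504:

```python
"""Model of a per-IP login throttle and the reverse-proxy timeout budget.

Added example, not Nextcloud's own Throttler. The thread only states that the
penalty is 1-30 seconds, grows with the number of invalid logins from one IP,
and does not reset on a successful login; the doubling curve below is a
constructed assumption that satisfies those constraints.
"""
from collections import defaultdict

MAX_PENALTY_S = 30.0    # upper bound quoted in the thread
BASE_PENALTY_S = 1.0    # lower bound quoted in the thread (first penalised attempt)


class LoginThrottle:
    """Tracks failed logins per client IP and returns the delay to apply."""

    def __init__(self, base_s=BASE_PENALTY_S, max_s=MAX_PENALTY_S):
        self.base_s = base_s
        self.max_s = max_s
        self.failures = defaultdict(int)

    def penalty_for(self, ip):
        """Delay (seconds) applied to the next request from `ip`."""
        n = self.failures[ip]
        if n == 0:
            return 0.0
        # Constructed curve: 1 s, 2 s, 4 s, ... capped at the 30 s maximum.
        return min(self.max_s, self.base_s * 2 ** (n - 1))

    def record_failure(self, ip):
        self.failures[ip] += 1

    def record_success(self, ip):
        # Deliberately clears nothing: the thread reports that a successful
        # login does not remove the penalty for that IP.
        return self.penalty_for(ip)

    def admin_reset(self, ip):
        """Constructed stand-in for the manual unlock the reporter asks for."""
        self.failures.pop(ip, None)


def penalty_schedule(attempts, ip="198.51.100.7"):
    """Penalty seen before each of `attempts` consecutive failed logins from one IP."""
    throttle = LoginThrottle()
    seen = []
    for _ in range(attempts):
        seen.append(throttle.penalty_for(ip))
        throttle.record_failure(ip)
    return seen


def upstream_timeout_is_sufficient(read_timeout_s, normal_response_s,
                                   max_penalty_s=MAX_PENALTY_S):
    """The proxy's upstream read timeout must cover the worst-case penalty plus
    the time a login normally takes; otherwise the client sees a 504."""
    return read_timeout_s >= max_penalty_s + normal_response_s


if __name__ == "__main__":
    print("penalty before each attempt:", penalty_schedule(9))
    # nginx's fastcgi_read_timeout defaults to 60 s, which covers a 30 s penalty
    # plus a constructed 2 s login; a proxy tuned down to 20 s does not.
    print("60 s timeout sufficient:", upstream_timeout_is_sufficient(60, 2))
    print("20 s timeout sufficient:", upstream_timeout_is_sufficient(20, 2))
```

Running the module shows the schedule climbing to the cap by the seventh attempt and staying there, which matches the reporter's observation that a second client from another IP starts fast and only slows after its own failures; the `penalty_for` lookup is keyed by IP, so one client's failures do not delay another.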

@RandieM
Contributor

RandieM commented Nov 22, 2017

@MorrisJobke does "30 seconds + the usual amount" mean the NGINX default (which is 60s) plus 30 additional seconds?

@CamZie
Author

CamZie commented Nov 22, 2017

Thank you very much for the detailed answer.

I did not think that this behaviour was intentional, because the penalty time does not reset upon successful log-in. In another thread I read that this is a security measure, but from the customer's point of view this looks like the service is just slow for a couple of days. Would it not make sense if penalized IP addresses could at least be removed via the front-end by an administrator?

@MorrisJobke
Member

@CamZie yes, there is an open issue for the unlocking.

#3058 - fix is in #7263
