ownCloud 9.0.2 security and setup warnings are endlessly reloading #24309

Closed
LukasReschke opened this issue Apr 27, 2016 · 28 comments · Fixed by #25239

@LukasReschke
Member

Other users have reported this as well in the bug tracker, with ownCloud Proxy I now face this as well. I'm debugging this…

@LukasReschke LukasReschke self-assigned this Apr 27, 2016
@LukasReschke LukasReschke added this to the 9.0.2-current-maintenance milestone Apr 27, 2016
@LukasReschke
Member Author

Mixed Content: The page at 'https://█████.owncloudconnect.com/owncloud/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://█████.owncloudconnect.com/owncloud/apps/files/'. This request has been blocked; the content must be served over HTTPS.
Navigated to https://█████.owncloudconnect.com/owncloud/settings/admin

@ghost

ghost commented Apr 27, 2016

Dup: #24293 ? :-)

@RobinMcCorkell
Member

@LukasReschke Do you get a warning printed before the reload with #24126 applied?

@PVince81
Contributor

Setting to critical as this makes the admin page unusable in such environments.

@PVince81
Contributor

CC @cmonteroluque FYI

@PVince81
Contributor

@LukasReschke any progress on the debugging front?

@PVince81
Contributor

PVince81 commented May 2, 2016

Likely an env issue, moving to 9.0.3 as it would still be good to find out what is going on

@cmonteroluque

@PVince81 PVince81 modified the milestones: 9.0.3-next-maintenance, 9.0.2-current-maintenance May 2, 2016
@PVince81
Contributor

PVince81 commented Jun 2, 2016

Ok, so the SSL warning might be causing a reload from what I read

@PVince81
Contributor

PVince81 commented Jun 8, 2016

It looks like the global ajax error handler is getting a lot of false positives, and that only because it is assuming that a failed XmlHttpRequest is due to a cross-domain request trying to connect to an IDP in an SSO situation.

Anyway, I think we should backport #24126 which will at least introduce a delay and give the admin a chance to see the current messages, which can already be useful to find out what is wrong in their env.

I'll prepare a backport PR.

@PVince81
Contributor

PVince81 commented Jun 8, 2016

PR here #25035

@icewind1991
Contributor

@PVince81 is this closed with #25035?

@PVince81
Contributor

Kind of, yes. At least it gives admin a better chance of seeing warnings and debugging.

However it was reported again here #25058 (comment) maybe with more chance to find out about the core issue.

@fuco809

fuco809 commented Jun 21, 2016

Same issue here. OC9.0.2.2 + php7 + centos7 (latest patches), proxy needed and configured in config.php, and an additional Apache reverse proxy in front. The issue appears when using http://ocserver, but when using https it works. When accessing owncloud-apache directly (without the reverse proxy) it also works with http (and https).

@fuco809

fuco809 commented Jun 21, 2016

[Screenshot: reload_site_oc9]

After login to OC I get the loop on /owncloud/apps/files/

I tried to figure out the root cause. It seems that js.js makes the reload (see screenshot).
I also tried the #25058 tips with the Apache config and overwritehost/overwritehostport: no effect.
I also tried OC9.0.3RC1, and there is the 5 sec delay message, but the problem still exists.
Any hints?

The add content button does not appear (before reload).
[Screenshot: no_add_content]

@PVince81
Contributor

js.js makes the reload because it detected an ajax error and believes that it was a cross-site SSO redirect. Currently there is no good way to detect such situations.

In your specific case you need to find out why the ajax call causes an error in the first place, likely an issue in your env.

@fuco809

fuco809 commented Jun 21, 2016

With browser debugging mode I found this message while loading the page, but I am not sure if this is relevant.

The requested URL /core/vendor/jquery/jquery-1.10.2.js was not found on this server.

@n2five6

n2five6 commented Jun 22, 2016

We have the same problem: OC 9.0.2 behind an LB.
The LB delivers the SSL cert (no cert is configured on the server side).

When I try to debug the error with FF, I also see that there is something with the Content-Security-Policy. Maybe it also has to do with the .ocdata error (which we also have).

[Screenshot: owncloud-redirect]

[Wed Jun 22 15:08:20.835144 2016] [authz_core:error] [pid 3020] [client ██.██.██.██:12784] AH01630: client denied by server configuration: /srv/www/owncloud-lt/data/.ocdata

@fuco809

fuco809 commented Jun 23, 2016

For my case I found the cause and a solution. The PROPFIND HTTP requests are filtered somewhere (IPS, ...) and without them the page always reloads. Now, after fixing this, the reloads have disappeared and everything is working fine.
@n2five6: as your screenshot shows, you have at least the same problem with PROPFIND requests.

@PVince81
Contributor

Now thinking of it, I might have a solution to prevent the reload in case the setup checks are triggering the "global ajax error" condition. I'll add an exclusion flag for the setup checks.
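
The reload loop and the exclusion flag described in the comment above, modelled as an added example; this is not code from the thread or from ownCloud. The flag name `skipGlobalErrorHandler`, the request list and the host `cloud.example.test` are assumptions.

```javascript
// Simplified model of the behaviour discussed in this thread. It is not
// ownCloud's js.js; every name below is hypothetical.

// Build a global ajax error handler. `reload` stands in for a page reload.
function makeGlobalErrorHandler(reload, honourExclusionFlag) {
  return function onAjaxError(xhr, settings) {
    // status 0 means the browser delivered no response at all. That happens on
    // a cross-domain SSO redirect, but also on blocked mixed content, a
    // filtered PROPFIND or a timeout, hence the false positives.
    if (xhr.status !== 0) return 'ignored';
    if (honourExclusionFlag && settings.skipGlobalErrorHandler) return 'excluded';
    reload();
    return 'reload';
  };
}

// Constructed sample: requests the admin page fires on each load and the
// status each one ends with behind a misconfigured proxy or filter.
const SETUP_CHECK_REQUESTS = [
  { method: 'GET', url: '/example/setup-check', status: 200 },
  { method: 'PROPFIND', url: '/example/dav/', status: 0 }, // filtered upstream
  { method: 'GET', url: 'http://cloud.example.test/apps/files/', status: 0 }, // mixed content
];

// Load the admin page until it stops reloading, or give up after maxLoads.
function simulateAdminPage(honourExclusionFlag, maxLoads) {
  let loads = 0;
  let reloadRequested = true;
  const warnings = [];
  const handler = makeGlobalErrorHandler(() => { reloadRequested = true; }, honourExclusionFlag);
  while (reloadRequested && loads < maxLoads) {
    reloadRequested = false;
    loads += 1;
    warnings.length = 0; // a reload wipes whatever was on screen
    for (const req of SETUP_CHECK_REQUESTS) {
      if (req.status === 200) continue;
      // Setup checks mark their own requests so the global handler can skip them.
      handler({ status: req.status }, { skipGlobalErrorHandler: true });
      warnings.push(req.method + ' ' + req.url + ' failed');
    }
  }
  // Warnings are only readable if the page is not about to reload again.
  return { loads, stillLooping: reloadRequested, visibleWarnings: reloadRequested ? [] : warnings };
}

console.log(simulateAdminPage(false, 5)); // handler ignores the flag
console.log(simulateAdminPage(true, 5));  // handler honours the flag
```

With the flag honoured the page loads once and both failed requests stay visible for diagnosis; the underlying proxy or filter problem is still there and still has to be fixed.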

@PVince81
Contributor

Fix here: #25239

Can you guys who have the reload issue try it out?

@fuco809

fuco809 commented Jun 23, 2016

Applied the changes in core/js/setupchecks.js on a 9.0.3rc1 ... now the page reload (loop) disappears, but OC is not fully loading/not functional because the PROPFIND HTTP request times out (on my test server).

@PVince81
Contributor

@fuco809 thanks. Yeah, there is indeed a setup issue on your side.

Goal of my PR was mostly to avoid the annoying reload while trying to figure out how to fix the env.

@n2five6

n2five6 commented Jun 24, 2016

@fuco809: Thanks! It looks like something is being blocked on our LB. We have now opened a support ticket with KEMP.

@PVince81: Is there a list of which HTTP methods are used by ownCloud?

@PVince81
Contributor

I can't seem to find an explicit list. Mostly the verbs commonly used by REST and WebDAV APIs:

  • GET
  • POST
  • PUT
  • MOVE
  • DELETE
  • PROPPATCH
  • PROPFIND
  • REPORT

(off the top of my head)

@ghost

ghost commented Jun 26, 2016

There are also others like MKCOL. Personally I'm using those:

https://forum.owncloud.org/viewtopic.php?f=23&t=10519&p=26878#p26878

@NestorTejero

On OwnCloud 9.1.0 we are getting the same error. Our code already contains the fix linked above, but it looks like it is just hiding the error, not going to the root cause.

We get this:

admin:1 Mixed Content: The page at 'https://owncloud.XXX.com/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://owncloud.XXX.com/apps/files/'. This request has been blocked; the content must be served over HTTPS.

Just for reference, we have an SSL certificate running in the server, so that the main page for OC is https://owncloud.XXX.com.

@PVince81
Contributor

Yes, the above code only removes the useless reloading to make it possible for you to examine the network console and other possible environment errors.

@lock

lock bot commented Aug 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 3, 2019