cannot disable webdav #90

Closed
ghost opened this issue Feb 8, 2018 · 10 comments

@ghost

ghost commented Feb 8, 2018

Steps to reproduce

2018-02-08-075152_1150x433_scrot

Expected behaviour

I cannot access files via webdav (davs://) which is great.

But...! I cannot access files via nextcloud.com file's app. This is because new nextcloud (12) uses webdav always. I don't know if there is a way to distinguish web vs other clients. I tried the following, but I can use (davs://) with [caja], so I think it is not restricting too much.

2018-02-08-200448_641x324_scrot

Previously (old nextcloud versions) I succeeded using nginx reverse proxy with:

location /remote.php/webdav {
  return 404;
}

Actual behaviour

Tell us what happens instead

Server configuration

Operating system: Debian 9

Web server: apache

Database: mariadb

PHP version: 7.0

Nextcloud version: (see Nextcloud admin page) 12.0.5

Where did you install Nextcloud from: nextcloud.com

Signing status:

Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.

No errors have been found.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Enabled:

  • admin_audit: 1.2.0
  • comments: 1.2.0
  • dav: 1.3.1
  • federatedfilesharing: 1.2.0
  • files: 1.7.2
  • files_accesscontrol: 1.2.5
  • files_pdfviewer: 1.1.1
  • files_sharing: 1.4.0
  • files_texteditor: 2.4.1
  • files_trashbin: 1.2.0
  • files_versions: 1.5.0
  • files_videoplayer: 1.1.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.1
  • notifications: 2.0.0
  • oauth2: 1.0.5
  • password_policy: 1.2.2
  • provisioning_api: 1.2.0
  • serverinfo: 1.2.0
  • sharebymail: 1.2.0
  • survey_client: 1.0.0
  • systemtags: 1.2.0
  • theming: 1.3.0
  • twofactor_backupcodes: 1.1.1
  • updatenotification: 1.2.0
  • user_ldap: 1.2.1
  • workflowengine: 1.2.0
Disabled:
  • activity
  • encryption
  • federation
  • files_external
  • firstrunwizard
  • gallery
  • user_external

Nextcloud configuration:

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

{
  "system": {
    "default_language": "es",
    "instanceid": "occ3ad5ad6d8",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_proxies": masked,
    "forwarded_for_headers": [
      "HTTP_X_FORWARDED",
      "HTTP_FORWARDED_FOR"
    ],
    "trusted_domains": [
      "masked",
      "masked"
    ],
    "datadirectory": "/media/data",
    "overwrite.cli.url": "http://masked/owncloud",
    "dbtype": "mysql",
    "version": "12.0.5.3",
    "appstoreenabled": false,
    "apps_paths": [
      {
        "path": "/var/www/html/nextcloud/apps",
        "url": "/apps",
        "writable": false
      }
    ],
    "dbname": "masked",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "ldapIgnoreNamingRules": false,
    "loglevel": 0,
    "maintenance": false,
    "theme": "",
    "singleuser": false,
    "trashbin_retention_obligation": "auto",
    "updater.secret": "REMOVED SENSITIVE VALUE",
    "ldapProviderFactory": "\OCA\User_LDAP\LDAPProviderFactory"
  }
}

Are you using external storage, if yes which one: local/smb/sftp/...

local

Are you using encryption: yes/no

no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

yes (see config.php)

Client configuration

Browser:

firefox (debian 9)

Operating system:

debian 9

@nickvergessen
Member

Well if you only want to allow webdav from browsers, you can do this via a regex. You just need to put all browsers you want to allow into it.

@ghost
Author

ghost commented Feb 10, 2018

Finally got it working with /^Mozilla\/5\.0.*$/i (which means that all browsers compatible with mozilla can access files (firefox, chrome, internet explorer, etc.)). Tested with davs client and nextcloud is denying access. Perfect.

2018-02-10-000433_636x140_scrot

Meanwhile this app suggests /^Mozilla\/5\.0 (.?)$/i but I tried it, it is not working, and I don't get this regex. When I want to say "the rest of string" I usually use .*

@nickvergessen
Member

Can you create a new issue for that? Thanks!

@nickvergessen
Member

Fixed in nextcloud/server#8297

@ghost
Author

ghost commented Feb 11, 2018

Nice! Thanks!

Tested /^Mozilla\/5\.0 (.*)$/i and it works. I still don't know why you put the parentheses.

@neufeind

Would it be possible to have a clear distinction between browser-based requests and those via WebDAV/sync-clients? White-listing certain user-agents is kind of a "hack".
One option that seems to work more or less: Restrict the HTTP-methods to GET/POST for remote.php. That way advanced webdav-methods (like PROPFIND) will be denied. I tried that; the sync-client refuses to sync then. But even that is more a "workaround".

How about an option that notes in the login-session if you logged in via browser or WebDAV/sync-client?

@ghost
Author

ghost commented Apr 18, 2018

... And today I discovered that the user agent hack is not enough to stop nextcloud client usage :( because it acts like a browser (nginx access.log when I start a configured nextcloud client):

192.168.1.2 - user [18/Apr/2018:12:49:31 +0200] "GET /status.php HTTP/1.1" 200 149 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:31 +0200] "GET /status.php HTTP/1.1" 200 149 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:31 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 377 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:32 +0200] "GET /ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 1604 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:32 +0200] "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1" 200 952 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:32 +0200] "GET /ocs/v1.php/cloud/activity?page=0&pagesize=100&format=json HTTP/1.1" 200 228 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:33 +0200] "PROPFIND /remote.php/dav/files/C9B5D9B1-C5CD-4876-BD9A-C505C286C4F7/ HTTP/1.1" 207 33271 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
192.168.1.2 - user [18/Apr/2018:12:49:33 +0200] "GET /ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1" 200 74 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"
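
Added example (not part of the thread or of Nextcloud's code): the two regexes quoted above, run against User-Agent strings from nginx combined-format log lines, show why `(.?)` matches no real browser and why the `.*` allowlist also admits the sync client seen in the access log. The Firefox and gvfs User-Agent strings, the last two log lines and the `mirall/` token check are constructed assumptions.

```python
import re

# Regexes quoted in the thread (the /i flag becomes re.I).
APP_SUGGESTED = re.compile(r"^Mozilla\/5\.0 (.?)$", re.I)
THREAD_RULE = re.compile(r"^Mozilla\/5\.0.*$", re.I)
# Assumption: the desktop sync client keeps the "mirall/<version>" token seen in the log.
SYNC_TOKEN = re.compile(r"\bmirall/\d", re.I)

# nginx "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

MIRALL = "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"  # from the thread
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"  # constructed
GVFS = "gvfs/1.30.4"  # constructed davs:// file-manager client

SAMPLE_LOG = [  # first two lines are from the thread, last two are constructed
    f'192.168.1.2 - user [18/Apr/2018:12:49:31 +0200] "GET /status.php HTTP/1.1" 200 149 "-" "{MIRALL}"',
    f'192.168.1.2 - user [18/Apr/2018:12:49:31 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 377 "-" "{MIRALL}"',
    f'192.168.1.3 - user [18/Apr/2018:12:50:02 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 377 "-" "{FIREFOX}"',
    f'192.168.1.4 - user [18/Apr/2018:12:50:10 +0200] "PROPFIND /remote.php/webdav/ HTTP/1.1" 403 0 "-" "{GVFS}"',
]

def verdict(ua):
    """Classify a User-Agent the way the allowlist rule would treat it."""
    if not THREAD_RULE.match(ua):
        return "blocked"              # rule denies non-Mozilla agents
    if SYNC_TOKEN.search(ua):
        return "sync-client-allowed"  # passes the allowlist but is not a browser
    return "browser-allowed"

def audit(lines):
    """Return (method, path, verdict) for every parsable log line."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:  # skip lines that are not in combined format
            out.append((m["method"], m["path"], verdict(m["ua"])))
    return out

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

The User-Agent header is supplied by the client, so `verdict` is useful for auditing which clients pass the rule, not as proof of what the client is.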

@GoetheG

GoetheG commented Jan 11, 2019

So it is possible to disable WebDAV usage or not?

@nickvergessen
Member

Well, if you disable all webdav usage, the normal web interface will also not work anymore, because it also uses the same endpoint.

But as mentioned above, you can simply define a rule which only allows the browsers you want to allow and then webdav clients are blocked while the web UI still works.

@OWClocal

I'm sorry, but with Nextcloud 16 it is still not possible to disable webdav access.

Does anybody have a solution to "just" hide the settings-bar at the left bottom?
