Multiple issues when using a reverse proxy #18483

Closed
anonimal opened this issue Aug 21, 2015 · 8 comments

@anonimal

anonimal commented Aug 21, 2015

Hello everyone,

The intent of this ticket is to elaborate on some issues that are possibly admin-related (not sure at this point) and to encourage the opening of a new ticket which will aim to provide better (if any at all) documentation regarding the preparation and implementation of a successful reverse proxy configuration when using owncloud. I hope that this ticket will save hours of troubleshooting for future Apache reverse proxy users.

I can say with at least some assurance that the issues presented may be simply a matter of extended mapping (and lack thereof). Reading https://doc.owncloud.org/server/7.0/admin_manual/configuration/reverse_proxy_configuration.html was not helpful, even after applying appropriate parameters. I could not find any other specific literature related to preparing a reverse proxy for owncloud (with Apache, a simple ProxyPass* / does not work at this point in time).

Steps to reproduce

  1. Set up reverse proxy:

    internet <=> http://external.tld/owncloud/ <=> http://internal.owncloud.server/

    also Alias'd:

    internet <=> http://external.tld/owncloud/ <=> http://internal.owncloud.server/owncloud/
  2. Login to http://external.tld/owncloud/

Expected behaviour

Identical functionality to a non-reverse-proxy'd owncloud instance.

Actual behaviour

w/Firefox 40.0.2

  1. "Log in" button stays inactive. Unable to login. (see browser log below)

w/Firefox 38.2.0 (Tor Browser 5.0.1)

  1. Some font spacing and icon placement varies in position for no explicable reason:

Files (direct connection): [screenshot: files_direct]
Files (reverse proxy): [screenshot: files_proxied]
Bookmarks (direct connection): [screenshot: bookmarks_proxied]
Bookmarks (reverse proxy): [screenshot: bookmarks_direct]

  2. In "Documents" app, when creating new document or clicking on already uploaded document, the top left cloud's URL drops /owncloud/ so it now directs to http://external.tld instead of http://external.tld/owncloud/

Server configuration

Operating system:
Arch
Web server:
Apache 2.4.16

Relevant modules enabled (in addition to those required by owncloud):

mod_proxy
mod_proxy_http
mod_proxy_html
mod_xml2enc

Apache vhost configuration excerpt for http://external.tld/

<VirtualHost *:80>
  ...
  ProxyPass /owncloud/ http://internal.owncloud.server/
  ProxyPassReverse /owncloud/ http://internal.owncloud.server/

  ProxyPass /index.php/ http://internal.owncloud.server/index.php/
  ProxyPassReverse /index.php/ http://internal.owncloud.server/index.php/

  ProxyPass /core/ http://internal.owncloud.server/core/
  ProxyPassReverse /core/ http://internal.owncloud.server/core/

  ProxyPass /apps/ http://internal.owncloud.server/apps/
  ProxyPassReverse /apps/ http://internal.owncloud.server/apps/

  <Location /owncloud/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap http://internal.owncloud.server /owncloud/
    ProxyHTMLURLMap / /owncloud/
    ProxyHTMLURLMap /owncloud/ /owncloud/
    ProxyHTMLURLMap /index.php/ /index.php/
    ProxyHTMLURLMap /core/ /core/
    ProxyHTMLURLMap /apps/ /apps/
  </Location>
  ...
</VirtualHost>

Apache vhost configuration excerpt for http://internal.owncloud.server/

<IfModule mod_alias.c>
  Alias /owncloud /usr/share/webapps/owncloud/
</IfModule>

<Directory /usr/share/webapps/owncloud/>
  Options FollowSymlinks
  AllowOverride all
  Require all granted
  php_admin_value open_basedir "/srv/http/:/tmp/:/usr/share/pear/:/usr/share/webapps/owncloud/:/etc/webapps/owncloud:/dev/urandom"
</Directory>

<VirtualHost *:80>
  ...
  DocumentRoot /usr/share/webapps/owncloud
  ...
</VirtualHost>

Note: removing any one or more of the previous ProxyPass* rules in http://external.tld/ reduces owncloud's functionality or renders certain aspects of owncloud to be non-functional (see the end of the ticket). This was discovered only after hours of troubleshooting.

Database:
MariaDB 10.0.21
PHP version:
5.6.12
ownCloud version: (see ownCloud admin page)
8.1.1.3
Updated from an older ownCloud or fresh install:
Fresh
List of activated apps:

Enabled:
 - bookmarks: 0.4
 - calendar: 0.7.2
 - contacts: 0.4.0.0
 - direct_menu: 0.3
 - documents: 0.10.1
 - files: 1.1.10
 - files_archive: 0.2
 - files_locking: 
 - files_odfviewer: 0.1
 - files_pdfviewer: 0.7
 - files_sharing: 0.6.2
 - files_texteditor: 0.4
 - files_trashbin: 0.6.3
 - files_versions: 1.0.6
 - files_videoviewer: 0.1.3
 - galleryplus: 13.0.0
 - provisioning_api: 0.2
 - templateeditor: 0.1
 - updater: 0.6
 - user_migrate: 0.1

The content of config/config.php:
Default
Are you using external storage, if yes which one: local/smb/sftp/...
No
Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
No

Client configuration

Browsers tested:
Firefox 40.0.2
Firefox 38.2.0 (Tor Browser 5.0.1)
Operating system:
Arch

Logs

Web server error log

No errors reported

ownCloud log (data/owncloud.log)

No errors reported

Browser log

w/Firefox 40.0.2

SyntaxError: missing } after property list moment-with-locales.js:3402:26
ReferenceError: moment is not defined js.js:1085:1

w/Firefox 38.2.0 (Tor Browser 5.0.1)

No errors reported

When /core/ /apps/ and /index.php/ are not ProxyPass*'d and ProxyHTMLURLMap'd

w/Firefox 40.0.2

Same as above 

w/Firefox 38.2.0 (Tor Browser 5.0.1)

Firefox can't establish a connection to the server at http://external.tld/index.php/apps/files/ajax/scan.php?force=false&dir=&requesttoken=W39Ja%2BIhUZZF4PrryX5HyYvfkCJhtF. eventsource.js:58:0
TypeError: result.data is undefined filelist.js:1156:0
TypeError: remote is undefined external.js:24:6

And in web console when clicking on "Documents" app:

GET  XHR  http://external.tld/core/img/breadcrumb.svg [HTTP/1.1 404 Not Found]
GET  http://external.tld/apps/documents/css/3rdparty/webodf/wodotexteditor.css [HTTP/1.1 404 Not Found]

And eternal spinners of death for "Documents" and "Gallery" "Contacts" apps.

Web server error log (when /core/ /apps/ and /index.php/ are not ProxyPass*'d and ProxyHTMLURLMap'd)

  1. scan.php is never called (/owncloud/ is not prepended in URL) so files are never shown.
  2. Other urls without prepended /owncloud/ (these returned 200 though never made it to http://internal.owncloud.server):
external.tld - "GET /index.php/avatar/user/128?requesttoken=n40rPM3IhHjSe0H%2BFqQf1tQNVpjx%2BT HTTP/1.1" 200 35671 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/documents/ajax/mimes.php HTTP/1.1" 200 35680 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/galleryplus/config?slideshow=1 HTTP/1.1" 200 35674 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/files/ajax/list.php?dir=%2F&sort=name&sortdirection=asc HTTP/1.1" 200 35675 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/files_sharing/api/externalShares HTTP/1.1" 200 35688 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/files/ajax/scan.php?force=false&dir=&requesttoken=n40rPM3IhHjSe0H%2BFqQf1tQNVpjx%2BT HTTP/1.1" 200 35675 "http://external.tld/owncloud/index.php/apps/files/" "useragent"
external.tld - "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 35686 "http://external.tld/owncloud/index.php/apps/files/" "useragent"

Notable error in http://internal.owncloud.server logs:

internal.owncloud.server - "GET /core/img/places/home.svg HTTP/1.1" 404 1199 "http://external.tld/owncloud/index.php/apps/files/" "useragent"

Notes

These results are also returned with an HTTPS reverse proxy, even though SSL Apache rules are omitted above.

Current Conclusions

  1. A solid example of extended mapping is needed.
  2. When /core/ /apps/ and /index.php/ are not applied, 404'd urls are not prepended with /owncloud/. Every other asset appears to have /owncloud/ successfully prepended.
  3. Even with /core/ /apps/ and /index.php/ applied, perhaps https://github.com/owncloud/core/blob/master/core/vendor/moment/min/moment-with-locales.js#L3734 is a mod_xml2enc issue? If that's the case and internationalization is the problem, then I could start looking at packet dumps to rule out that scenario. I hope the solution is easier than staring at dumps though, I've already spent too many hours on these issues as it is 😭
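
The symptom in the proxy log above (requests made by a page under /owncloud/ whose own URL lacks that prefix) can be checked for mechanically. This is an added example, not part of the original report; the function names and sample lines are constructed, and the line layout is assumed to match the excerpt quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the proxy access-log lines quoted in the report:
# vhost - "METHOD target HTTP/x.y" status bytes "referer" "useragent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) - "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

def unprefixed_requests(lines, prefix="/owncloud/"):
    """Return (path, status) for requests issued by a page under `prefix`
    whose own path lacks that prefix, i.e. URLs the proxy never mapped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unknown layout: skip instead of guessing fields
        page = urlsplit(m["referer"]).path
        path = urlsplit(m["target"]).path
        if page.startswith(prefix) and not path.startswith(prefix):
            hits.append((path, int(m["status"])))
    return hits

def leaked_roots(hits):
    """Count hits by first path segment, e.g. '/index.php/'."""
    roots = Counter()
    for path, _status in hits:
        segment = path.lstrip("/").split("/", 1)[0]
        roots["/" + segment + "/" if segment else "/"] += 1
    return roots

# Constructed sample lines in the report's layout (not real log data).
REF = "http://external.tld/owncloud/index.php/apps/files/"
SAMPLE = [
    'external.tld - "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 5120 "-" "ua"',
    f'external.tld - "GET /owncloud/core/css/styles.css HTTP/1.1" 200 2048 "{REF}" "ua"',
    f'external.tld - "GET /index.php/apps/files/ajax/list.php?dir=%2F HTTP/1.1" 200 35675 "{REF}" "ua"',
    f'external.tld - "GET /core/img/breadcrumb.svg HTTP/1.1" 404 1199 "{REF}" "ua"',
    f'external.tld - "GET /apps/documents/css/editor.css HTTP/1.1" 404 1199 "{REF}" "ua"',
]

if __name__ == "__main__":
    found = unprefixed_requests(SAMPLE)
    for path, status in found:
        print(status, path)
    print(dict(leaked_roots(found)))
```

The status code is reported alongside each path because, as the log excerpt shows, an unprefixed request can still return 200 from the front-end vhost without ever reaching the backend.
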

@karlitschek
Contributor

Thanks for debugging this. This needs to be fixed.

@PVince81
Contributor

@LukasReschke proxy stuff

@LukasReschke
Member

Reverse Proxies do work fine if they are properly configured. In fact, I do host multiple such environments on my own.

That said:

  1. Why do you use ProxyHTMLURLMap? - This is plain wrong and will explode with any decent modern application.
  2. https://doc.owncloud.org/server/7.0/admin_manual/configuration/reverse_proxy_configuration.html is for ownCloud 7, please always use the latest documentation.

In fact, you do not need to do any magic configuration on your reverse proxy. You just need a plain dumb redirect and then proper settings within your config.php. In fact, something like the following works fine:

<VirtualHost *:443>
    ServerName cloud.smartworksg.ch
    ServerAlias cloud.smartworksg.ch
    ProxyPreserveHost On
    SSLEngine On

    SSLCertificateFile /etc/ssl/certs/cloud.smartworksg.ch.crt
    SSLCertificateKeyFile /etc/ssl/private/cloud.smartworksg.ch.key
    SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    ProxyPass / http://10.0.2.5/
    ProxyPassReverse / http://10.0.2.5/
</VirtualHost>

That said, yes, it might fail if you have ownCloud installed in /owncloud/ and want it reversed as /, but then again this can be easily mitigated by installing ownCloud on its own subdomain instead of a subfolder. - But with https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/reverse_proxy_configuration.html even that should run.

My sum-up: Not a bug but configuration error.

@anonimal
Author

@LukasReschke

  1. Because there is no documentation on how to correctly reverse proxy with owncloud and Apache when using a subfolder and, like I clearly said above;
    with Apache, a simple ProxyPass* / does not work at this point in time
    I had to try to find a working solution when using http://external.tld/owncloud/.
  2. Did you bother to compare the differences between the 7.0 and 8.1 reverse proxy documentation? They are identical except for a few English wording choices. For this ticket, I grabbed the first returned search result for "owncloud reverse proxy configuration" but I obviously read the latest docs before opening a new ticket.
  3. Yes, it does fail: mapping / to /owncloud/, or vice versa, even with a subdomain, does not work. I don't see why I would need a subdomain to accurately reverse proxy with owncloud but when creating a new subdomain and mapping / to /, owncloud works and this solution becomes an easy fix.

Subdomain solution (in reference to the originally posted configuration)

  1. Remove all previous ProxyPass* directives and directive from external.tld.
  2. Remove the /owncloud/ alias from the internal server.
  3. Create owncloud.external.tld and new ProxyPass* / directives to internal /
  4. Visit http://owncloud.external.tld

Conclusion

If owncloud reverse proxy will only work with subdomains, I think that this point should be noted in the documentation. I'm wary to close this issue until it becomes "official" to not use a subfolder when using a reverse proxy (e.g., documentation updated), or otherwise noted (e.g., someone wants to tackle the issue as to why reverse proxy will not work with a subfolder).

Regardless of the outcome, thank you all for the input so far.

@anonimal
Author

Note: https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/harden_server.html#use-a-dedicated-domain-for-owncloud does recommend to use a subdomain for good reason, but not for our purpose.

@LukasReschke a question that's somewhat on-topic: https works well but, when I login, I'm redirected to http://owncloud.external.tld/index.php?redirect_url=%2Findex.php%2Fapps%2Ffiles%2F.

Adding 'overwriteprotocol' => 'https', solves the redirect but then I always have to use https to login which is not conducive to the environment that I'm working in (https is optional as it is on a private network).

In other words: is it possible to not be redirected from https to http without having to use 'overwriteprotocol' => 'https' and if so, how is one able to achieve this via the config (if at all)?

Other apps that I'm running maintain the https with ease, so I'm somewhat certain that this is an owncloud issue.

@anonimal
Author

Can anyone help answer my question, please? I'll open a new feature request ticket if you think it should go in that direction, but I know there are many open tickets as it is.

@PVince81
Contributor

PVince81 commented Mar 2, 2016

Are you still having issues with this in 8.2.2 ?

@anonimal
Author

anonimal commented Mar 3, 2016

Hi @PVince81, I've stopped using owncloud since 8.1 so I cannot confirm. I can try to reproduce next week if no one else is able to reproduce.
