ownCloud 9.0.2 security and setup warnings are endlessly reloading #24309

Closed
LukasReschke opened this Issue Apr 27, 2016 · 27 comments

Member

LukasReschke commented Apr 27, 2016

Other users have reported this as well in the bug tracker, with ownCloud Proxy I now face this as well. I'm debugging this…

@LukasReschke LukasReschke self-assigned this Apr 27, 2016

@LukasReschke LukasReschke added the bug label Apr 27, 2016

@LukasReschke LukasReschke added this to the 9.0.2-current-maintenance milestone Apr 27, 2016

Member

LukasReschke commented Apr 27, 2016

Mixed Content: The page at 'https://█████.owncloudconnect.com/owncloud/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://█████.owncloudconnect.com/owncloud/apps/files/'. This request has been blocked; the content must be served over HTTPS.
Navigated to https://█████.owncloudconnect.com/owncloud/settings/admin

ghost commented Apr 27, 2016

Dup: #24293 ? :-)

Member

Xenopathic commented Apr 27, 2016

@LukasReschke Do you get a warning printed before the reload with #24126 applied?

Member

PVince81 commented Apr 28, 2016

Setting to critical as this makes the admin page unusable in such environments.

Member

PVince81 commented Apr 28, 2016

Member

PVince81 commented Apr 29, 2016

@LukasReschke any progress on the debugging front ?

Member

PVince81 commented May 2, 2016

Likely an env issue, moving to 9.0.3 as it would still be good to find out what is going on

@cmonteroluque

@PVince81 PVince81 modified the milestones: 9.0.3-next-maintenance, 9.0.2-current-maintenance May 2, 2016

Member

PVince81 commented Jun 2, 2016

Ok, so the SSL warning might be causing a reload from what I read

Member

PVince81 commented Jun 8, 2016

It looks like the global ajax error handler is getting a lot of false positives, and that only because it is assuming that a failed XmlHttpRequest is due to a cross-domain request trying to connect to an IDP in a SSO situation.

Anyway, I think we should backport #24126 which will at least introduce a delay and give the admin a chance to see the current messages, which can already be useful to find out what is wrong in their env.

I'll prepare a backport PR.

Member

PVince81 commented Jun 8, 2016

PR here #25035

Member

icewind1991 commented Jun 10, 2016

@PVince81 is this closed with #25035 ?

Member

PVince81 commented Jun 10, 2016

Kind of, yes. At least it gives admin a better chance of seeing warnings and debugging.

However it was reported again here #25058 (comment) maybe with more chance to find out about the core issue.

@PVince81 PVince81 closed this Jun 10, 2016

fuco809 commented Jun 21, 2016

same issue here. OC9.0.2.2 + php7 + centos7(latest patches) proxy needed and configured in config.php and additional reverse-proxy apache in front - then issue appears when using http://ocserver but when using https it works. and when accessing directly to owncloud-apache (without reverse proxy) it works too with http (and https).

fuco809 commented Jun 21, 2016

reload_site_oc9

after login to OC i get the loop on /owncloud/apps/files/

i tried to figure out the root cause. it seems that js.js makes the reload (see screenshot)
i also tried #25058 tips with apache config and overwritehost/overwritehostport. - no effect.
i also tried OC9.0.3RC1, and there is the 5sec delay message, but problem still exists.
any hints?

the add content button does not appear (before reload)
no_add_content

Member

PVince81 commented Jun 21, 2016

js.js makes the reload because it detected an ajax error and believes that it was a cross-site SSO redirect. Currently there is no good way to detect such situations.

In your specific case you need to find out why the ajax call causes an error in the first place, likely an issue in your env.

fuco809 commented Jun 21, 2016

with browser debugging mode i found this message while loading the page, but i am not sure if this is relevant.

The requested URL /core/vendor/jquery/jquery-1.10.2.js was not found on this server.

n2five6 commented Jun 22, 2016

We have the same problem OC 9.0.2 behind an LB.
The LB delivers the SSL-Cert (no Cert is configured on server side).

If I try to debug the error with FF, I saw also that there is something with the Content-Security-Policy. Maybe it has also to do with the .ocdata error (that we have also).

owncloud-redirect

[Wed Jun 22 15:08:20.835144 2016] [authz_core:error] [pid 3020] [client ██.██.██.██:12784] AH01630: client denied by server configuration: /srv/www/owncloud-lt/data/.ocdata

fuco809 commented Jun 23, 2016

for my case i found the cause and a solution. the propfind http requests are somewhere filtered (IPS,...) and without them the page always reloads. now after fixing this, the reloads disappear and all working fine.
@n2five6 : as your screenshot shows you have at least the same problem with propfind requests.

Member

PVince81 commented Jun 23, 2016

Now thinking of it, I might have a solution to prevent the reload in case the setup checks are triggering the "global ajax error" condition. I'll add an exclusion flag for the setup checks.
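
The handler behaviour discussed in this thread, as an added example that is not part of the original comments and is not ownCloud's code or the change in #25239: a global ajax error handler that treats any suspicious failure as an SSO redirect and schedules a delayed reload, plus a per-request opt-out for setup checks. The flag name `skipGlobalReload`, the function names, the status list and the sample events are assumptions made for the illustration.

```javascript
// Added illustration, not ownCloud code. Names such as skipGlobalReload,
// classifyAjaxError and createGlobalHandler are hypothetical.
// Assumed set of statuses that make a global handler suspect an SSO redirect.
// 0 is what XMLHttpRequest reports when a request never completes, e.g. a
// mixed-content block or a PROPFIND dropped by a filtering device.
const SUSPICIOUS_STATUSES = new Set([0, 302, 303, 307, 401]);

function classifyAjaxError(xhr, settings) {
  if (!SUSPICIOUS_STATUSES.has(xhr.status)) return 'ignore';
  // Per-request opt-out: setup checks probe the environment and may fail.
  if (settings.skipGlobalReload) return 'report';
  return 'reload';
}
// reload, warn and schedule are injected so the logic runs without a browser.
function createGlobalHandler({ reload, warn, schedule, delayMs = 5000 }) {
  let reloadPending = false;
  return function onAjaxError(xhr, settings) {
    const action = classifyAjaxError(xhr, settings);
    const what = `${settings.type} ${settings.url} failed (status ${xhr.status})`;
    if (action === 'report') {
      warn(`${what}; not reloading`);
    } else if (action === 'reload' && !reloadPending) {
      reloadPending = true; // one delayed reload, however many requests fail
      warn(`${what}; reloading in ${delayMs} ms`);
      schedule(reload, delayMs);
    }
    return action;
  };
}
// Feeds failed requests through a fresh handler and records what it did.
function runSample(events) {
  const log = { warnings: [], scheduled: [] };
  const handler = createGlobalHandler({
    reload: () => {},
    warn: (msg) => log.warnings.push(msg),
    schedule: (fn, ms) => log.scheduled.push(ms),
  });
  log.actions = events.map((e) => handler({ status: e.status }, e));
  return log;
}
// Constructed sample events (URLs and statuses are made up for the example).
const SAMPLE_EVENTS = [
  { type: 'GET', url: '/apps/files/', status: 0, skipGlobalReload: true },
  { type: 'GET', url: '/settings/admin', status: 500 },
  { type: 'PROPFIND', url: '/example/dav/', status: 0 },
  { type: 'PROPFIND', url: '/example/dav/docs', status: 0 },
];
console.log(runSample(SAMPLE_EVENTS));
```

The opted-out request is only reported, while the unflagged PROPFIND failures still schedule a reload, so the flag stops the loop on the admin page without addressing whatever is blocking the requests.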

Member

PVince81 commented Jun 23, 2016

Fix here: #25239

Can you guys who have the reload issue try it out ?

fuco809 commented Jun 23, 2016

applied the changes in core/js/setupchecks.js on a 9.0.3rc1 ... now the page reload (loop) disappears, but OC not fully loading/not functionally because propfind http request times out (on my testserver).

Member

PVince81 commented Jun 23, 2016

@fuco809 thanks. Yeah, there is indeed a setup issue on your side.

Goal of my PR was mostly to avoid the annoying reload while trying to figure out how to fix the env.

@PVince81 PVince81 closed this in #25239 Jun 24, 2016

n2five6 commented Jun 24, 2016

@fuco809: Thanks! It looks like there will be something blocked on our LB. We opened now a support Ticket by KEMP.

@PVince81: Is there a List which HTTP-Methods are used from ownCloud?

Member

PVince81 commented Jun 24, 2016

I can't seem to find an explicit list. Mostly the verbs commonly used by REST and Webdav APIs:

  • GET
  • POST
  • PUT
  • MOVE
  • DELETE
  • PROPPATCH
  • PROPFIND
  • REPORT
    (from the top of my head)

ghost commented Jun 26, 2016

There are also others like MKCOL. Personally i'm using those:

https://forum.owncloud.org/viewtopic.php?f=23&t=10519&p=26878#p26878

NestorTejero commented Sep 12, 2016

On OwnCloud 9.1.0 we are getting the same error. Our code already contains the fix linked above, but it looks like it is just hiding the error, not going to the root cause.

We get this:

admin:1 Mixed Content: The page at 'https://owncloud.XXX.com/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://owncloud.XXX.com/apps/files/'. This request has been blocked; the content must be served over HTTPS.

Just for reference, we have an SSL certificate running in the server, so that the main page for OC is https://owncloud.XXX.com.

Member

PVince81 commented Sep 12, 2016

Yes, the above code only removes the useless reloading to make it possible for you to examine the network console and other possible environment errors.
