ownCloud 9.0.2 security and setup warnings are endlessly reloading #24309

Closed
LukasReschke opened this Issue Apr 27, 2016 · 27 comments

@LukasReschke
Member

Other users have reported this as well in the bug tracker, with ownCloud Proxy I now face this as well. I'm debugging this…

@LukasReschke LukasReschke self-assigned this Apr 27, 2016
@LukasReschke LukasReschke added the bug label Apr 27, 2016
@LukasReschke
Member

Mixed Content: The page at 'https://█████.owncloudconnect.com/owncloud/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://█████.owncloudconnect.com/owncloud/apps/files/'. This request has been blocked; the content must be served over HTTPS.
Navigated to https://█████.owncloudconnect.com/owncloud/settings/admin

@ghost
ghost commented Apr 27, 2016 edited

Dup: #24293 ? :-)

@Xenopathic
Member

@LukasReschke Do you get a warning printed before the reload with #24126 applied?

@PVince81
Collaborator

Setting to critical as this makes the admin page unusable in such environments.

@PVince81
Collaborator

@LukasReschke any progress on the debugging front ?

@PVince81
Collaborator
PVince81 commented May 2, 2016

Likely an env issue, moving to 9.0.3 as it would still be good to find out what is going on

@PVince81
Collaborator
PVince81 commented Jun 2, 2016

Ok, so the SSL warning might be causing a reload from what I read

@PVince81
Collaborator
PVince81 commented Jun 8, 2016

It looks like the global ajax error handler is getting a lot of false positives, and that only because it is assuming that a failed XMLHttpRequest is due to a cross-domain request trying to connect to an IDP in an SSO situation.

Anyway, I think we should backport #24126 which will at least introduce a delay and give the admin a chance to see the current messages, which can already be useful to find out what is wrong in their env.

I'll prepare a backport PR.

@PVince81
Collaborator
PVince81 commented Jun 8, 2016

PR here #25035

@icewind1991
Member

@PVince81 is this closed with #25035 ?

@PVince81
Collaborator

Kind of, yes. At least it gives admin a better chance of seeing warnings and debugging.

However it was reported again here #25058 (comment) maybe with more chance to find out about the core issue.

@PVince81 PVince81 closed this Jun 10, 2016
@fuco809
fuco809 commented Jun 21, 2016

Same issue here. OC9.0.2.2 + php7 + centos7 (latest patches), proxy needed and configured in config.php, and an additional reverse-proxy apache in front. The issue appears when using http://ocserver, but when using https it works. When accessing owncloud-apache directly (without the reverse proxy) it also works with http (and https).

@fuco809
fuco809 commented Jun 21, 2016 edited

[Screenshot: reload_site_oc9]

After login to OC I get the loop on /owncloud/apps/files/

I tried to figure out the root cause. It seems that js.js makes the reload (see screenshot).
I also tried the #25058 tips with apache config and overwritehost/overwritehostport. No effect.
I also tried OC9.0.3RC1, and there is the 5sec delay message, but the problem still exists.
Any hints?

The add content button does not appear (before reload)
[Screenshot: no_add_content]

@PVince81
Collaborator

js.js makes the reload because it detected an ajax error and believes that it was a cross-site SSO redirect. Currently there is no good way to detect such situations.

In your specific case you need to find out why the ajax call causes an error in the first place, likely an issue in your env.

@fuco809
fuco809 commented Jun 21, 2016

With browser debugging mode I found this message while loading the page, but I am not sure if this is relevant.

The requested URL /core/vendor/jquery/jquery-1.10.2.js was not found on this server.

@n2five6
n2five6 commented Jun 22, 2016

We have the same problem with OC 9.0.2 behind an LB.
The LB delivers the SSL cert (no cert is configured on the server side).

When I tried to debug the error with FF, I also saw that there is something with the Content-Security-Policy. Maybe it also has to do with the .ocdata error (which we have as well).

[Screenshot: owncloud-redirect]

[Wed Jun 22 15:08:20.835144 2016] [authz_core:error] [pid 3020] [client ██.██.██.██:12784] AH01630: client denied by server configuration: /srv/www/owncloud-lt/data/.ocdata

@fuco809
fuco809 commented Jun 23, 2016

For my case I found the cause and a solution. The PROPFIND HTTP requests are filtered somewhere (IPS, ...) and without them the page always reloads. Now, after fixing this, the reloads disappear and everything is working fine.
@n2five6: as your screenshot shows, you have at least the same problem with PROPFIND requests.

@PVince81
Collaborator

Now thinking of it, I might have a solution to prevent the reload in case the setup checks are triggering the "global ajax error" condition. I'll add an exclusion flag for the setup checks.
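
The false-positive behaviour and the exclusion flag discussed in this thread, sketched as an added example (this is not ownCloud's js.js or the code from #25239). The flag name `skipGlobalErrorReload`, the function names and the sample URL are hypothetical.

```javascript
// Added illustration, not ownCloud code. A global ajax error handler only
// sees that a request failed, not why it failed.
function makeGlobalAjaxErrorHandler(scheduleReload, notify) {
  let reloadScheduled = false;
  return function onAjaxError(xhr, settings) {
    // status 0: the script received no HTTP response at all. That happens on
    // a cross-origin SSO redirect, but also on blocked mixed content, a verb
    // filtered by a proxy/IPS, or a timeout.
    if (xhr.status !== 0) return 'ignored';
    if (settings.skipGlobalErrorReload) {        // hypothetical exclusion flag
      notify('Request to ' + settings.url + ' failed; check the network console');
      return 'reported';
    }
    if (!reloadScheduled) {                      // schedule one reload only
      reloadScheduled = true;
      notify('Problem loading page, reloading shortly');
      scheduleReload();
    }
    return 'reload';
  };
}

// Feed constructed request failures through a fresh handler and record what it did.
function simulate(requests) {
  let reloads = 0;
  const messages = [];
  const handler = makeGlobalAjaxErrorHandler(() => { reloads++; }, m => messages.push(m));
  const outcomes = requests.map(r => handler({ status: r.status }, r));
  return { reloads, messages, outcomes };
}

// Constructed sample: a setup check that requests an http:// URL from an
// https:// admin page is blocked by the browser and surfaces as status 0.
const SETUP_CHECK = { url: 'http://cloud.example.test/owncloud/apps/files/', status: 0 };

const withoutFlag = simulate([SETUP_CHECK]);                                     // reload loop
const withFlag = simulate([{ ...SETUP_CHECK, skipGlobalErrorReload: true }]);    // admin page stays up

console.log(withoutFlag.outcomes, withFlag.outcomes, withFlag.messages);
```

With the flag set, the admin page stays loaded and the underlying failure (mixed content, blocked verb) remains visible in the browser's network console.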

@PVince81 PVince81 reopened this Jun 23, 2016
@PVince81 PVince81 assigned PVince81 and unassigned LukasReschke Jun 23, 2016
@PVince81 PVince81 added sev2-high and removed sev1-critical labels Jun 23, 2016
@PVince81
Collaborator

Fix here: #25239

Can you guys who have the reload issue try it out ?

@fuco809
fuco809 commented Jun 23, 2016 edited

Applied the changes in core/js/setupchecks.js on a 9.0.3rc1 ... now the page reload (loop) disappears, but OC is not fully loading/not functional because the PROPFIND HTTP request times out (on my test server).

@PVince81
Collaborator

@fuco809 thanks. Yeah, there is indeed a setup issue on your side.

Goal of my PR was mostly to avoid the annoying reload while trying to figure out how to fix the env.

@PVince81 PVince81 closed this in #25239 Jun 24, 2016
@n2five6
n2five6 commented Jun 24, 2016

@fuco809: Thanks! It looks like something is being blocked on our LB. We have now opened a support ticket with KEMP.

@PVince81: Is there a list of which HTTP methods are used by ownCloud?

@PVince81
Collaborator

I can't seem to find an explicit list. Mostly the verbs commonly used by REST and WebDAV APIs:

  • GET
  • POST
  • PUT
  • MOVE
  • DELETE
  • PROPPATCH
  • PROPFIND
  • REPORT
    (from the top of my head)
@ghost
ghost commented Jun 26, 2016

There are also others like MKCOL. Personally I'm using those:

https://forum.owncloud.org/viewtopic.php?f=23&t=10519&p=26878#p26878
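
One way to check whether a load balancer, IPS or server configuration is rejecting the verbs listed above, as an added example that is not from the thread or the ownCloud project: tally the verbs in a backend access log. The log lines are constructed, and treating 403/405/501 as "rejected" is an assumption of this sketch.

```javascript
// Verbs named in this thread: PVince81's list plus MKCOL.
const EXPECTED = ['GET', 'POST', 'PUT', 'MOVE', 'DELETE',
                  'PROPPATCH', 'PROPFIND', 'REPORT', 'MKCOL'];
// Assumption: these statuses mean the verb was refused rather than processed.
const REJECT = new Set([403, 405, 501]);
// Common/combined log format: host ident user [time] "VERB path proto" status size
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /;

function auditMethods(logText) {
  const stats = {};
  for (const verb of EXPECTED) stats[verb] = { seen: 0, rejected: 0 };
  for (const line of logText.split('\n')) {
    const m = LINE.exec(line);
    if (!m || !stats[m[2]]) continue;            // unparsable line or other verb
    stats[m[2]].seen++;
    if (REJECT.has(Number(m[4]))) stats[m[2]].rejected++;
  }
  return {
    stats,
    // Never reaching the backend can mean an upstream device drops the verb,
    // or simply that no client sent it during the sampled period.
    neverSeen: EXPECTED.filter(v => stats[v].seen === 0),
    rejected: EXPECTED.filter(v => stats[v].rejected > 0),
  };
}

// Constructed sample log (documentation IP range, made-up paths and users).
const SAMPLE_LOG = [
  '192.0.2.10 - alice [23/Jun/2016:10:00:01 +0200] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 5120',
  '192.0.2.10 - alice [23/Jun/2016:10:00:02 +0200] "PROPFIND /owncloud/remote.php/webdav/ HTTP/1.1" 405 312',
  '192.0.2.10 - alice [23/Jun/2016:10:00:03 +0200] "PROPFIND /owncloud/remote.php/webdav/docs HTTP/1.1" 207 2048',
  '192.0.2.11 - bob [23/Jun/2016:10:00:04 +0200] "PUT /owncloud/remote.php/webdav/a.txt HTTP/1.1" 201 0',
  '192.0.2.11 - bob [23/Jun/2016:10:00:05 +0200] "MKCOL /owncloud/remote.php/webdav/new HTTP/1.1" 403 220',
  '192.0.2.11 - bob [23/Jun/2016:10:00:06 +0200] "DELETE /owncloud/remote.php/webdav/a.txt HTTP/1.1" 204 0',
  '192.0.2.11 - bob [23/Jun/2016:10:00:07 +0200] "POST /owncloud/index.php/login HTTP/1.1" 200 900',
].join('\n');

const report = auditMethods(SAMPLE_LOG);
console.log('rejected:', report.rejected, 'never seen:', report.neverSeen);
```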

@NestorTejero

On OwnCloud 9.1.0 we are getting the same error. Our code already contains the fix linked above, but it looks like it is just hiding the error, not going to the root cause.

We get this:

admin:1 Mixed Content: The page at 'https://owncloud.XXX.com/settings/admin' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://owncloud.XXX.com/apps/files/'. This request has been blocked; the content must be served over HTTPS.

Just for reference, we have an SSL certificate running in the server, so that the main page for OC is https://owncloud.XXX.com.

@PVince81
Collaborator

Yes, the above code only removes the useless reloading to make it possible for you to examine the network console and other possible environment errors.
