On 11/18/15 19:45, Bryan Talbot wrote:
> Hard to guess what the issue is but haproxy logging would probably
> help. However, the logging configuration is a bit of a mess as it's
> configured to be "all on" and "all off" at the same time. There are
> also other configuration oddities.

Well, I'm actually quite new to Haproxy, so I just followed some random
tutorial for domain proxying. It worked (I've got a few websites on it),
so I just assumed it's ok.

> 4096 bit DH params will be pretty slow to handshake. Maybe that's
> okay in your circumstance though since you seem to be using this
> for a personal use and not expecting a high connection rate. You
> also have an 8 kbit RSA self-signed certificate and are using 256 bit
> ciphers which increase TLS overhead.

I want it to be secure, and I don't want to touch my settings for quite
a while, so I just took the strongest algorithms there are, and 2x the
recommended values for things like the private key or DH params. The
hardware is pretty powerful and I've already checked that I don't have
a huge load.

> Is that where the logging socket is on FreeBSD now? I haven't used
> FreeBSD in quite a while.

Yes, the default is /var/run/log.

>     maxconn 4096
>     user daemon
>     group daemon
>     daemon
>
> defaults
>     mode http
>     option httplog
>     option dontlognull
>     option forwardfor
>     option http-server-close
>     option httpclose
>     option tcplog
>     option dontlog-normal
>
> You have both tcp logging and http logging enabled at the same
> time. In addition, you also have all logging disabled with
> "dontlognull" and "dontlog-normal". If all your proxies are HTTP
> like you've shown, just enable httplog and remove the tcplog
> option. When troubleshooting, enable logging at least for normal
> connections.
>
> You also do not want to use both httpclose and http-server-close
> since they conflict. Remove option httpclose.
>
> Timeouts are also missing and you should be getting warnings about
> that too.
>
> [WARNING] 321/103152 (87887) : config : missing timeouts for proxy 'https-in'.
>    | While not properly invalid, you will certainly encounter various problems
>    | with such a configuration. To fix this, please ensure that all following
>    | timeouts are set to a non-zero value: 'client', 'connect', 'server'.

Well, it seems that the person who wrote the tutorial I used doesn't know
much about Haproxy either...

> frontend http-in
>     bind 192.168.11.3:80
>     reqadd X-Forwarded-Proto:\ http
>     redirect scheme https code 301 if !{ ssl_fc }
>
> frontend https-in
>     option httplog
>     option forwardfor
>     option http-server-close
>     option httpclose
>
> Don't need to repeat all of the above since it should be set in
> defaults above (if set properly). With no "log global" you won't
> get any logs anyway and are probably seeing a warning when haproxy
> checks the config or starts.
>
> [WARNING] 321/103109 (87884) : config : log format ignored for
> proxy 'https-in' since it has no log address.
>
>     rspadd Public-Key-Pins:\ pin-sha256="1Pw5h93NOsPw6j/vaTYl5VvW9cmtuZXtNP3cVz10hKo=";\ max-age=15768000;\ includeSubDomains
>
> AFAIK, HPKP is only somewhat supported by only the most recent
> browser releases. I believe that it's also ignored by them for
> certificates which are self-signed or signed by a CA that is not in
> the browser's system-defined CA set. Probably doesn't cause your
> issue but who knows -- it is still experimental.
>
> The "http-response set-header" supported in haproxy 1.5 and later
> is more powerful and easier to read than the old reqadd and rspadd
> features.
>
>     bind 192.168.11.3:443 ssl crt /usr/local/etc/haproxy.pem ciphers AES256+EECDH:AES256+EDH force-tlsv12 no-sslv3
>
> Don't need to repeat these options that are already set globally.
> backend 10amd64
>     server node1 192.168.11.3:81 cookie A check
>
> Setting sticky cookies and not using them is probably harmless but
> what's the point?
>
> -Bryan

Debug logs from uploading a file:

000000c1:https-in.clicls[0007:ffffffff]
000000c1:https-in.closed[0007:ffffffff]
000000c2:https-in.accept(0006)=0007 from [xxx:59266]
000000c2:https-in.clireq[0007:ffffffff]: POST /index.php/apps/files/ajax/upload.php HTTP/1.1
000000c2:https-in.clihdr[0007:ffffffff]: Host: owncloud.anongoth.pl
000000c2:https-in.clihdr[0007:ffffffff]: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
000000c2:https-in.clihdr[0007:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
000000c2:https-in.clihdr[0007:ffffffff]: Accept-Language: en-US, en
000000c2:https-in.clihdr[0007:ffffffff]: Accept-Encoding: gzip, deflate
000000c2:https-in.clihdr[0007:ffffffff]: DNT: 1
000000c2:https-in.clihdr[0007:ffffffff]: requesttoken: e6185c74050ccda163a7f6d9299933a12b9fae66e46b97d1eed750c9ecd71dd2|C4wwTFEOp91R6xc+|c0bfb65f7efde2cfef547746306f38851c4bb5d31ef88ae1eefcdd53427d26f811fb0b2891eda7d83bf294c7001908be9d6bed4945e3ec10d20d33a86b287e4d:LIqKtjdfdt
000000c2:https-in.clihdr[0007:ffffffff]: OCS-APIREQUEST: true
000000c2:https-in.clihdr[0007:ffffffff]: X-Requested-With: XMLHttpRequest
000000c2:https-in.clihdr[0007:ffffffff]: Content-Length: 62097
000000c2:https-in.clihdr[0007:ffffffff]: Content-Type: multipart/form-data; boundary=---------------------------3844567219113320101696717050
000000c2:https-in.clihdr[0007:ffffffff]: Cookie: ocjqxjycd6wr=1f3mn4h9ncl9f4cl28u90lu725; oc_sessionPassphrase=Do%2BQt88ScojKqxe7kcaU75UzgMvtjhAQY%2FCF5lb9Wg%2F0KfEOowN%2F2vhuS3SxU3M2Gn5jdUgRvJ%2BB8VtB6Hs0tSq1djP3mQKWSbR09LNb5sGTprx%2BmtTNQsMFRDbLrDgO
000000c2:https-in.clihdr[0007:ffffffff]: Accept-Charset: *
000000c2:https-in.clihdr[0007:ffffffff]: Connection: keep-alive
000000c2:https-in.clihdr[0007:ffffffff]: Pragma: no-cache
000000c2:https-in.clihdr[0007:ffffffff]: Cache-Control: no-cache
000000c2:owncloud.srvcls[0007:0008]
000000c2:owncloud.clicls[0007:0008]
000000c2:owncloud.closed[0007:0008]
000000c3:https-in.accept(0006)=0007 from [xxx:62671]
000000c3:https-in.clireq[0007:ffffffff]: GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1
000000c3:https-in.clihdr[0007:ffffffff]: Host: owncloud.anongoth.pl
000000c3:https-in.clihdr[0007:ffffffff]: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
000000c3:https-in.clihdr[0007:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
000000c3:https-in.clihdr[0007:ffffffff]: Accept-Language: en-US, en
000000c3:https-in.clihdr[0007:ffffffff]: Accept-Encoding: gzip, deflate
000000c3:https-in.clihdr[0007:ffffffff]: DNT: 1
000000c3:https-in.clihdr[0007:ffffffff]: requesttoken: e6185c74050ccda163a7f6d9299933a12b9fae66e46b97d1eed750c9ecd71dd2|C4wwTFEOp91R6xc+|c0bfb65f7efde2cfef547746306f38851c4bb5d31ef88ae1eefcdd53427d26f811fb0b2891eda7d83bf294c7001908be9d6bed4945e3ec10d20d33a86b287e4d:LIqKtjdfdt
000000c3:https-in.clihdr[0007:ffffffff]: OCS-APIREQUEST: true
000000c3:https-in.clihdr[0007:ffffffff]: X-Requested-With: XMLHttpRequest
000000c3:https-in.clihdr[0007:ffffffff]: Cookie: ocjqxjycd6wr=1f3mn4h9ncl9f4cl28u90lu725; oc_sessionPassphrase=Do%2BQt88ScojKqxe7kcaU75UzgMvtjhAQY%2FCF5lb9Wg%2F0KfEOowN%2F2vhuS3SxU3M2Gn5jdUgRvJ%2BB8VtB6Hs0tSq1djP3mQKWSbR09LNb5sGTprx%2BmtTNQsMFRDbLrDgO
000000c3:https-in.clihdr[0007:ffffffff]: Accept-Charset: *
000000c3:https-in.clihdr[0007:ffffffff]: Connection: keep-alive
000000c3:owncloud.srvrep[0007:0008]: HTTP/1.1 200 OK
000000c3:owncloud.srvhdr[0007:0008]: X-Powered-By: PHP/5.6.14
000000c3:owncloud.srvhdr[0007:0008]: Expires: Thu, 19 Nov 1981 08:52:00 GMT
000000c3:owncloud.srvhdr[0007:0008]: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
000000c3:owncloud.srvhdr[0007:0008]: Pragma: no-cache
000000c3:owncloud.srvhdr[0007:0008]: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
000000c3:owncloud.srvhdr[0007:0008]: X-XSS-Protection: 1; mode=block
000000c3:owncloud.srvhdr[0007:0008]: X-Content-Type-Options: nosniff
000000c3:owncloud.srvhdr[0007:0008]: X-Frame-Options: Sameorigin
000000c3:owncloud.srvhdr[0007:0008]: X-Robots-Tag: none
000000c3:owncloud.srvhdr[0007:0008]: Content-Type: application/json; charset=utf-8
000000c3:owncloud.srvhdr[0007:0008]: Connection: close
000000c3:owncloud.srvhdr[0007:0008]: Transfer-Encoding: chunked
000000c3:owncloud.srvhdr[0007:0008]: Date: Thu, 19 Nov 2015 09:54:07 GMT
000000c3:owncloud.srvhdr[0007:0008]: Server: lighttpd/1.4.37
000000c4:https-in.clicls[0007:ffffffff]
000000c4:https-in.closed[0007:ffffffff]

I've also removed rspadd and all option entries from https-in. My
defaults section now is:

    mode http
    option httplog
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

On 11/18/15 20:14, Janusz Dziemidowicz wrote:
> 2015-11-18 19:45 GMT+01:00 Bryan Talbot <[email protected]>:
>> AFAIK, HPKP is only somewhat supported by only the most recent
>> browser releases. I believe that it's also ignored by them for
>> certificates which are self-signed or signed by a CA that is not in
>> the browser's system-defined CA set. Probably doesn't cause your
>> issue but who knows -- it is still experimental.
>
> There is also one more detail people often miss about HPKP. In
> order for HPKP to work, you MUST have a backup pin, that is a pin
> for a certificate that is offline. That means at least two pins,
> otherwise this whole header is ignored. See RFC7469 section 2.5.
> Also use tools in browsers, like Chrome net internals, to verify
> that it is correctly noted by the browser.

Thanks, I'll take care of it after I'm done with uploading files.
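For reference, below is a configuration that applies the points raised in this thread in one place: "log global" in defaults so the proxies actually emit log lines, httplog without tcplog, http-server-close without httpclose, the three mandatory timeouts, TLS settings moved to the global section instead of being repeated on each bind line, and the HPKP header emitted with http-response set-header and the two pins RFC 7469 section 2.5 requires. This is an added example, not the original poster's configuration: the addresses and certificate path are taken from the thread, the backup pin value is a placeholder, and the backend name and server line are assumed. Two caveats a practitioner should keep in mind: a pin set that does not match the served chain locks returning visitors out for the full max-age (here about six months), and major browsers have since removed HPKP support entirely, so today the header is mostly a historical artifact.

```haproxy
# Added example, not from the original thread. Addresses, the certificate
# path and the server line are assumptions; the backup pin is a placeholder.
global
    log /var/run/log local0              # FreeBSD syslogd socket, as noted in the thread
    maxconn 4096
    user daemon
    group daemon
    daemon
    # TLS settings once, globally, instead of repeating them on every bind line
    tune.ssl.default-dh-param 2048        # 4096 works but makes every DHE handshake slow
    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH
    ssl-default-bind-options force-tlsv12 no-sslv3

defaults
    log global                            # without this no frontend/backend logs anything
    mode http
    option httplog                        # httplog only; tcplog conflicts with it in HTTP mode
    option forwardfor
    option http-server-close              # do not combine with "option httpclose"
    # dontlognull / dontlog-normal deliberately left out while troubleshooting
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http-in
    bind 192.168.11.3:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 192.168.11.3:443 ssl crt /usr/local/etc/haproxy.pem
    # RFC 7469 section 2.5: at least two pins, one of them for a key held
    # offline, otherwise browsers ignore the whole header. The second value
    # below is a placeholder; compute it from the backup key's CSR with:
    #   openssl req -in backup.csr -pubkey -noout \
    #     | openssl pkey -pubin -outform der \
    #     | openssl dgst -sha256 -binary | base64
    http-response set-header Public-Key-Pins "pin-sha256=\"1Pw5h93NOsPw6j/vaTYl5VvW9cmtuZXtNP3cVz10hKo=\"; pin-sha256=\"<BACKUP-SPKI-PIN>\"; max-age=15768000; includeSubDomains"
    default_backend owncloud

backend owncloud
    # "cookie A" from the original was dropped: with one server there is nothing to stick to
    server node1 192.168.11.3:81 check
```

Run `haproxy -c -f /usr/local/etc/haproxy.conf` after editing: with the timeouts and "log global" in place, the two [WARNING] lines quoted above should no longer appear, and normal requests will start showing up in the syslog facility configured on the global "log" line.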

