On 28.04.2013 20:00, Stefan Herbrechtsmeier wrote:
Am 28.04.2013 19:03, schrieb Phillip Sengel:
Hello Owncloud List,
I am running my owncloud on a webserver inside a private network. It
is hosted here solely via http (port 80). Clients on the internal
network access it without ssl protection.
Another webserver is running on a host which is facing both the
internet as well as the private network. This instance provides
reverse proxy functionality into the internal owncloud installation
for external clients. It is configured to communicate to the clients
only via https (port 443).
Problem:
When I access owncloud from the internet via the OC login page or via
a shared link which is password protected I will be redirected to
http protocol.
Troubleshooting done so far:
Shared Link with password protection:
For the shared link it was quite easy to find out the reason: looking
at the html source of the shared link authentication page I found out
it has the full quallified URL in the form action like this:
<form
action="http://cloud.external.com/public.php?service=files&t=79797979797979797979797979797979";
method="post">
This cannot be dealt by the reverse proxy unless you implement html
rewriting here.
Considering the common practice to set up a http vhost "silently"
redirecting to https the password would be transmitted not ssl
secured without the user noticing it. Maybe recent browsers will show
a warning message that the form information will be transfered
unprotected as my firefox did, but still I would concider this a
security problem.
According to the owncloud documentation there are built in mechanisms
to auto-detect hostname, protocol and webroot. But they can fail in
some situations:
http://doc.owncloud.org/server/5.0/admin_manual/configuration/configuration_reverseproxy.html
So I have tried to work around my problem by setting the
"overwrite..." directives in config.php. But that will not work for
my setup because it will rewrite the protocol also for the internal
clients.
Have you set the "overwritecondaddr" to the regulate expression of
your proxy ip address to only overwrite requests from the proxy?
Kind regards,
Stefan
Thanks Stefan,
that fixes the issue.
How about reverse proxy servers which will do "transparent" proxy-ing? I
want to do web analysis against the logs of the apache installation
which is effectively serving owncloud, but currently all client IPs are
masqueraded as the internal IP of the reverse proxy. Would the
overwrite... method still work after configuring the reverse proxy to go
transparent?
best regards
Phillip
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
