Description
Steps to reproduce
- Install Nextcloud on your own subdomain (e.g. docs.rpadovani.com) - using nginx and postgresql
- Log in to the website in a tab
- Open a new tab
- Go to the root of the website (type docs.rpadovani.com)
Expected behaviour
Redirection to https://docs.rpadovani.com/apps/files/
Actual behaviour
503 error
If I write anything after the / (like https://docs.rpadovani.com/ThisURLDOESNNOTEXIST) redirection works fine
If I write https://docs.rpadovani.com in a tab where I already logged in, redirection works. Only new tabs are broken
Server configuration
Operating system: Ubuntu 16.04.1
Web server: nginx 1.10.0 with this configuration:
```nginx
upstream php-handler {
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name docs.rpadovani.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name docs.rpadovani.com;

    ssl_certificate /etc/letsencrypt/live/docs.rpadovani.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docs.rpadovani.com/privkey.pem;

    # Security options by cipherli.st
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # add_header X-Frame-Options DENY;

    # Following https://weakdh.org/sysadmin.html
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
```
Database: postgresql 9.5
PHP version: PHP 7.0.8-0ubuntu0.16.04.1
Nextcloud version: 9.0.53 (stable)
Updated from an older Nextcloud/ownCloud or fresh install: fresh install
Where did you install Nextcloud from: source
Signing status:
No errors have been found.
List of activated apps:
App list
Enabled:
- activity: 2.2.1
- admin_audit: 1.0.0
- calendar: 1.3.1
- comments: 0.2
- contacts: 1.3.1.0
- dav: 0.1.6
- documents: 0.12.0
- federatedfilesharing: 0.1.0
- federation: 0.0.4
- files: 1.4.4
- files_pdfviewer: 0.8.1
- files_sharing: 0.9.1
- files_texteditor: 2.1
- files_trashbin: 0.8.0
- files_versions: 1.2.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 14.5.0
- news: 8.8.0
- notifications: 0.2.3
- password_policy: 1.0.0
- provisioning_api: 0.4.1
- systemtags: 0.2
- templateeditor: 0.1
- theming: 0.1.0
- updatenotification: 0.1.0
Disabled:
- bookmarks
- encryption
- external
- files_external
- user_external
- user_ldap
- user_saml
The content of config/config.php:
Config report
```json
{
    "system": {
        "instanceid": "och9eg6xraef",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "docs.rpadovani.com"
        ],
        "datadirectory": "\/opt\/nextcloud",
        "overwrite.cli.url": "https:\/\/docs.rpadovani.com",
        "dbtype": "pgsql",
        "version": "9.0.53.0",
        "dbname": "nextcloud",
        "dbhost": "localhost:5432",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "appstore.experimental.enabled": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379
        },
        "memcache.locking": "\\OC\\Memcache\\Redis"
    }
}
```
Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Client configuration
Chrome/Chromium also on a fresh installation or in incognito mode
Logs
Web server error log
/var/log/nginx/error.log says nothing. /var/log/nginx/access.log:
37.182.xxx.xxx - - [25/Jul/2016:12:39:08 +0000] "GET / HTTP/1.1" 503 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"
nothing
Browser log
console.log shows nothing; network does a request to docs.rpadovani.com
**GENERAL**
Request URL:https://docs.rpadovani.com/
Request Method:GET
Status Code:503 Service Unavailable
Remote Address:151.80.148.178:443
**Response Headers**
Cache-Control:no-store, no-cache, must-revalidate
Connection:keep-alive
Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Content-Type:text/html; charset=UTF-8
Date:Mon, 25 Jul 2016 12:41:23 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/1.10.0 (Ubuntu)
Set-Cookie:nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie:nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Transfer-Encoding:chunked
**Request Headers**
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8,it;q=0.6
Cache-Control:max-age=0
Connection:keep-alive
Cookie:oc_sessionPassphrase=xxx; och9eg6xraef=xxx; oc_username=rpadovani; oc_token=xxx; oc_remember_login=1; nc_sameSiteCookielax=true
DNT:1
Host:docs.rpadovani.com
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36