[Owncloud] apache reverse proxy with ssl offload not possible (possible security problem)

Stefan Herbrechtsmeier stefan at herbrechtsmeier.net
Sun Apr 28 18:00:26 UTC 2013 

Am 28.04.2013 19:03, schrieb Phillip Sengel:
> Hello Owncloud List,
>
> I am running my owncloud on a webserver inside a private network. It 
> is hosted here solely via http (port 80). Clients on the internal 
> network access it without ssl protection.
>
> Another webserver is running on a host which is facing both the 
> internet as well as the private network. This instance provides 
> reverse proxy functionality into the internal owncloud installation 
> for external clients. It is configured to communicate to the clients 
> only via https (port 443).
>
> Problem:
> When I access owncloud from the internet via the OC login page or via 
> a shared link which is password protected I will be redirected to http 
> protocol.
>
> Troubleshooting done so far:
>
> Shared Link with password protection:
> For the shared link it was quite easy to find out the reason: looking 
> at the html source of the shared link authentication page I found out 
> it has the full quallified URL in the form action like this:
>
> <form 
> action="http://cloud.external.com/public.php?service=files&t=79797979797979797979797979797979" 
> method="post">
>
> This cannot be dealt by the reverse proxy unless you implement html 
> rewriting here.
> Considering the common practice to set up a http vhost "silently" 
> redirecting to https the password would be transmitted not ssl secured 
> without the user noticing it. Maybe recent browsers will show a 
> warning message that the form information will be transfered 
> unprotected as my firefox did, but still I would concider this a 
> security problem.
>
> According to the owncloud documentation there are built in mechanisms 
> to auto-detect hostname, protocol and webroot. But they can fail in 
> some situations: 
> http://doc.owncloud.org/server/5.0/admin_manual/configuration/configuration_reverseproxy.html
>
> So I have tried to work around my problem by setting the 
> "overwrite..." directives in config.php. But that will not work for my 
> setup because it will rewrite the protocol also for the internal clients.

Have you set the "overwritecondaddr" to the regulate expression of your 
proxy ip address to only overwrite requests from the proxy?

Kind regards,
   Stefan

More information about the Owncloud mailing list