[Owncloud] apache reverse proxy with ssl offload not possible (possible security problem)
Phillip Sengel
phillip at sengel.org
Thu May 2 18:01:38 UTC 2013
On 28.04.2013 20:00, Stefan Herbrechtsmeier wrote:
> On 28.04.2013 19:03, Phillip Sengel wrote:
>> Hello Owncloud List,
>>
>> I am running my owncloud on a webserver inside a private network. It
>> is hosted here solely via http (port 80). Clients on the internal
>> network access it without ssl protection.
>>
>> Another webserver is running on a host which is facing both the
>> internet as well as the private network. This instance provides
>> reverse proxy functionality into the internal owncloud installation
>> for external clients. It is configured to communicate to the clients
>> only via https (port 443).
>>
>> Problem:
>> When I access owncloud from the internet via the OC login page or via
>> a shared link which is password protected I will be redirected to
>> http protocol.
>>
>> Troubleshooting done so far:
>>
>> Shared Link with password protection:
>> For the shared link it was quite easy to find out the reason: looking
>> at the html source of the shared link authentication page I found out
>> it has the full qualified URL in the form action like this:
>>
>> <form
>> action="http://cloud.external.com/public.php?service=files&t=79797979797979797979797979797979"
>> method="post">
>>
>> This cannot be dealt with by the reverse proxy unless you implement html
>> rewriting here.
>> Considering the common practice to set up a http vhost "silently"
>> redirecting to https the password would be transmitted not ssl
>> secured without the user noticing it. Maybe recent browsers will show
>> a warning message that the form information will be transferred
>> unprotected as my firefox did, but still I would consider this a
>> security problem.
>>
>> According to the owncloud documentation there are built in mechanisms
>> to auto-detect hostname, protocol and webroot. But they can fail in
>> some situations:
>> http://doc.owncloud.org/server/5.0/admin_manual/configuration/configuration_reverseproxy.html
>>
>> So I have tried to work around my problem by setting the
>> "overwrite..." directives in config.php. But that will not work for
>> my setup because it will rewrite the protocol also for the internal
>> clients.
>
> Have you set the "overwritecondaddr" to the regular expression of
> your proxy ip address to only overwrite requests from the proxy?
>
> Kind regards,
> Stefan
>
>
Thanks Stefan,
that fixes the issue.
How about reverse proxy servers which will do "transparent" proxy-ing? I
want to do web analysis against the logs of the apache installation
which is effectively serving owncloud, but currently all client IPs are
masqueraded as the internal IP of the reverse proxy. Would the
overwrite... method still work after configuring the reverse proxy to go
transparent?
best regards
Phillip
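
Added example, not part of the original messages and not ownCloud's own code: a config.php fragment for the conditional overwrite discussed above, with a small model of the address check showing why the `overwritecondaddr` pattern should be anchored and have its dots escaped. The proxy address 10.0.0.1, the client addresses, the helper function names and the assumption that the condition is an unanchored regex search on the connecting address are all illustrative.

```php
<?php
// Added illustration, not ownCloud source. The proxy address 10.0.0.1 and the
// client addresses below are constructed sample values.

// Fragment as it would appear inside $CONFIG in config.php.
$CONFIG = array(
    // Generate https:// URLs (form actions, redirects) ...
    'overwriteprotocol' => 'https',
    // ... but only for requests whose source address matches this regex.
    // Anchored, with escaped dots, so it matches the proxy and nothing else.
    'overwritecondaddr' => '^10\.0\.0\.1$',
);

// Same setting with a loose pattern: unanchored, and "." matches any character.
$loose = array('overwriteprotocol' => 'https', 'overwritecondaddr' => '10.0.0.1');

// Assumed model of the check: unanchored regex search on the connecting address.
function overwrite_applies($condRegex, $remoteAddr)
{
    if ($condRegex === '') {
        return true; // no condition configured: overwrite for every request
    }
    return preg_match('/' . $condRegex . '/', $remoteAddr) === 1;
}

// Scheme used when building absolute URLs for a request from $remoteAddr.
function scheme_for(array $config, $remoteAddr, $requestScheme)
{
    $cond = isset($config['overwritecondaddr']) ? $config['overwritecondaddr'] : '';
    if (isset($config['overwriteprotocol']) && overwrite_applies($cond, $remoteAddr)) {
        return $config['overwriteprotocol'];
    }
    return $requestScheme; // direct internal clients keep plain http
}

// Proxy first, then three internal clients that connect directly over http.
foreach (array('10.0.0.1', '10.0.0.17', '10.0.0.100', '192.168.1.20') as $addr) {
    printf("%-13s anchored=%-5s loose=%s\n", $addr,
        scheme_for($CONFIG, $addr, 'http'), scheme_for($loose, $addr, 'http'));
}
```

With the loose pattern, internal clients whose address merely contains the proxy's address are also handed https links, which reproduces the original problem for those hosts.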