Nextcloud OIDC integration
-
@andreasdueren Not that adding 127.0.1.1 to the proxies did the trick but rebooting the app will reset this section in the config file.
@andreasdueren said in Nextcloud OIDC integration:
@andreasdueren Not that adding 127.0.1.1 to the proxies did the trick but rebooting the app will reset this section in the config file.
What proxy are you referring to here?
-
@andreasdueren said in Nextcloud OIDC integration:
@andreasdueren Not that adding 127.0.1.1 to the proxies did the trick but rebooting the app will reset this section in the config file.
What proxy are you referring to here?
@Joseph In the config file:
'trusted_proxies' => array ( 0 => '172.18.0.1', ), -
Just checked the logs (they are absolutely full):
LocalServerException Host "127.0.1.1" (my.tld.onl:80) violates local access rules Could not reach the provider at URL https://my.tld.onl/openid/.well-known/openid-configuration@andreasdueren said in Nextcloud OIDC integration:
Just checked the logs (they are absolutely full):
LocalServerException Host "127.0.1.1" (my.tld.onl:80) violates local access rules Could not reach the provider at URL https://my.tld.onl/openid/.well-known/openid-configuration@joseph said in Nextcloud OIDC integration:
@andreasdueren can you tell me what made you add
127.0.1.1? Not sure what that IP isThe console complained about it
-
@Joseph So this is weird. Even a fresh install of NC in a new, clean Cloudron is throwing the same error. Any idea why that would be?
-
Did you apply any extra configs to Nextcloud? It is still unclear to me who prints this
LocalServerExceptionand why Nextcloud would refuse to connect to that endpoint. Have you looked in the Nextcloud forum/issue tracker about this?Given that you mentioned, that curl to that endpoint from within the nextcloud container works fine, it is somethign within Nextcloud it seems.
-
Did you apply any extra configs to Nextcloud? It is still unclear to me who prints this
LocalServerExceptionand why Nextcloud would refuse to connect to that endpoint. Have you looked in the Nextcloud forum/issue tracker about this?Given that you mentioned, that curl to that endpoint from within the nextcloud container works fine, it is somethign within Nextcloud it seems.
@nebulon Nope, new Nextcloud, not even logged in yet
-
Best to reach out at support@cloudron.io , it seems hard to debug . Atleast, fresh instances on all our servers and demo instances seem to work fine.
@Joseph Is this something you're interested in debugging? Otherwise I'll just wipe the machine and install fresh
-
@Joseph Is this something you're interested in debugging? Otherwise I'll just wipe the machine and install fresh
-
@andreasdueren thanks for the access! I am making a new package to fix the issue.
For those interested, here is the technical information:
-
On some VPS providers, when you create a VM with hostname
my.foo.com, it will put an entry in /etc/hosts of the server with 127.0.1.1 . -
Starting Cloudron 8, we started using Docker for the DNS resolution. Docker reads /etc/hosts and starts resolving my.foo.com to 127.0.1.1 .
-
This meant that for apps (which are running in containers) using the domain name my.foo.com (like OIDC service) does not work. This is because it's resolving to 127.0.1.1.
-
To workaround this, we added ExtraHosts to container config. Docker simply adds entries to /etc/hosts of the container. Now, when apps try to resolve my.foo.com they will resolve to 172.18.0.1 because /etc/hosts has more priority than DNS look up.
-
This works for all apps... except nextcloud has decided to implement some DNS pinning protection which I think is to prevent against DNS Rebinding attacks. This code looks up DNS directly (thus skipping /etc/hosts lookup) and thus ends up with 127.0.1.1
It blocks the access thinking it's an attack. -
Luckily, there is a config
dns_pinningto disable this functionality.
-
-
@andreasdueren thanks for the access! I am making a new package to fix the issue.
For those interested, here is the technical information:
-
On some VPS providers, when you create a VM with hostname
my.foo.com, it will put an entry in /etc/hosts of the server with 127.0.1.1 . -
Starting Cloudron 8, we started using Docker for the DNS resolution. Docker reads /etc/hosts and starts resolving my.foo.com to 127.0.1.1 .
-
This meant that for apps (which are running in containers) using the domain name my.foo.com (like OIDC service) does not work. This is because it's resolving to 127.0.1.1.
-
To workaround this, we added ExtraHosts to container config. Docker simply adds entries to /etc/hosts of the container. Now, when apps try to resolve my.foo.com they will resolve to 172.18.0.1 because /etc/hosts has more priority than DNS look up.
-
This works for all apps... except nextcloud has decided to implement some DNS pinning protection which I think is to prevent against DNS Rebinding attacks. This code looks up DNS directly (thus skipping /etc/hosts lookup) and thus ends up with 127.0.1.1
It blocks the access thinking it's an attack. -
Luckily, there is a config
dns_pinningto disable this functionality.
-
-
@girish So I should add
'dns_pinning' => false,to the config file? -
@girish Works perfectly now, thanks!
-
Migration of a smaller instance seems to work smoothly so far.
-
@girish Since my installation is user not managed by Cloudron so I can't enable OIDC (but not just this, I can't curl the OIDC Server eventhough it's the same Cloudron server),i just want to let know the issue that I experience lately, after I updated Nextcloud including latest update with DNS Pinning, after update I can't login since the LDAP and Group Backend disabled automaticall after update, so i have to enable manually in Nextcloud Apps, the config in Nextcloud Setting for LDAP/AD Integration is a bit different than previously before update but anywhow I can still login back normally. Please be aware of this issue. Thanks
-
@girish Proposition to change the OpenID Identifier from "Cloudron" to "OpenID" or "SSO" since we can't have the branding from the Cloudron instance
-
@girish Since my installation is user not managed by Cloudron so I can't enable OIDC (but not just this, I can't curl the OIDC Server eventhough it's the same Cloudron server),i just want to let know the issue that I experience lately, after I updated Nextcloud including latest update with DNS Pinning, after update I can't login since the LDAP and Group Backend disabled automaticall after update, so i have to enable manually in Nextcloud Apps, the config in Nextcloud Setting for LDAP/AD Integration is a bit different than previously before update but anywhow I can still login back normally. Please be aware of this issue. Thanks
@firmansi the auth mechanism is chosen at install time. if you go behind cloudron's back and make changes to the app configuration, this will eventually not work. in your situation, you have installation nextcloud without LDAP/OIDC and then later configuring it inside the app manually. This won't work and is not supported. The way to fix this is like this:
- take backup of your nextcloud. download the backup configuration of this new backup
- install new nextcloud with cloudron user management
- import the backup from setup 1 . app -> backups -> import
It will work after this.
-
Do you mean I simply back up in Cloudron? From my understanding, if I do the back up from Cloudron, then when I do the import, it will adjust to the old one without user management managed by Cloudron, please let me know if my assumption is wrong
-
@firmansi the auth mechanism is chosen at install time. if you go behind cloudron's back and make changes to the app configuration, this will eventually not work. in your situation, you have installation nextcloud without LDAP/OIDC and then later configuring it inside the app manually. This won't work and is not supported. The way to fix this is like this:
- take backup of your nextcloud. download the backup configuration of this new backup
- install new nextcloud with cloudron user management
- import the backup from setup 1 . app -> backups -> import
It will work after this.
