Nextcloud / dav account fails due to nginx bot protection

REPRODUCIBILITY: 100%
OS VERSION: 4.5.0.25
HARDWARE: Xperia 10II
UI LANGUAGE: Deutsch
REGRESSION: unknown

DESCRIPTION:

Creating a Nextcloud, CalDAV or CardDAV account, or syncing one, fails with an nginx server.

PRECONDITIONS:

Nextcloud running on nginx or behind nginx reverse proxy, bot protection enabled

STEPS TO REPRODUCE:

  1. Use a nextcloud instance with nginx and enabled bot protection.
  2. Create a new CalDav or CardDav account.
  3. Get error message “Die Netzwerkanfrage ist fehlgeschlagen”
  4. Running jolla-settings from cli results in “QNetworkReply error: 202 with HTTP code: 403”
  5. Find your IP banned in nginx

EXPECTED RESULT:

Correct user agent needs to be set, to allow bot protection to be active.

ACTUAL RESULT:

IP is blocked by bot protection, no sync possible.

ADDITIONAL INFORMATION:

I’m not an expert in this field, so please be patient with me and the following information.
Log shows Sailfish’s user agent as “Mozilla/5.0”, which causes a ban by nginx.
My laptop shows up as “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0”, which works fine.

Although I would say this is rather a misconfiguration on the server side, I think the sailfish-browser is using special user-agents because of… cool setups… like that, so maybe it would actually be sensible to reuse something from there?

Can you be more specific about ‘bot protection’? It’s not a config toggle afaict, there are all kinds of modules for nginx, is it PerimeterX Bot Defender - NGINX or some other one? If you control the server you can probably whitelist specific user-agents, if not the admin could, or maybe worth bringing up upstream, but it doesn’t seem to be an nginx core feature

I thought of misconfiguration while writing here. But I doubt it. I’m using the nginx plugin on an OPNsense VM. I don’t change anything on this bot protection, it is enabled as a default. I need to dig into advanced options to disable it. (Took me some hours to figure out what is going on)
Also the configuration works just fine with the Android Apps on same device. Just when you try to use a sailfish account, it blocks everything suddenly.

By misconfiguration I mean that a bot protection blocking that user-agent is itself the misconfiguration :wink:

Another possible solution could be to add another optional field where users can enter a user-agent, which makes them even more useless than they already are…

Sorry to be unspecific in initial post. I’m using nginx plugin on OPNsense. I thought it is a standard for nginx. But now as I’m searching for it, it seems to be a specific feature enabled by default just in OPNsense

1 Like

Yeah sounds like overzealous/paranoid default settings: Nginx Plugin :: Autoblock
nginx: Web Application Firewall — OPNsense documentation

OPNsense blocks User Agents used by Bots automatically - this cannot be configured

Yeah looks like it’s disable or nothing

Disabled it for now.
There are many posts about issues with nextcloud sync. Maybe others have similar problems but don’t even identify them as such a ban action.

2 Likes
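
For admins who want to confirm that this kind of block is what breaks their sync, the following is an added example (not part of the thread and not OPNsense or Sailfish code) that scans nginx access-log lines for 403 responses to DAV requests carrying the bare “Mozilla/5.0” user agent reported above. It assumes nginx's standard `combined` log format and Nextcloud's `/remote.php/dav` endpoint plus the `.well-known` DAV discovery paths; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" log format (assumption: no custom log_format on the proxy)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BARE_UA = "Mozilla/5.0"  # user agent the thread reports for the Sailfish client
# Assumed DAV entry points: Nextcloud's endpoint and the DAV discovery paths
DAV_PREFIXES = ("/remote.php/dav", "/.well-known/caldav", "/.well-known/carddav")


def find_blocked_dav_clients(lines):
    """Return {ip: [(time, method, path), ...]} for 403 responses to DAV
    requests whose User-Agent is exactly the bare "Mozilla/5.0" string."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, skip
        if (m["status"] == "403" and m["ua"] == BARE_UA
                and m["path"].startswith(DAV_PREFIXES)):
            hits[m["ip"]].append((m["time"], m["method"], m["path"]))
    return dict(hits)


# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2024:10:15:01 +0200] "PROPFIND /.well-known/caldav HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2024:10:15:02 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2024:10:16:40 +0200] "PROPFIND /remote.php/dav/calendars/alice/ HTTP/1.1" 207 912 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"',
    '203.0.113.5 - - [12/May/2024:10:17:03 +0200] "GET /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_blocked_dav_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} DAV request(s) rejected with bare UA")
        for when, method, path in reqs:
            print(f"  {when}  {method} {path}")
```

An address that shows up here and also sends normal browser traffic is a likely false positive of the user-agent block rather than a bot.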