
False Positive Nextcloud behind Nginx proxy and LePresidente/http-generic-403-bf #1092

Open
reinerj opened this issue Aug 9, 2024 · 2 comments
Labels: good first issue (Good for newcomers), question (Further information is requested)


reinerj commented Aug 9, 2024

We are running NC behind a proxy and getting a false positive

# cscli alerts inspect 26557 -d

################################################################################################

 - ID           : 26557
 - Date         : 2024-08-09T15:47:48Z
 - Machine      : 37b9a9b95c884
 - Simulation   : false
 - Reason       : LePresidente/http-generic-403-bf
 - Events Count : 6
 - Scope:Value  : Ip:x.x.x.x
 - Country      : DE
 - AS           : XXX
 - Begin        : 2024-08-09 15:47:47.997429634 +0000 UTC
 - End          : 2024-08-09 15:47:48.020577211 +0000 UTC
 - UUID         : 4e636551-30f8-4eba-b3bf-875be844ed38


 - Events  :

- Date: 2024-08-09 15:47:47 +0000 UTC
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│       Key       │                             Value                            │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber       │ 15735                                                        │
│ ASNOrg          │ xxxx                                                         │
│ IsInEU          │ true                                                         │
│ IsoCode         │ DE                                                           │
│ SourceRange     │ x.x.x.x                                                      │
│ datasource_path │ /nextcloud.proxy                                             │
│ datasource_type │ docker                                                       │
│ http_args_len   │ 0                                                            │
│ http_path       │ /apps/text/session/514236/sync                               │
│ http_status     │ 403                                                          │
│ http_user_agent │ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)              │
│                 │ AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6        │
│                 │ Safari/605.1.15                                              │
│ http_verb       │ POST                                                         │
│ log_type        │ http_access-log                                              │
│ service         │ http                                                         │
│ source_ip       │ x.x.x.x                                                      │
│ timestamp       │ 2024-08-09T15:47:47Z                                         │
╰─────────────────┴──────────────────────────────────────────────────────────────╯

Run Nextcloud behind an Nginx proxy

Should not be blocked as it is a false

@LaurenceJJones (Contributor) commented:

Hey 👋🏻

Could you provide the logs that were generated by Nginx that cause this so we can create a whitelist expression and test case around it?

LaurenceJJones added the good first issue (Good for newcomers) and question (Further information is requested) labels Aug 21, 2024

@florianwgnr (Contributor) commented:

I just experienced the same problem, here are my explanation and logs:

The problem occurs when a user has opened a text document (e.g. a markdown file) within Nextcloud and is not logged on anymore (or the session expired). The text editor tries to sync multiple times, but every call fails with 403.

Log for a single document (note: the document id can vary) with expired session (causing the ban):

x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 403 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 403 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 403 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 403 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 403 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"

Log for a single document (note: the document id can vary) with valid session:

x.x.x.x - - [21/Aug/2024:21:06:52 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 200 1410 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:53 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 200 1410 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:57 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 200 1410 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
x.x.x.x - - [21/Aug/2024:21:06:58 +0200] "POST /apps/text/session/589302/sync HTTP/2.0" 200 1410 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"

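An added example (not part of the thread, and not an item from the CrowdSec hub): a CrowdSec whitelist parser that drops only the `POST /apps/text/session/<id>/sync` requests answered with 403, as shown in the logs above, so they never reach the LePresidente/http-generic-403-bf scenario. The parser name and file path are assumptions; the `evt.Meta` field names are the ones printed by `cscli alerts inspect` earlier in the thread.

```yaml
# Assumed path: /etc/crowdsec/parsers/s02-enrich/nextcloud-text-sync-whitelist.yaml
# Whitelist parsers run after the access log has been parsed, so the
# evt.Meta fields are the same ones shown by `cscli alerts inspect -d`.
name: local/nextcloud-text-sync-whitelist   # assumed name, not a hub item
description: "Ignore 403s from Nextcloud Text app sync retries after session expiry"
# Only consider HTTP access-log events; every other event passes through untouched.
filter: "evt.Meta.log_type == 'http_access-log'"
whitelist:
  reason: "Nextcloud Text editor keeps POSTing to .../sync with an expired session; each call is a legitimate 403"
  expression:
    # Scope tightly: POST + 403 + the exact sync path shape, so other 403s
    # (login probing, forced browsing of other paths) are still counted.
    - >-
      evt.Meta.http_verb == 'POST'
      && evt.Meta.http_status == '403'
      && evt.Meta.http_path matches '^/apps/text/session/[0-9]+/sync$'
```

After reloading CrowdSec, replaying one of the 403 lines above with `cscli explain --log '<line>' --type nginx` shows whether the event is now marked as whitelisted before any scenario sees it.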