HAProxy community

HAProxy Nextcloud Configuration - Internal Server Error

Hello,
I am trying to run a nextcloud (version 19.0.0.2) with nginx (version1.14.2). behind haproxy (version 1.8.19-1+rpi1) as a reverse proxy.
Right now, I am getting an internal server error on the nextcloud page. In the nextcloud logfile the following two errors are recorded:

{“reqId”:“baOWTv94XsSXJI8VUehv”,“level”:3,“time”:“2020-09-19T09:36:30+02:00”,“remoteAddr”:"",“user”:"–",“app”:“PHP”,“method”:“GET”,“url”:"/nextcloud/login",“message”:“Uninitialized string offset: 0 at /var/www/nextcloud/lib/private/Security/Normalizer/IpAddress.php#76”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0”,“version”:“19.0.2.2”}

and

“reqId”:“baOWTv94XsSXJI8VUehv”,“level”:3,“time”:“2020-09-19T09:36:30+02:00”,“remoteAddr”:"",“user”:"–",“app”:“index”,“method”:“GET”,“url”:"/nextcloud/login",“message”:{“Exception”:“Exception”,“Message”:“inet_ntop() expects parameter 1 to be string, bool given”,“Code”:0,“Trace”:[{“file”:"/var/www/nextcloud/lib/private/AppFramework/App.php",“line”:137,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:"->",“args”:[{“class”:“OC\Core\Controller\LoginController”},“showLoginForm”]},{“file”:"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php",“line”:47,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:"::",“args”:[“OC\Core\Controller\LoginController”,“showLoginForm”,{“class”:“OC\AppFramework\DependencyInjection\DIContainer”},{"_route":“core.login.showLoginForm”}]},{“function”:"__invoke",“class”:“OC\AppFramework\Routing\RouteActionHandler”,“type”:"->",“args”:[{"_route":“core.login.showLoginForm”}]},{“file”:"/var/www/nextcloud/lib/private/Route/Router.php",“line”:297,“function”:“call_user_func”,“args”:[{“class”:“OC\AppFramework\Routing\RouteActionHandler”},{"_route":“core.login.showLoginForm”}]},{“file”:"/var/www/nextcloud/lib/base.php",“line”:1012,“function”:“match”,“class”:“OC\Route\Router”,“type”:"->",“args”:["/login"]},{“file”:"/var/www/nextcloud/index.php",“line”:37,“function”:“handleRequest”,“class”:“OC”,“type”:"::",“args”:}],“File”:"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",“Line”:110,“Previous”:{“Exception”:“TypeError”,“Message”:“inet_ntop() expects parameter 1 to be string, bool given”,“Code”:0,“Trace”:[{“file”:"/var/www/nextcloud/lib/private/Security/Normalizer/IpAddress.php",“line”:91,“function”:“inet_ntop”,“args”:[false]},{“file”:"/var/www/nextcloud/lib/private/Security/Normalizer/IpAddress.php",“line”:108,“function”:“getIPv6Subnet”,“class”:“OC\Security\Normalizer\IpAddress”,“type”:"->",“args”:["",128]},{“file”:"/var/www/nextcloud/lib/private/Security/Bruteforce/Throttler.php",“line”:223,“function”:“getSubnet”,“class”:“OC\Security\Normalizer\IpAddress”,“type”:"->",“args”:},{“file”:"/var/www/nextcloud/core/Controller/LoginController.php",“line”:184,“function”:“getDelay”,“class”:“OC\Security\Bruteforce\Throttler”,“type”:"->",“args”:[""]},{“file”:"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",“line”:170,“function”:“showLoginForm”,“class”:“OC\Core\Controller\LoginController”,“type”:"->",“args”:[null,null]},{“file”:"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",“line”:100,“function”:“executeController”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:"->",“args”:[{“class”:“OC\Core\Controller\LoginController”},“showLoginForm”]},{“file”:"/var/www/nextcloud/lib/private/AppFramework/App.php",“line”:137,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:"->",“args”:[{“class”:“OC\Core\Controller\LoginController”},“showLoginForm”]},{“file”:"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php",“line”:47,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:"::",“args”:[“OC\Core\Controller\LoginController”,“showLoginForm”,{“class”:“OC\AppFramework\DependencyInjection\DIContainer”},{"_route":“core.login.showLoginForm”}]},{“function”:"__invoke",“class”:“OC\AppFramework\Routing\RouteActionHandler”,“type”:"->",“args”:[{"_route":“core.login.showLoginForm”}]},{“file”:"/var/www/nextcloud/lib/private/Route/Router.php",“line”:297,“function”:“call_user_func”,“args”:[{“class”:“OC\AppFramework\Routing\RouteActionHandler”},{"_route":“core.login.showLoginForm”}]},{“file”:"/var/www/nextcloud/lib/base.php",“line”:1012,“function”:“match”,“class”:“OC\Route\Router”,“type”:"->",“args”:["/login"]},{“file”:"/var/www/nextcloud/index.php",“line”:37,“function”:“handleRequest”,“class”:“OC”,“type”:"::",“args”:}],“File”:"/var/www/nextcloud/lib/private/Security/Normalizer/IpAddress.php",“Line”:91},“CustomMessage”:"–"},“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0”,“version”:“19.0.2.2”}

Following the first error the file (from line 75 onwards till the end of the function:

    private function getIPv6Subnet(string $ip, int $maskBits = 48): string {
            if ($ip[0] === '[' && $ip[-1] === ']') { // If IP is with brackets, for example [::1]
                    $ip = substr($ip, 1, strlen($ip) - 2);
            }
            $pos = strpos($ip, '%'); // if there is an explicit interface added to the IP, e.g. fe80::ae2d:d1e7:fe1e:9a8d%enp2s0
            if ($pos !== false) {
                    $ip = substr($ip, 0, $pos-1);
            }
            $binary = \inet_pton($ip);
            for ($i = 128; $i > $maskBits; $i -= 8) {
                    $j = \intdiv($i, 8) - 1;
                    $k = (int) \min(8, $i - $maskBits);
                    $mask = (0xff - ((2 ** $k) - 1));
                    $int = \unpack('C', $binary[$j]);
                    $binary[$j] = \pack('C', $int[1] & $mask);
            }
            return \inet_ntop($binary).'/'.$maskBits;
    }

I assume that in my haproxy.cfg is something wrong.

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

     # Default SSL material locations
     ##ca-base /etc/ssl/certs
     ##crt-base /etc/ssl/private

     # Default ciphers to use on SSL-enabled listening sockets.
     # For more information, see ciphers(1SSL). This list is from:
     #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
     # An alternative list with additional directives can be obtained from
     #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
     ##ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCMRSA+AES:!aNULL:!MD5:!DSS
     ##ssl-default-bind-options no-sslv3

defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
bind :80
mode http
option httplog

     acl is_letsencrypt path -i -m beg /.well-known/acmechallange

     use_backend be_letsencrypt if is_letsencrypt
     redirect scheme https code 301 if !{ ssl_fc }

frontend https_in
bind *:443
mode tcp
option tcplog
option forwardfor

     acl tls req.ssl_hello_type 1

     tcp-request inspect-delay 5s
     tcp-request content accept if tls

     acl is_nextcloud req.ssl_sni -i jcb.spdns.de

     use_backend be_nextcloud if is_nextcloud

backend be_letsencrypt
mode http
server localhost 127.0.0.1:81

backend be_nextcloud
mode tcp
option ssl-hello-chk
server localhost 127.0.0.1:82

To rule out an ssl problem, I run the cloud on http. Not using haproxy lets the cloud work fine, just with nginx. Therefor I assume that there is no problem in the configuration.

upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}

server {
listen 127.0.0.1:82 ssl http2;
listen [::]:82 ssl http2;
server_name localhost;

    # Configure SSL
    #
    ssl on;

    # Certificates used
    ssl_certificate /etc/letsencrypt/jcb.spdns.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/jcb.spdns.de/key.pem;

    # Not using TLSv1 will break:
    #       Android <= 4.4.40
    #       IE <= 10
    #       IE mobile <=10


    # Removing TLSv1.1 breaks nothing else!
    # There are not many clients using TLSv1.3 so far, but this can be activated with nginx v1.13
    ssl_protocols TLSv1.2 TLSv1.3;

    # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';


    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem;

    # Specifies a curve for ECDHE ciphers.
    # High security, but will not work with Chrome:
    #ssl_ecdh_curve secp521r1;
    # Works with Windows (Mobile), but not with Android (DavDroid):
    #ssl_ecdh_curve secp384r1;
    # Works with Android (DavDroid):
    ssl_ecdh_curve prime256v1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/jcb.spdns.de/fullchain.pem;
    resolver 192.168.38.1;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


    # Add headers to serve security related headers
    #
    # HSTS (ngx_http_headers_module is required)
    # In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
    add_header Referrer-Policy "same-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;


# Path to the root of your installation
root /var/www/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

location = /.well-known/carddav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

location = /.well-known/caldav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

location /.well-known/acme-challenge { }

location ^~ /nextcloud {
    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;


    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location /nextcloud {
        rewrite ^ /nextcloud/index.php$uri;
    }

    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
                    #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;

        # Raise timeout values.
        # This is especially important when the Nextcloud setup runs into timeouts (504 gateway errors)
                    fastcgi_read_timeout 600;
                    fastcgi_send_timeout 600;
                    fastcgi_connect_timeout 600;
        fastcgi_request_buffering off;

        # Pass PHP variables directly to PHP.
        # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
                    # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.
        fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/nextcloud_data:/dev/urandom:/proc/meminfo
                            upload_max_filesize = 10G
                            post_max_size = 10G
                            max_execution_time = 3600
                            output_buffering = off";

        # Make sure that the real IP of the remote host is passed to PHP.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
    }

    location ~ ^/nextloud/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        proxy_set_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers
        # Again use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
        proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        proxy_set_header X-Content-Type-Options nosniff;
        #proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-XSS-Protection "1; mode=block";
        proxy_set_header X-Robots-Tag none;
        proxy_set_header X-Download-Options noopen;
        proxy_set_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

}

Maybe someone in here finds my flaw and is able help me.
Best regards
Krischan