Update to Nextcloud 15.0.8, Contacts to 3.1.1, and Calendar to 1.6.5 #1577
Conversation
|
Nice work. I think the connection needs to be over 127.0.0.1. I can't find where we've dealt with this before, but I'm pretty sure we had an issue that when using a public IP address fail2ban can be overly aggressive. Here's what happens: If there's a brute force attack on Nextcloud, and Nextcloud is connecting to Dovecot to check logins, then fail2ban will block the source IP address to the Dovecot connection. When the connection to Dovecot is to 127.0.0.1, then the source address is the same, and 127.0.0.1 is whitelisted. But when the connection is to the PRIMARY_HOSTNAME, which resolves to the public IP address, then the source address of the Dovecot connection is going to be the public IP address, which is not whitelisted. fail2ban will then block any connections from the box to itself at the public IP address, which will block all Nextcloud logins --- instead of just logins from the offending IP address. We could also consider using Nextcloud's new sql login backend if one of the password strategies is compatible with what we're storing in the database for Dovecot. But if we can figure out IMAP that would be better so we make fewer changes. |
|
@JoshData A few things. It looks like the backend imap connection method in user_external was changed from php-imap (which didn't have tls>1.0 support and is (being?) deprecated) and is now using some code form roundcube to do the imap support. Problem is there is no support for 'novalidate-cert' in the new code. From the thread nextcloud/user_external#52 it sounds like they are just recommending using 127.0.0.1:143 which in testing does work, but is not my preferred way to go while it is still relatively secure. To your point about potentially banning MIAB itself, I don't think that would occur. MIAB IP is already one of the ignoreip in fail2ban. So we shouldnt ban MIAB IP failing dovecot lookups, it would still ban the public IP from the miab-owncloud fail2ban rule. I checked on https://github.com/PanCakeConnaisseur/user_backend_sql_raw and https://github.com/nextcloud/user_sql but they don't support sqlite. We can definitely hold off to see if anything comes from nextcloud/user_external#52 to support a 'novalidate-cert' mode since Nextcloud 14 is still supported. I couldn't find when it supposed to be end of life, but atleast we have a few choices with a path forward. |
|
If 127.0.0.1 works, then let's just use that. |
|
PR updated. |
|
Smart idea to allow non-TLS connections only from 127.0.0.1! I'll try it out when I get a chance. |
jvolkenant
changed the title
|
Fixed a typo with the Nextcloud version number. Conveniently 15.0.8 was just released. |
|
Thanks for the PR! I've installed this and it seems to work fine 😄 The admin console does show some warnings:
I think we should fix the first one. I'm not sure why the third one requires the paths to be exposed. |
I'll add it to the PR.
I noticed this as well, but images on my Nextcloud seemed to work fine without it.
I'll update the PR with these changes in the next few days. |
|
Adding the /cloud/ocm-provider/ and /cloud/ocs-provider/ sections might take a bit to figure out. |
|
I'm sure there is a more compact way to add oc[sm]-provider support but it works |
Nextcloud 15 no longer includes users_external in Nextcloud core so it now needs to be installed to apps like Contacts and Calendar.
It has been reported here: nextcloud/server#12506 that upgrades might fail if user_external is enabled for upgrades between 14->15 so a check has been added for that.
Because of the updates to user_external, the config.php syntax was changed. I was not able to get auth working when pointed to 127.0.0.1 thus the change to $PRIMARY_HOSTNAME (perhaps they removed the novalidate-cert style setting?) No mention of that option here: https://github.com/nextcloud/user_external
I tested on a fresh install ok. Test in your dev and let me know how things go.