haproxy.cfg.tmpl

global
  log /dev/log local0 info
  log /dev/log local0 notice
  ca-base /etc/ssl/certs
  maxconn 4096
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
  log global
  mode http
  option forwardfor
  option httpclose
  option http-server-close
  option httplog
  option dontlognull
  retries 3
  compression algo gzip
  compression type text/html text/plain text/css application/javascript
  timeout connect 5000
  timeout client 50000
  timeout server 500000

frontend http-in
  bind *:80
{{ range $host, $container := groupBy $ "Env.AUTOCONFIG_HOST" }}
  redirect location https://{{ $host }}/mail/config-v1.1.xml code 301 if { hdr_beg(host) -i autoconfig }
{{end}}
  redirect scheme https code 301

frontend https-in
mode http
  bind    *:443 ssl no-sslv3 crt /etc/haproxy/certs
  reqadd  X-Forwarded-Proto:\ https
  rspadd  Strict-Transport-Security:\ max-age=15768000
  rspidel X-Powered-By

  acl acme path_beg /.well-known/acme

{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
  {{ if $reverseProxyFor }}:12:17:52 +0000] "GET /login HTTP/1.1" 200 9114 "-" "Mozilla/5.0 (Linux) mirall/2.5.2git (Nextcloud)"

in NC ( app)

10.0.241.4 - 12/Jun/2019:12:17:59 +0000 "POST /index.php" 303, 10.0.241.4 - 12/Jun/2019:12:17:52 +0000 "GET /index.php" 200, 10.0.241.4 - 12/Jun/2019:12:17:57 +0000 "POST /index.php" 303, 10.0.241.4 - 12/Jun/2019:12:17:57 +0000 "GET /index.php" 200, 10.0.241.4 - 12/Jun/2019:12:17:59 +0000 "GET /index.php" 302

On the client 2.5.2

[OCC::AccessManager::createRequest 2 "" "https://dock.ekimia.fr/status.php" has X-Request-ID "fd0e0377-370b-45ee-807b-66611c2fd6a1" [OCC::AbstractNetworkJob::start OCC::CheckServerJob created for "https://dock.ekimia.fr" + "status.php" "OCC::OwncloudSetupWizard" [OCC::CheckServerJob::finished No SSL session identifier / session ticket is used, this might impact sync performance negatively. [OCC::CheckServerJob::finished status.php returns: QJsonDocument({"edition":"","installed":true,"maintenance":false,"needsDbUpgrade":false,"productname":"Nextcloud","version":"15.0.4.0","versionstring":"15.0.4"}) QNetworkReply::NetworkError(NoError) Reply: QNetworkReplyHttpImpl(0x560151ad9910) [OCC::DetermineAuthTypeJob::start Determining auth type for QUrl("https://dock.ekimia.fr/remote.php/webdav/") [OCC::AccessManager::createRequest 2 "" "https://dock.ekimia.fr/remote.php/webdav/" has X-Request-ID "844ed18d-b8e9-4845-90b4-9c106b8b5b05" [OCC::AbstractNetworkJob::start OCC::SimpleNetworkJob created for "https://dock.ekimia.fr" + "" "OCC::Account" [OCC::AccessManager::createRequest 6 "PROPFIND" "https://dock.ekimia.fr/remote.php/webdav/" has X-Request-ID "0101c3d3-9fc1-4eb1-a2b0-08b1cce06444" [OCC::AbstractNetworkJob::start OCC::SimpleNetworkJob created for "https://dock.ekimia.fr" + "" "OCC::Account" [OCC::DetermineAuthTypeJob::checkBothDone Auth type for QUrl("https://dock.ekimia.fr/remote.php/webdav/") is 3 [OCC::WebViewPage::initializePage Url to auth at: "https://dock.ekimia.fr/index.php/login/flow"

Links

Flow login doc https://docs.nextcloud.com/server/15/developer_manual/client_apis/LoginFlow/index.html

a similar issue https://github.com/nextcloud/desktop/issues/279
Edited 1 week ago by ekimia

    ekimia @freechelmi changed the description 1 week ago
    ekimia @freechelmi added To Do label 1 week ago
    ekimia @freechelmi changed the description 3 times within 3 minutes 1 week ago
    ekimia @freechelmi changed the description 6 times within 9 minutes 1 week ago

  use_backend {{ $host }}-acme if acme { hdr(host) -i {{ $host }} }
  {{end}}
{{end}}
  use_backend letsencrypt-web if acme
{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
  use_backend webhook if { path_beg /XxosJDdRpo7Rww87VkJGzv1QLegnhh-uniq-libresh }
{{end}}
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
  use_backend {{ $host}} if { hdr(host) -i {{ $host }} }
  use_backend {{ $host}} if { hdr(host) -i {{ $host }}:443 }
{{end}}

{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
  {{ $reverseProxyFor := (first (groupByKeys $containers "Env.REVERSE_PROXY_FOR")) }}
  {{ if $reverseProxyFor }}
backend {{ $host }}-acme
  server Server {{ $reverseProxyFor }}:80
  {{end}}
backend {{ $host }}
  option http-server-close
  cookie SERVERID insert nocache indirect
  {{ range $container := $containers }}
    {{ $networkLen := len $container.Networks }}
    {{ if $reverseProxyFor }}
  http-request set-header Host {{ $host }}
  server Server {{ $reverseProxyFor }}:443 ssl sni str({{ $host }}) ca-file ca-certificates.crt
    {{ else }}
      {{ if eq $networkLen 1 }}
        {{ $network := index $container.Networks 0 }}
  server Server {{ $network.IP }}:80 cookie Server
      {{ else }}
        {{ range $network := $container.Networks }}
          {{ if eq $network.Name "lb_web" }}
  server Server {{ $network.IP }}:80 cookie Server
          {{end}}
        {{end}}
      {{end}}
    {{end}}
  {{end}}
{{end}}

backend letsencrypt-web
  cookie SERVERID insert nocache indirect
  server Server letsencrypt-web:80 cookie Server
{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
backend webhook
  cookie SERVERID insert nocache indirect
  server Server webhook:80 cookie Server
{{end}}