Forum

I've set up owncloud and am using it for a few weeks now, and everything worked perfectly fine, up until about today. I've never set MaxUploadSize and could upload files of any size to my heart's content. However, today I noticed the server starts to ban me left and right whenever I upload a file with a size bigger than 1 MB, no matter if it's via the webinterface or the webdav. I now have set MaxUploadSize = 1024 (which should let me upload a gigabyte) in both the port 80 as well as the port 443 binding, but even after a restart of hiawatha and php-fpm, it bans me again when I try to upload a 6mb file.

I'm at a loss. While I did upgrade hiawatha from 10.2 to 10.3 recently, and rebooted inbetween, I could still upload afterwards. The only real thing that did change was that I rebooted the server on the weekend, and it couldn't get an IPv4. After a reboot via the management console (it's a VPS on QEMU-KVM) it got the IPs back.

What am I missing?

I did some more testing, it seems to block and ban at exactly 2 MB. But from what I can see, neither the defaults nor the configs have anything with a 2MB limit. There's also no .hiawatha file in any of the directories that could overwrite the settings.

# Hiawatha main configuration file
#

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options.
# The variables are case-sensitive and cannot be redeclared.
#
#set LOCALHOST = 127.0.0.0/8


# GENERAL SETTINGS
#
ServerId = http
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
    Interface = <IP>
    MaxUploadSize = 1024
}
#
Binding {
    Port = 443
    TLScertFile = <SSL-Cert>
    Interface = <IP>
    MaxRequestSize = 2048
    TimeForRequest = 30
    MaxUploadSize = 1024
}


# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
#TriggerOnCGIstatus = no
#
FastCGIserver {
    FastCGIid = PHP7
    ConnectTo = /run/php-fpm/php-fpm.sock
    Extension = php
    SessionTimeout = 30
}


UrlToolkit {
    ToolkitID = wordpress
    RequestURI exists Return
    Match [^?]*(\?.*)? Rewrite /index.php$1
}

UrlToolkit {
    ToolkitID = subdomains
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework,
# which can be downloaded from http:/www.banshee-php.org/
#
#UrlToolkit {
#   ToolkitID = banshee
#   RequestURI isfile Return
#   Match ^/(css|files|fonts|images|js)($|/) Return
#   Match ^/(favicon.ico|robots.txt)$ Return
#   Match [^?]*(\?.*)? Rewrite /index.php$1
#}


# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
#Directory {
#   DirectoryID = static
#   Path = /css, /fonts, /images, /js
#   ExpirePeriod = 2 weeks
#}
#
#Directory {
#   DirectoryID = files
#   Path = /files
#   ShowIndex = yes
#   StartFile = index.html
#   ExecuteCGI = no
#}


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = <IP>
WebsiteRoot = /srv/http/hiawatha
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
UseFastCGI=PHP7

include enabled/

VHost:

VirtualHost {
    Hostname = <hostname>
    WebsiteRoot = <root>
    StartFile = index.php
    RequireTLS = yes
    AccessLogfile = /var/log/hiawatha/hostname.access.log
    ErrorLogfile = /var/log/hiawatha/hostname.error.log
    TimeForCGI = 86400
    UseFastCGI = PHP7
    Alias = /oc:/usr/share/webapps/owncloud
    EnablePathInfo = yes
    FollowSymlinks = yes
    AllowDotFiles = yes
    WebDAVapp = yes
    UseToolkit = subdomains
}

Could it be in the PHP configuration? Perhaps the upload_max_filesize setting?

No, there's php-fpm running in the background and whenever I restart hiawatha, it works again (php-fpm runs untouched). Also, I doubt I'd see the following in system.log if it was php-related:

<my IP>|Tue 21 Jun 2016 07:10:21 +0200|Maximum request size reached
<my IP>|Tue 21 Jun 2016 07:10:21 +0200|Client banned because of sending a too large request

Could it be those requests where sent via HTTP instead of HTTPS? Try adding the MaxRequestSize setting to the port 80 binding.

Increasing the MaxRequestSize on HTTPS alone works, the previous limit was 2 MB. So apparently this is an OwnCloud problem. I'm still puzzled as to why it magically worked before though.

Thank you