Steps to reproduce
- Try to log in on a Nextcloud installation using the wrong credentials
- Repeat first step for more than 8 times approximately
- After each failed attempt, the /login page becomes increasingly slower to load and after ca. 8 times the error message "504 Gateway Time-out" appears
Expected behaviour
Failed log-in attempts should not slow down page load or cause a 504 error. I do not have the brute force or any other security app enabled.
Actual behaviour
After each failed attempt, the /login page becomes increasingly slower to load and after ca. 8 times the error message "504 Gateway Time-out" appears. Trying from a different computer the page load speed is initially OK, but it also gets increasingly slower after the several failed log-in attempts.
Server configuration
Operating system: Debian 8.9 (jessie)
Web server: Nginx 1.12
Database: MySQL 5.5
PHP version: 5.6
Nextcloud version: 12.0.3
Updated from an older Nextcloud or fresh install: Fresh install
Signing status:
No errors have been found.
List of activated apps:
Enabled:
- activity: 2.5.2
- comments: 1.2.0
- dav: 1.3.0
- federatedfilesharing: 1.2.0
- federation: 1.2.0
- files: 1.7.2
- files_pdfviewer: 1.1.1
- files_sharing: 1.4.0
- files_texteditor: 2.4.1
- files_versions: 1.5.0
- files_videoplayer: 1.1.0
- firstrunwizard: 2.1
- gallery: 17.0.0
- logreader: 2.0.0
- lookup_server_connector: 1.0.0
- nextcloud_announcements: 1.1
- notifications: 2.0.0
- oauth2: 1.0.5
- password_policy: 1.2.2
- provisioning_api: 1.2.0
- serverinfo: 1.2.0
- sharebymail: 1.2.0
- survey_client: 1.0.0
- systemtags: 1.2.0
- theming: 1.3.0
- twofactor_backupcodes: 1.1.1
- updatenotification: 1.2.0
- workflowengine: 1.2.0
Disabled:
- admin_audit
- encryption
- files_external
- files_trashbin
- user_external
- user_ldap
Nextcloud configuration:
{
"system": {
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***""
],
"datadirectory": "***REMOVED SENSITIVE VALUE***"",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***"",
"dbtype": "mysql",
"version": "12.0.3.3",
"dbname": "***REMOVED SENSITIVE VALUE***"",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "ocv7ch027cah",
"mail_smtpmode": "php",
"log_rotate_size": "10485760",
"loglevel": "2",
"memcache.local": "\\OC\\Memcache\\APCu",
"trashbin_retention_obligation": "auto,90",
"activity_expire_days": 180,
"logtimezone": "Europe\/Zurich",
"skeletondirectory": ""
}
}
Are you using encryption: no
Client configuration
Browser:
We have tried with Firefox and Chrome
Operating system:
Windows 10 and Linux
Logs
Web server error log
Web server error log
2017/11/20 16:28:40 [error] 17675#17675: *2571358 upstream timed out (110: Connection timed out) while reading response header from upstream, client: ***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "POST /login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm-***REMOVED SENSITIVE VALUE***.sock", host: "***REMOVED SENSITIVE VALUE***"
2017/11/20 16:28:40 [error] 17674#17674: *2578190 upstream timed out (110: Connection timed out) while reading response header from upstream, client: ***REMOVED SENSITIVE VALUE***, server: ***REMOVED SENSITIVE VALUE***, request: "POST /login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm-***REMOVED SENSITIVE VALUE***.sock", host: "***REMOVED SENSITIVE VALUE***
Nextcloud log (data/nextcloud.log)
Nextcloud log
{"reqId":"YAxR5Pg373DNgiJuO2de","level":1,"time":"2017-11-20T16:25:04+01:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"--","app":"core","method":"POST","url":"\/login","message":"Bruteforce attempt from \"***REMOVED SENSITIVE VALUE***\" detected for action \"login\".","userAgent":"Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko\/20100101 Firefox\/57.0","version":"12.0.3.3"}
{"reqId":"wU25tIiP6D8Kg1pUWmcJ","level":0,"time":"2017-11-20T16:28:31+01:00","remoteAddr":"192.168.20.153","user":"--","app":"core","method":"GET","url":"\/login","message":"Scss is disabled for \/var\/www\/***REMOVED SENSITIVE VALUE***\/core\/css\/server.scss, ignoring","userAgent":"Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko\/20100101 Firefox\/57.0","version":"12.0.3.3"}
On another installation I get this:
{"reqId":"PKP2arbPsrpgD3dbQleB","level":2,"time":"2017-11-20T17:03:17+01:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"--","app":"core","method":"POST","url":"\/login?user=***REMOVED SENSITIVE VALUE***","message":"Login failed: '***REMOVED SENSITIVE VALUE***' (Remote IP: '***REMOVED SENSITIVE VALUE***')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:52.0) Gecko\/20100101 Firefox\/52.0","version":"12.0.3.3"}
Browser log
Browser log
login Failed to load resource: the server responded with a status of 504 (Gateway Time-out)
Steps to reproduce
Expected behaviour
Failed log-in attempts should not slow down page load or cause a 504 error. I do not have the brute force or any other security app enabled.
Actual behaviour
After each failed attempt, the /login page becomes increasingly slower to load and after ca. 8 times the error message "504 Gateway Time-out" appears. Trying from a different computer the page load speed is initially OK, but it also gets increasingly slower after the several failed log-in attempts.
Server configuration
Operating system: Debian 8.9 (jessie)
Web server: Nginx 1.12
Database: MySQL 5.5
PHP version: 5.6
Nextcloud version: 12.0.3
Updated from an older Nextcloud or fresh install: Fresh install
Signing status:
List of activated apps:
Nextcloud configuration:
Are you using encryption: no
Client configuration
Browser:
We have tried with Firefox and Chrome
Operating system:
Windows 10 and Linux
Logs
Web server error log
Web server error log
Nextcloud log (data/nextcloud.log)
Nextcloud log
On another installation I get this:
Browser log
Browser log