Problems with webDAV access on different browsers related to special characters in password

Hi there!

Background

I made a completely new installation of Seafile 6.05 with nginx as a reverse proxy and Let’s Encrypt on my Raspberry Pi 3. It works perfectly, but since I tried to use WebDAV for synchronizing my Keepass database I have run into an error. I enabled WebDAV as mentioned in the manual.

What works, what does not

  • Works: WebDAV with Chrome, Chromium, and Ubuntu Browser on Ubuntu 16.04
  • Works: WebDAV with Lightning Browser on Android 6.0.1
  • Works NOT: WebDAV with Firefox on Ubuntu 16.04
  • Works NOT: Accessing database via webDAV (HTTPS) in Keepass2Android on Android 6.0.1

Error messages

  • Firefox on Ubuntu 16.04: Does not accept even the right credentials. After aborting: 401 Access not authorized
  • Keepass2Android on Android 6.0.1: {protocol=http/1.1,code=401, message=Not Authorized, url= … }

Config files

seafdav.conf

[WEBDAV] 
enabled = true 
port = 8080 
fastcgi = true 
share_name = /seafdav

NGINX site configuration

server_tokens off; 
add_header X-Frame-Options DENY; 
add_header X-Content-Type-Options nosniff; 
 
server { 
    listen 80; 
    server_name example.com; 
    return 301 https://$server_name$request_uri; 
} 
 
server { 
    listen 443; 
    ssl on; 
    server_name example.com; 
 
    ssl_certificate /etc/nginx/ssl/example.com.pem; 
    ssl_certificate_key /etc/nginx/ssl/example.com.key; 
 
    ssl_protocols TLSv1.2; 
    ssl_prefer_server_ciphers on; 
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; 
 
    ssl_session_cache shared:SSL:50m; 
    ssl_session_timeout 5m; 
 
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; 
 
    error_page 497  https://$host:$server_port$request_uri; 
  
    client_max_body_size 10G; # set max upload size 
     
    location / { 
        fastcgi_pass    127.0.0.1:8000; 
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name; 
        fastcgi_param   PATH_INFO           $fastcgi_script_name; 
  
        fastcgi_param   SERVER_PROTOCOL $server_protocol; 
        fastcgi_param   QUERY_STRING        $query_string; 
        fastcgi_param   REQUEST_METHOD      $request_method; 
        fastcgi_param   CONTENT_TYPE        $content_type; 
        fastcgi_param   CONTENT_LENGTH      $content_length; 
        fastcgi_param   SERVER_ADDR         $server_addr; 
        fastcgi_param   SERVER_PORT         $server_port; 
        fastcgi_param   SERVER_NAME         $server_name; 
        fastcgi_param   HTTPS   on; 
        fastcgi_param   HTTP_SCHEME https; 
      
        access_log      /var/log/nginx/seahub.access.log; 
        error_log       /var/log/nginx/seahub.error.log; 
    }        
 
    location /seafhttp { 
        rewrite ^/seafhttp(.*)$ $1 break; 
        proxy_pass http://127.0.0.1:8082; 
        client_max_body_size 0; 
    } 
     
    location /seafdav { 
        fastcgi_pass    127.0.0.1:8080; 
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name; 
        fastcgi_param   PATH_INFO           $fastcgi_script_name; 
 
        fastcgi_param   SERVER_PROTOCOL     $server_protocol; 
        fastcgi_param   QUERY_STRING        $query_string; 
        fastcgi_param   REQUEST_METHOD      $request_method; 
        fastcgi_param   CONTENT_TYPE        $content_type; 
        fastcgi_param   CONTENT_LENGTH      $content_length; 
        fastcgi_param   SERVER_ADDR         $server_addr; 
        fastcgi_param   SERVER_PORT         $server_port; 
        fastcgi_param   SERVER_NAME         $server_name; 
        fastcgi_param   HTTPS               on; 
        fastcgi_param   HTTP_SCHEME         https; 
 
        client_max_body_size 0; 
        proxy_connect_timeout  36000s; 
        proxy_read_timeout  36000s; 
        proxy_send_timeout  36000s; 
        send_timeout  36000s; 
 
        access_log      /var/log/nginx/seafdav.access.log; 
        error_log       /var/log/nginx/seafdav.error.log; 
    } 
 
}

Can anybody help me with that? The seafdav.error.log is empty.

Is there anyone who could help me? Something I could try? :slight_smile:

You could try testing it without your special ssl_* settings (keep the certificate though) - maybe it’s somehow related to that.
The only other thing that I could possibly think of is that we also have proxy_set_header X-Forwarded-For $remote_addr; in the main server block in the Nginx configuration.

What version of nginx are you using?

Thanks for your answer. I am using NGINX 1.6.2. Deactivating all NGINX SSL settings (except the certificate part) and reloading didn’t help. Really strange problem. :confused:

I found out what the problem is in this case!

I did a little research and found this issue for WebDAV on ownCloud: https://github.com/owncloud/core/issues/7894
So after that I changed my password and now it works even on Firefox and Keepass2Android.

Because I don’t know whether this is a Seafile or foreign-WebDAV-implementation issue, I won’t mark this topic as solved for now. I will look further into that.

For the record, my old Seafile password was: sh6xÖ:q+#mmnDf63 (16 digit, computer generated, upper and lower case, numbers and special characters which are most likely the problem).

Absolutely! Even if this were a “browser bug” (as a quick glance at the OwnCloud issue suggests), it would be good to have it tested and be able to inform the users about that situation.
Maybe someone from Seafile Ltd. can look into that!

Best regards,
Moritz

Hello.
I had the same problem on my Arch Linux VPS with nginx.
Everything worked fine until I tried to achieve an A+ rating on SSL Labs ;)
I added some custom SSL settings and after that my KeePass app was unable to connect to the server.

After I commented out this setting:

ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

and restarted nginx, everything started working again, but my SSL Labs rating dropped from A+ to A ;((

I hope this will help you, and sorry for my bad English.

I can assure you that this has nothing to do with this problem. That’s because Keepass2Android is built with Mono, which seems not to support TLS 1.1 and 1.2 and secure ciphers. This issue has been fixed in the newest Keepass2Android beta 1.01-pre3 by using OkHttp. You can use that version of the app and enjoy your secured server.

The issue in this topic is because of the umlauts (Ä, Ö, Ü, …) in the Seafile user password. I haven’t had time to look further into that yet.
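
Added example, not part of the original thread and not Seafile's code: a Python sketch of why a password containing an umlaut can produce a 401 from some clients only, assuming the cause is that client and server disagree on the charset used for the HTTP Basic credentials (RFC 7617 leaves the default charset undefined). The user name, password and function names are constructed for illustration.

```python
import base64
import hmac

def basic_header(user, password, charset):
    """Authorization value as sent by a client that encodes with `charset`."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header, charsets=("utf-8", "iso-8859-1")):
    """Return (user, password) candidates, one per charset that decodes cleanly."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return []
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # malformed base64
        return []
    candidates = []
    for cs in charsets:
        try:
            text = raw.decode(cs)
        except UnicodeDecodeError:
            continue
        # Split at the FIRST colon only: the password may contain ':'.
        user, sep, pw = text.partition(":")
        if sep and (user, pw) not in candidates:
            candidates.append((user, pw))
    return candidates

def authenticate(header, user, password, charsets=("utf-8", "iso-8859-1")):
    """True if any decoded candidate matches the stored credentials."""
    ok = False
    for cand_user, cand_pw in parse_basic(header, charsets):
        # compare_digest needs bytes for non-ASCII input
        same_user = hmac.compare_digest(cand_user.encode("utf-8"), user.encode("utf-8"))
        same_pw = hmac.compare_digest(cand_pw.encode("utf-8"), password.encode("utf-8"))
        ok = ok or (same_user and same_pw)
    return ok

# Constructed sample credentials (not the password from the thread).
USER, PASSWORD = "user@example.com", "pa:ssÖ63"

if __name__ == "__main__":
    for client_cs in ("utf-8", "iso-8859-1"):
        hdr = basic_header(USER, PASSWORD, client_cs)
        strict = authenticate(hdr, USER, PASSWORD, charsets=("utf-8",))
        tolerant = authenticate(hdr, USER, PASSWORD)
        print(f"{client_cs:11} {hdr}  utf8-only={strict}  fallback={tolerant}")
```

The same password yields two different header values; a server that decodes with only one charset rejects the other client, while a password limited to ASCII encodes identically in both and avoids the mismatch.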