Pfsense HAproxy Owncloud ldap totp owncloud

ldellus · December 22, 2022, 7:15am

Hi,

Long Topic subject but needed to cover my problem.

I have an owncloud instance running on my lan behind a reverse proxy based on pfsense and HAproxy. Works great, I can access my owncloud server from anywhere, but it’s not that secured. My users are managed by an Active Directory based on Turnkey AD, and I’m now trying to add TOTP + OAuth2 to owncloud. I followed the instructions, but it doesn’t work. I get to input my 2FA code, I authorize the connection, then it fails with " Login Error Failed to retrieve user info" on the browser windows, and “Error while trying to log in to OAuth2-enabled server” on the owncloud desktop client. I forgot to say that I’m trying to secure my owncloud clients.

I don’t know what’s wrong. I disabled ldap in owncloud to see if this is the problem, I created a local user in owncloud, same problem. I’m thinking HAProxy might interfere and I’m seeking guidance in this great forum.

Many Thanks, Merry Christmas and Happy New Year All!

Laurent

LTS_Tom · December 22, 2022, 11:40am

You will have to figure out what other ports that are needed for that plugin. You can use pftop to look at all the connections.

ldellus · December 22, 2022, 6:34pm

Hi Tom,

This is my pftop outup when trying to authorize my client. The source is my client IP and the destination is my pfsense HAproxy. The source port number is changing all the time so I’m not sure what to do.

TCP

PR DIR SRC DEST STATE AGE EXP PKTS BYTES
tcp In 192.168.1.143:56691 192.168.1.254:443 ESTABLISHED:ESTABLISHED 27:17:33 23:59:48 35160 2967666
tcp In 192.168.1.143:54358 192.168.1.254:10443 ESTABLISHED:ESTABLISHED 00:19:00 24:00:00 3842 948984
tcp In 192.168.1.143:54700 192.168.1.254:443 TIME_WAIT:TIME_WAIT 00:01:34 00:00:32 40 15846
tcp In 192.168.1.143:54729 192.168.1.254:443 ESTABLISHED:ESTABLISHED 00:00:06 23:59:56 34 15580
tcp In 192.168.1.143:54706 192.168.1.254:443 FIN_WAIT_2:FIN_WAIT_2 00:01:32 00:00:28 31 12720
tcp In 192.168.1.143:54736 192.168.1.254:443 ESTABLISHED:ESTABLISHED 00:00:04 23:59:57 28 12576
tcp In 192.168.1.143:54701 192.168.1.254:443 FIN_WAIT_2:FIN_WAIT_2 00:01:34 00:00:32 16 2124
tcp In 192.168.1.143:54730 192.168.1.254:443 ESTABLISHED:ESTABLISHED 00:00:06 23:59:54 10 1626

UDP

pfTop: Up State 1-9/9 (491), View: default, Order: bytes
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
udp In 192.168.1.143:59922 192.168.1.254:53 SINGLE:MULTIPLE 00:00:09 00:00:22 4 874
udp In 192.168.1.143:68 192.168.1.254:67 SINGLE:MULTIPLE 00:00:04 00:00:26 2 691
udp In 192.168.1.143:55037 192.168.1.254:53 SINGLE:MULTIPLE 00:00:24 00:00:06 2 299
udp In 192.168.1.143:60700 192.168.1.254:53 SINGLE:MULTIPLE 00:00:07 00:00:23 2 294
udp In 192.168.1.143:52548 192.168.1.254:53 SINGLE:MULTIPLE 00:00:04 00:00:26 2 177
udp In 192.168.1.143:53085 192.168.1.254:53 SINGLE:MULTIPLE 00:00:04 00:00:26 2 163
udp In 192.168.1.143:58366 192.168.1.254:53 SINGLE:MULTIPLE 00:00:04 00:00:26 2 140
udp In 192.168.1.143:53807 192.168.1.254:53 SINGLE:MULTIPLE 00:00:04 00:00:26 2 136
udp In 192.168.1.143:62023 192.168.1.254:53 SINGLE:MULTIPLE 00:00:04 00:00:26 2 136

Thanks,

Laurent

LTS_Tom · December 23, 2022, 2:29pm

I see 443 and one connection to 10443, maybe that is it. If not ask the developers what ports.

ldellus · December 24, 2022, 10:36am

10443 is my pfsense management port. I had to assign it because HAProxy uses 443.

ldellus · December 24, 2022, 5:29pm

Problem solved. I did the following:

In config file /etc/apache2/sites-enabled/owncloud.conf I added the line:
SetEnvIf Authorization “(.*)” HTTP_AUTHORIZATION=$1
In config file /var/www/owncloud/config/config.php I added the following array:
‘trusted_proxies’ =>
array (
0 => ‘Replace with your HAProxy IP’
),

Voila!