Basic Auth from other website on same domain triggers brute force protection #12720
Labels
Comments
|
GitMate.io thinks possibly related issues are #3971 (Brute Force), #437 (brute force protection for Nextcloud APIs), #478 (Consider brute-force protection on the Server-to-Server Sharing Endpoint), #703 (brute force protection - whitelist (proxy server for example)), and #12140 (Expired tokens should not trigger bruteforce protection). |
|
there is not much we can do about that. Your browser probably sends the same basic auth credentials (which are not valid for Nextcloud). thus invoking the brute force protection |
skjnldsv
added
the
0. Needs triage
|
closing then |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If there is a existing basic authentication to another web application on the same host (and domain), the credentials from the basic authentication are logged as failed logins.
I don't know if there is a configuration to avoid this.
Steps to reproduce
Expected behaviour
No failed logins are logged
Actual behaviour
Failed logins are logged for the user, that was used for basic authentication.
Server configuration
Operating system:
Ubuntu 16.04
Web server:
Apache 2.4
Database:
MySQL
PHP version:
PHP 7.0
Nextcloud version: (see Nextcloud admin page)
14.0.4
Updated from an older Nextcloud/ownCloud or fresh install:
updated from 11.0.x
Where did you install Nextcloud from:
zip
Signing status:
No errors have been found.
The text was updated successfully, but these errors were encountered: