503 on root if already logged in (chrome/ium only) #555

Closed
rpadovani opened this issue Jul 25, 2016 · 2 comments

Comments

@rpadovani
Steps to reproduce

  1. Install Nextcloud on your own subdomain (e.g. docs.rpadovani.com), using nginx and postgresql
  2. Log in to the website in a tab
  3. Open a new tab
  4. Go to the root of the website (type docs.rpadovani.com)

Expected behaviour

Redirection to https://docs.rpadovani.com/apps/files/

Actual behaviour

503 error

If I write anything after the / (like https://docs.rpadovani.com/ThisURLDOESNNOTEXIST) redirection works fine

If I write https://docs.rpadovani.com in a tab where I already logged in, redirection works. Only new tabs are broken.

Server configuration

Operating system: Ubuntu 16.04.1

Web server: nginx 1.10.0 with this configuration:

upstream php-handler {
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name docs.rpadovani.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name docs.rpadovani.com;

    ssl_certificate /etc/letsencrypt/live/docs.rpadovani.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docs.rpadovani.com/privkey.pem;

    # Security options by cipherli.st
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # add_header X-Frame-Options DENY;

    # Following https://weakdh.org/sysadmin.html
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Database: postgresql 9.5

PHP version: PHP 7.0.8-0ubuntu0.16.04.1

Nextcloud version: 9.0.53 (stable)

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: source

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.2.1
  - admin_audit: 1.0.0
  - calendar: 1.3.1
  - comments: 0.2
  - contacts: 1.3.1.0
  - dav: 0.1.6
  - documents: 0.12.0
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - news: 8.8.0
  - notifications: 0.2.3
  - password_policy: 1.0.0
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - theming: 0.1.0
  - updatenotification: 0.1.0
Disabled:
  - bookmarks
  - encryption
  - external
  - files_external
  - user_external
  - user_ldap
  - user_saml

The content of config/config.php:

{
    "system": {
        "instanceid": "och9eg6xraef",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "docs.rpadovani.com"
        ],
        "datadirectory": "\/opt\/nextcloud",
        "overwrite.cli.url": "https:\/\/docs.rpadovani.com",
        "dbtype": "pgsql",
        "version": "9.0.53.0",
        "dbname": "nextcloud",
        "dbhost": "localhost:5432",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "appstore.experimental.enabled": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379
        },
        "memcache.locking": "\\OC\\Memcache\\Redis"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Chrome/Chromium, also on a fresh installation or in incognito mode

Logs

Web server error log

/var/log/nginx/error.log says nothing. /var/log/nginx/access.log:

37.182.xxx.xxx - - [25/Jul/2016:12:39:08 +0000] "GET / HTTP/1.1" 503 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"

Nextcloud log (data/nextcloud.log)

nothing

Browser log

console.log: nothing.

The Network tab shows a request to docs.rpadovani.com:

General
Request URL: https://docs.rpadovani.com/
Request Method: GET
Status Code: 503 Service Unavailable
Remote Address: 151.80.148.178:443

Response Headers
Cache-Control: no-store, no-cache, must-revalidate
Connection: keep-alive
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Content-Type: text/html; charset=UTF-8
Date: Mon, 25 Jul 2016 12:41:23 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/1.10.0 (Ubuntu)
Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Transfer-Encoding: chunked

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,it;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Cookie: oc_sessionPassphrase=xxx; och9eg6xraef=xxx; oc_username=rpadovani; oc_token=xxx; oc_remember_login=1; nc_sameSiteCookielax=true
DNT: 1
Host: docs.rpadovani.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

@rpadovani (author)

Taking a closer look, Chrome does not send nc_sameSiteCookiestrict, while Firefox does.
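
The captured exchange above carries nc_sameSiteCookielax but not nc_sameSiteCookiestrict, and the server answers 503 while re-issuing both cookies. As an added illustration, and not Nextcloud's own code, the block below reimplements a server-side "double SameSite cookie" check of that shape and runs it against the Cookie header captured in this issue and against the same header with the strict cookie present, which is what the author reports Firefox sends. The parsing helper and the handler are my own; a 302 to /apps/files/ for the passing case is an assumption taken from the expected behaviour in the report, and the exact status code Nextcloud uses for that redirect is not stated on this page.

```javascript
// Added example (not Nextcloud's implementation): a minimal server-side
// "double SameSite cookie" check of the shape seen in the issue's captured
// request/response. Assumed behaviour: the server issues one SameSite=lax and
// one SameSite=strict cookie and refuses (503) any request that does not carry
// both, re-setting them in the refusal so a reload carries them.

const LAX = 'nc_sameSiteCookielax';
const STRICT = 'nc_sameSiteCookiestrict';

// Parse an HTTP Cookie request header ("a=1; b=2") into a name -> value map.
// Pairs without "=" are ignored; later duplicates overwrite earlier ones.
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Set-Cookie values the server emits when (re)issuing the pair; the attributes
// mirror the ones visible in the issue's response headers.
function sameSiteSetCookies() {
  const common = 'path=/; httponly; secure; expires=Fri, 31-Dec-2100 23:59:59 GMT';
  return [
    `${LAX}=true; ${common}; SameSite=lax`,
    `${STRICT}=true; ${common}; SameSite=strict`,
  ];
}

// Decide how the front controller answers a request for "/" given its Cookie
// header. Returns {status, headers} so the logic can be exercised without a
// socket. The 302 target is an assumption taken from the report's expected
// behaviour (redirect to /apps/files/ for a logged-in user).
function handleRootRequest(cookieHeader, loggedInTarget = '/apps/files/') {
  const c = parseCookieHeader(cookieHeader);
  const passesLax = c[LAX] === 'true';
  const passesStrict = passesLax && c[STRICT] === 'true';
  if (!passesStrict) {
    // Refuse the request and re-issue both cookies.
    return { status: 503, headers: { 'Set-Cookie': sameSiteSetCookies() } };
  }
  return { status: 302, headers: { Location: loggedInTarget } };
}

// Constructed inputs: the Chrome new-tab request from the issue carries the lax
// cookie only; the Firefox variant (per the author's follow-up) carries both.
const chromeNewTab =
  'oc_sessionPassphrase=xxx; och9eg6xraef=xxx; oc_username=rpadovani; ' +
  'oc_token=xxx; oc_remember_login=1; nc_sameSiteCookielax=true';
const firefoxRequest = chromeNewTab + '; nc_sameSiteCookiestrict=true';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('chrome new tab ->', handleRootRequest(chromeNewTab).status);   // 503
  console.log('firefox        ->', handleRootRequest(firefoxRequest).status); // 302
}
```

A check of this kind is a common CSRF defence: a SameSite=strict cookie is only attached to requests the browser considers same-site, so its absence is treated as evidence that the request did not originate from the site itself. The cost is visible in this issue: any navigation on which a browser withholds the strict cookie, legitimate or not, is refused, and because the refusal re-sets both cookies the next request from the same tab passes, which matches the author's observation that typing the URL into an already-logged-in tab works while a fresh tab does not.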

@rpadovani (author)

Related to: #237

Commits referencing this issue:
  - juliushaertl, Mar 5, 2017 (Signed-off-by: Julius Haertl <jus@bitgrid.net>)
  - juliushaertl, Mar 5, 2017 (Signed-off-by: Julius Haertl <jus@bitgrid.net>)
  - juliushaertl, Mar 16, 2017 (Signed-off-by: Julius Haertl <jus@bitgrid.net>)
  - juliushaertl, Mar 20, 2017 (Signed-off-by: Julius Haertl <jus@bitgrid.net>)
  - juliushaertl, Mar 20, 2017 (Signed-off-by: Julius Haertl <jus@bitgrid.net>)