About CSP policy in apache2 sites-conf

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.2.2
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g, Apache 2.4.25):
    • Apache/2.4.62
  • PHP version (e.g, 8.3):
    • 8.3-fpm
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • Today
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Bare Metal
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
• Yes, I'm using Cloudflare, but DNS only, not proxied

Summary of the issue you are facing:

I tried to harden the config security by adding these lines:

RewriteEngine On
RewriteRule .* - [E=CSP_NONCE:${RANDOM}]
Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'nonce-%{CSP_NONCE}e'; script-src 'self' 'nonce-%{CSP_NONCE}e';"

but then it gave me no login screen.
What is the appropriate CSP policy in the Apache2 sites config for Nextcloud?
PS: sorry for my bad English.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

No log entries related to the problem.

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

content.js:79 The source list for the Content Security Policy directive 'script-src' contains an invalid source: ''nonce-${RANDOM}''. It will be ignored.
(anonymous) @ content.js:79
(anonymous) @ content.js:79
inject @ content.js:79
r @ content.js:70
(anonymous) @ content.js:70
jn @ content.js:15
hs @ content.js:67
(anonymous) @ content.js:83
then @ content.js:15
(anonymous) @ content.js:75
Pt @ content.js:9
t @ content.js:10
e @ content.js:1
i @ content.js:1
(anonymous) @ content.js:1
n @ content.js:1
(anonymous) @ content.js:83
(anonymous) @ content.js:83
(anonymous) @ content.js:83
content.js:79 The source list for the Content Security Policy directive 'script-src-elem' contains an invalid source: ''nonce-${RANDOM}''. It will be ignored.
content.js:79 The source list for the Content Security Policy directive 'style-src' contains an invalid source: ''nonce-${RANDOM}''. It will be ignored.
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:".

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:".

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:".

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:".

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:".

login:24 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-${RANDOM}' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-SZCtzZ7LCFH8hfvPjAfOXfkEt4EufjtpVKURw1yEKek='), or a nonce ('nonce-...') is required to enable inline execution.

login:24 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-${RANDOM}'". Either the 'unsafe-inline' keyword, a hash ('sha256-SZCtzZ7LCFH8hfvPjAfOXfkEt4EufjtpVKURw1yEKek='), or a nonce ('nonce-...') is required to enable inline execution.

login:53 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-${RANDOM}'". Either the 'unsafe-inline' keyword, a hash ('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

[Sat Nov 30 19:46:12.377653 2024] [rewrite:trace2] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] init rewrite engine with requested uri /index.php/login, referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377679 2024] [rewrite:trace3] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] applying pattern '.*' to uri '/index.php/login', referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377685 2024] [rewrite:trace5] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] setting env variable 'CSP_NONCE' to '${RANDOM}', referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377689 2024] [rewrite:trace3] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] applying pattern '^/?(.*)' to uri '/index.php/login', referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377694 2024] [rewrite:trace4] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] RewriteCond: input='on' pattern='!=on' => not-matched, referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377697 2024] [rewrite:trace1] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc5650a0/initial] pass through /index.php/login, referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377790 2024] [rewrite:trace2] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc55d0a0/subreq] init rewrite engine with requested uri /login, referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377796 2024] [rewrite:trace3] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc55d0a0/subreq] applying pattern '.*' to uri '/login', referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377803 2024] [rewrite:trace5] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc55d0a0/subreq] setting env variable 'CSP_NONCE' to '${RANDOM}', referer: https://nextcloud.*/
[Sat Nov 30 19:46:12.377806 2024] [rewrite:trace1] [pid 2437101:tid 2437105] mod_rewrite.c(505): [remote 192.168.10.1:61453] 192.168.10.1 - - [nextcloud.*/sid#7990dd1dbd40][rid#7990dc55d0a0/subreq] pass through /login, referer: https://nextcloud.*/

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "default_phone_region": "TH",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.2.2",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "data-fingerprint": "802e1df29f697d7759d1bed3b17ec883",
        "maintenance": false,
        "app_install_overwrite": [
            "breezedark"
        ],
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/go-vod-amd64",
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\Movie"
        ],
        "preview_max_memory": 16000,
        "preview_max_filesize_image": 100,
        "memories.vod.disable": false,
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "memories.vod.vaapi": true,
        "memories.vod.vaapi.low_power": true,
        "memories.gis_type": 1,
        "theme": "",
        "loglevel": 2
    }
}

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be run through analyzers / formatters by those trying to help you.
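The browser console above explains the blank login page: the nonce source ended up as the literal text `'nonce-${RANDOM}'`, which is not a base64 value, so the browser discards that source and then blocks every inline script and style that relied on it. The following is an added example, not code from the original post or from Nextcloud or Apache: a small CSP linter in Python that parses a Content-Security-Policy header value, flags nonce sources whose value is not base64 (the exact defect shown in the console), and checks across several captured response headers whether the same nonce value repeats, since a nonce that does not change per response gives no protection even when it is syntactically valid. The source-expression grammar is an approximation of the CSP3 grammar (keywords, nonce/hash sources, scheme and host sources), and the sample headers are constructed from the one in the post.

```python
import base64
import re
import secrets
from typing import Dict, List, Optional

# CSP3 base64-value grammar: 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
_BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
             "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'"}
_HASH_ALGOS = ("sha256", "sha384", "sha512")
_SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")          # blob:, https:
_HOST_SOURCE = re.compile(r"^(\*|[A-Za-z0-9*.-]+)(:[0-9*]+)?(/[^\s;,]*)?$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # duplicate directive names: browsers keep the first
    return policy


def check_source(src: str) -> Optional[str]:
    """Return a problem description for one source expression, or None if it looks valid."""
    if src in _KEYWORDS:
        return None
    if src.startswith("'nonce-") and src.endswith("'"):
        value = src[len("'nonce-"):-1]
        if not _BASE64_VALUE.match(value):
            # This is the case from the post: '${RANDOM}' was never expanded by Apache.
            return f"invalid nonce value {value!r}: must be base64, browsers ignore the whole source"
        return None
    if src.startswith("'") and src.endswith("'"):
        algo, _, digest = src[1:-1].partition("-")
        if algo in _HASH_ALGOS and _BASE64_VALUE.match(digest):
            return None
        return f"unknown quoted keyword {src}"
    if _SCHEME_SOURCE.match(src) or "://" in src or _HOST_SOURCE.match(src):
        return None
    return f"unrecognised source expression {src!r}"


def lint_csp(header: str) -> List[str]:
    """Collect every problem in a policy, each prefixed with its directive name."""
    problems: List[str] = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            issue = check_source(src)
            if issue:
                problems.append(f"{directive}: {issue}")
    return problems


def extract_nonces(header: str) -> List[str]:
    """All distinct nonce values used anywhere in the policy."""
    return sorted({s[len("'nonce-"):-1]
                   for sources in parse_csp(header).values()
                   for s in sources if s.startswith("'nonce-")})


def nonce_reused(headers: List[str]) -> bool:
    """True if any nonce value appears in more than one captured response header."""
    seen = set()
    for header in headers:
        for nonce in extract_nonces(header):
            if nonce in seen:
                return True
            seen.add(nonce)
    return False


def fresh_nonce() -> str:
    """A per-response nonce: 128 random bits, base64-encoded as CSP requires."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_policy(nonce: str) -> str:
    """The post's policy shape, with a real nonce value substituted in."""
    return f"default-src 'self'; style-src 'self' 'nonce-{nonce}'; script-src 'self' 'nonce-{nonce}'"


# Constructed sample: the header the post's Apache config actually emitted (literal ${RANDOM}).
BROKEN = "default-src 'self'; style-src 'self' 'nonce-${RANDOM}'; script-src 'self' 'nonce-${RANDOM}';"

if __name__ == "__main__":
    for problem in lint_csp(BROKEN):
        print("BROKEN ->", problem)
    responses = [build_policy(fresh_nonce()) for _ in range(3)]
    print("fresh policies lint clean:", lint_csp(responses[0]) == [])
    print("nonce reused across fresh responses:", nonce_reused(responses))
    print("nonce reused across broken responses:", nonce_reused([BROKEN, BROKEN]))
```

Run it against headers copied from the browser's Network tab (one per page load): a syntactically valid nonce that is identical on every response is reported by `nonce_reused`, which is the check to keep in mind once the literal `${RANDOM}` is replaced by whatever mechanism actually generates a value per request.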