Accessing nextcloud through reverse proxy not allowed to login because it violates the CSP

Issue:

  • When accessing my nextcloud instance via reverse proxy url I cannot login with the below error.
  • Please note I broke the https links in the snippet below due to link quantity restriction for new posters but they actually show as proper links

Refused to send form data to 'https:cloud.mydomainredacted.shop/login' because it violates the following Content Security Policy directive: "form-action 'self' https:cloud.mydomainredacted.shop/ https:cloud.mydomainredacted.shop/login".

Configuration:

  • Nginx reverse proxy passes connection to nginx web server hosting nextcloud content
  • Nextcloud runs in podman pod using the official nextcloud-fpm docker container
  • A local nginx instance runs within the same pod serving the nextcloud content

Nextcloud:

  • Official Nextcloud-fpm docker container and official nginx container
  • Nextcloud version: 25.0.2
  • Local Nginx version: 1.22.1
  • Nginx Config File: https://pastebin.com/yAj1j2Vp

Reverse Proxy:

  • Oracle Linux
  • Nginx Version: 1.14.1
  • Nginx Config File: https://pastebin.com/Npe6HgDD

Troubleshooting / Findings:

  • Accessing the Nextcloud local Nginx instance via IP directly fully works as normal
  • Accessing Nextcloud via the reverse proxy will work if I already have an active logged in session
  • When using the reverse proxy with no active session, or after logging out, attempting a new login via the reverse proxy URL is unsuccessful due to the aforementioned error
  • Increased debug didn’t reveal additional info in the nextcloud log
  • Is this the first time you’ve seen this error? Yes
  • I did add my domain and mydomain/login to the CSP PHP file in Nextcloud (which is what you are seeing in the directive above), thinking this may help, but it made no change

Browser debug tools inspecting the content security policy headers:

default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-K1FxTEdITXlhODJRNmFrWlB3d3YyYSt1cXluMlFubVBEWVJUL3cydzM4OD06cVgvSllRbFlLcWpaditaTlYyRmhsT1BabTJHeEl5bmFmTllnbW5UUmk0ND0=' https:cloud.redacted-domain.shop/;style-src 'self' https:cloud.redacted-domain.shop/ 'unsafe-inline';img-src 'self' https:cloud.redacted-domain.shop/ data: blob:;font-src 'self' https://cloud.redacted-domain.shop/ data:;connect-src 'self' https:cloud.redacted-domain.shop/;media-src 'self' https:cloud.redacted-domain.shop/;frame-src 'self' nc:;frame-ancestors 'self';form-action 'self' https:cloud.redacted-domain.shop/ https:cloud.redacted-domain.shop/login

The output of your Nextcloud log in Admin > Logging:
- No logging is produced here when the issue is reproduced

The output of your config.php file in /path/to/nextcloud:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'objectstore' =>
  array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' =>
    array (
      'bucket' => 'redacted',
      'key' => 'redacted',
      'secret' => 'redacted',
      'region' => '',
      'hostname' => 's3.us-east-005.backblazeb2.com',
      'port' => '443',
      'objectPrefix' => 'urn:oid:',
      'autocreate' => true,
      'use_ssl' => true,
      'use_path_style' => false,
      'legacy_auth' => false,
    ),
  ),
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' =>
  array (
    0 => 'redacted-ip',
    1 => 'redacted-ip',
    2 => 'cloud.redacted-domain.shop',
  ),
  'trusted_proxies' =>
  array (
    0 => 'redacted-ip',
    1 => 'redacted-ip',
    2 => 'cloud.redacted-domain.shop',
  ),
  'datadirectory' => '/var/www/html/data',
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_X_FORWARDED',
  ),
  'dbtype' => 'mysql',
  'version' => '25.0.2.3',
  'overwrite.cli.url' => 'https://cloud.redacted-domain.shop',
  'overwriteprotocol' => 'https',
  'dbname' => 'redacted',
  'dbhost' => '127.0.0.1',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'redacted',
  'dbpassword' => 'redacted',
  'installed' => true,
  'instanceid' => 'redacted',
  'overwritecondaddr' => '^redacted-ip$',
  'maintenance' => false,
);

Output of Nginx Reverse Proxy access log when submitting the blocked login attempt

redacted workstation ip  - - [15/Jan/2023:07:49:25 +0000] "POST /login HTTP/2.0" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "-"
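The proxy log above shows the blocked POST /login being answered with a 303 redirect, and Chrome also applies form-action to the Location of a redirect that follows a form POST (Firefox does not), so one thing to check is whether that redirect target is still covered by the form-action source list. The following checker is an added example, not Nextcloud, nginx or browser code; it evaluates the form-action directive of a CSP constructed from the post (with the deliberately broken "https:" links restored to "https://") against a few hypothetical redirect targets:

```python
"""Added debugging aid, not Nextcloud or nginx code: evaluate URLs against the
form-action directive of the CSP header quoted in the post (the deliberately
broken "https:" links are restored to "https://" in this constructed copy)."""
from urllib.parse import urlsplit

CSP = ("default-src 'none';form-action 'self' https://cloud.redacted-domain.shop/ "
       "https://cloud.redacted-domain.shop/login")
PAGE_ORIGIN = "https://cloud.redacted-domain.shop"  # constructed from the post
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Return {directive: [source expressions]} from a serialized policy."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(expr, url, origin):
    """Approximate CSP3 source-expression matching of one URL."""
    u, o = urlsplit(url), urlsplit(origin)
    if expr == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (o.scheme, o.hostname, _port(o))
    if expr.startswith("'"):  # 'none', nonces, hashes, 'unsafe-inline': no URL matches
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. https:
        return u.scheme == expr[:-1].lower()
    s = urlsplit(expr if "://" in expr else "//" + expr)  # host-source
    if s.scheme and s.scheme != u.scheme:
        return False
    if u.hostname != (s.hostname or ""):
        return False
    if s.port and s.port != _port(u):
        return False
    if s.path and s.path != "/":  # trailing slash = prefix match, else exact match
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True

def form_action_allowed(csp, url, origin):
    """True if a form may be submitted (or, in Chrome, redirected) to url."""
    sources = parse_csp(csp).get("form-action")
    if sources is None:  # form-action does not fall back to default-src
        return True
    return any(source_matches(e, url, origin) for e in sources)
```

Feed the Location header of the observed 303 in as `url`: an http:// target or one on a different host fails the check even though the original form URL, which is what the Chrome error message names, is allowed.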

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for
- No errors generated when reproducing this event

If any additional info / logs / testing might be needed, please let me know; I’m happy to check and test whatever is needed to get this reverse proxy issue resolved so I can complete my implementation.

Similar to someone else’s thread, I’ve found that this only seems to be an issue in Chrome/Edge, but Firefox has no issue. Not sure how to troubleshoot this issue further and could use any guidance / suggestions on what to check next.