Issue:
- When accessing my Nextcloud instance via the reverse proxy URL I cannot log in, with the below error.
- Please note I broke the https links in the snippet below due to the link quantity restriction for new posters, but they actually show as proper links.
Refused to send form data to 'https:cloud.mydomainredacted.shop/login' because it violates the following Content Security Policy directive: "form-action 'self' https:cloud.mydomainredacted.shop/ https:cloud.mydomainredacted.shop/login".
Configuration:
- Nginx reverse proxy passes connection to nginx web server hosting nextcloud content
- Nextcloud runs in podman pod using the official nextcloud-fpm docker container
- A local nginx instance runs within the same pod serving the nextcloud content
Nextcloud:
- Official Nextcloud-fpm docker container and official nginx container
- Nextcloud version: 25.0.2
- Local Nginx version: 1.22.1
- Nginx Config File: https://pastebin.com/yAj1j2Vp
Reverse Proxy:
- Oracle Linux
- Nginx Version: 1.14.1
- Nginx Config File: https://pastebin.com/Npe6HgDD
Troubleshooting / Findings:
- Accessing the Nextcloud local Nginx instance via IP directly fully works as normal
- Accessing Nextcloud via the reverse proxy will work if I already have an active logged in session
- Using the reverse proxy with no active session, or logging out and attempting a new login via the reverse proxy URL, is unsuccessful due to the aforementioned error
- Increased debug didn’t reveal additional info in the Nextcloud log
- Is this the first time you’ve seen this error? Yes
- I did add my domain and mydomain/login to the CSP PHP file in Nextcloud, which is what you are seeing in the directive above, thinking this may help, but it made no change
Browser debug tools inspecting the content security policy headers:
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-K1FxTEdITXlhODJRNmFrWlB3d3YyYSt1cXluMlFubVBEWVJUL3cydzM4OD06cVgvSllRbFlLcWpaditaTlYyRmhsT1BabTJHeEl5bmFmTllnbW5UUmk0ND0=' https:cloud.redacted-domain.shop/;style-src 'self' https:cloud.redacted-domain.shop/ 'unsafe-inline';img-src 'self' https:cloud.redacted-domain.shop/ data: blob:;font-src 'self' https://cloud.redacted-domain.shop/ data:;connect-src 'self' https:cloud.redacted-domain.shop/;media-src 'self' https:cloud.redacted-domain.shop/;frame-src 'self' nc:;frame-ancestors 'self';form-action 'self' https:cloud.redacted-domain.shop/ https:cloud.redacted-domain.shop/login
The output of your Nextcloud log in Admin > Logging:
- No logging is produced here when the issue is reproduced
The output of your config.php file in /path/to/nextcloud:
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'objectstore' =>
  array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' =>
    array (
      'bucket' => 'redacted',
      'key' => 'redacted',
      'secret' => 'redacted',
      'region' => '',
      'hostname' => 's3.us-east-005.backblazeb2.com',
      'port' => '443',
      'objectPrefix' => 'urn:oid:',
      'autocreate' => true,
      'use_ssl' => true,
      'use_path_style' => false,
      'legacy_auth' => false,
    ),
  ),
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' =>
  array (
    0 => 'redacted-ip',
    1 => 'redacted-ip',
    2 => 'cloud.redacted-domain.shop',
  ),
  'trusted_proxies' =>
  array (
    0 => 'redacted-ip',
    1 => 'redacted-ip',
    2 => 'cloud.redacted-domain.shop',
  ),
  'datadirectory' => '/var/www/html/data',
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_X_FORWARDED',
  ),
  'dbtype' => 'mysql',
  'version' => '25.0.2.3',
  'overwrite.cli.url' => 'https://cloud.redacted-domain.shop',
  'overwriteprotocol' => 'https',
  'dbname' => 'redacted',
  'dbhost' => '127.0.0.1',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'redacted',
  'dbpassword' => 'redacted',
  'installed' => true,
  'instanceid' => 'redacted',
  'overwritecondaddr' => '^redacted-ip$',
  'maintenance' => false,
);
Output of Nginx Reverse Proxy access log when submitting the blocked login attempt
redacted workstation ip - - [15/Jan/2023:07:49:25 +0000] "POST /login HTTP/2.0" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "-"
Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for
- No errors generated when reproducing this event
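
The access log above shows the POST to /login reaching the server and returning a 303, so one thing worth checking is the Location header of that response: Chromium-based browsers also apply form-action to the redirect that follows a form submission. The following is an added example, not part of the original post, that evaluates a target against a form-action source list. The host names, the policy string and the Location values are constructed, and the matcher covers only a subset of CSP source matching ('none', 'self' and scheme://host[:port][/path], no wildcards).

```javascript
'use strict';
// Added example: subset of CSP Level 3 source matching for form-action.
// Supports 'none', 'self' and scheme://host[:port][/path]; no wildcards.

function formActionSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'form-action') return sources;
  }
  return null; // no form-action directive: form targets are unrestricted
}

function matchesSource(source, target, pageOrigin, isRedirect) {
  if (source === "'none'") return false;
  let src;
  try {
    src = new URL(source === "'self'" ? pageOrigin : source);
  } catch {
    return false; // source form outside this subset
  }
  // An http: source also covers https: (upgrade), never the other way round.
  const schemeOk = src.protocol === target.protocol ||
    (src.protocol === 'http:' && target.protocol === 'https:');
  if (!schemeOk || src.hostname !== target.hostname || src.port !== target.port) return false;
  // 'self' has no path; after a redirect the path part is ignored.
  if (source === "'self'" || isRedirect) return true;
  return src.pathname.endsWith('/')
    ? target.pathname.startsWith(src.pathname)
    : target.pathname === src.pathname;
}

function formActionAllows(cspHeader, pageUrl, targetUrl, isRedirect = false) {
  const sources = formActionSources(cspHeader);
  if (sources === null) return true;
  const target = new URL(targetUrl);
  const origin = new URL(pageUrl).origin;
  return sources.some((s) => matchesSource(s, target, origin, isRedirect));
}

// Constructed policy in the shape of the header quoted in the post.
const CSP = "default-src 'none';frame-ancestors 'self';" +
  "form-action 'self' https://cloud.example.test/ https://cloud.example.test/login";
const PAGE = 'https://cloud.example.test/login';
// Constructed Location values a backend might return in the 303.
for (const loc of ['https://cloud.example.test/apps/dashboard/',
  'http://cloud.example.test/apps/dashboard/', 'http://192.0.2.10/apps/dashboard/']) {
  console.log(loc, formActionAllows(CSP, PAGE, loc, true) ? 'allowed' : 'blocked');
}
```

To compare against a real response, read the Location header of the 303 from the browser's network tab or the proxy and pass it as the target with `isRedirect` set to `true`.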