Accessing Nextcloud via https (Reverse Proxy) and http directly?

Hello Dear Community,

i got a nextcloud 19.0.3 Install on a FreeBSD Machine. Another Server is our reverse Proxy (Pound), https access is working, no problem.

My httpd.conf:

### httpd.servername.conf

# Dynamic Shared Object (DSO) Support
LoadModule rewrite_module libexec/apache24/
# php-fpm needs following Modules
LoadModule proxy_module libexec/apache24/
LoadModule proxy_fcgi_module libexec/apache24/

# ServerName gives the name and port that the server uses to identify itself.
# Respect jail lo0 ip

# Listen: Allows you to bind Apache to specific IP addresses and/or ports
Listen *:80

# The location and format of the access logfile (Common Logfile Format).
CustomLog "/var/log/httpd-access.log" combined
# LogLevel debug

<VirtualHost *:80>
    ServerName default
    DocumentRoot "/usr/local/www/apache24/data"

    <Directory "/usr/local/www/apache24/data">
       Options None
       AllowOverride None
       <FilesMatch "^(|index.html)$">
          Require all granted

<VirtualHost *:80>
     ServerAlias  servername
     ServerAlias localhost

     DocumentRoot "/usr/local/www/nextcloud"

     Alias /testcloud /usr/local/www/nextcloud
     <Directory "/usr/local/www/nextcloud">
        AddHandler "proxy:unix:/var/run/php-fpm-www.sock|fcgi://localhost/" .php
        Options FollowSymLinks
        AllowOverride All
        Require all granted


$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'passwordsalt' => 'xkgjAHFo3ZKPfQhHfTSlmcInWOtFwd',
  'secret' => 'uGmu19fcEd80Vzt975/ZGVSQSN7rt4ZofnAxr+NZwa5Lim2x',
  'trusted_domains' => 
  array (
    0 => '',
    1 => 'servername',
  'datadirectory' => '/home/www/nextcloud_data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
  'instanceid' => 'oc86wutyevry',
  'logtimezone' => 'Europe/Berlin',
  'log_type' => 'file',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'htaccess.RewriteBase' => '/testcloud',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/testcloud',
  'default_language' => 'de',

Access via external (https) and direct internal (http) is successful. BUT i can only login to one of them, based on the parameter “overwriteprotocol”. This edits the Location Header to http/https on login.

If i login via http:
Refused to send form data to ‘https://servername/testcloud/’ because it violates the following Content Security Policy directive: “form-action ‘self’”.

if i understand this correctly this defines the valid values for an successfull login. (german:

Has Anybody tips or tricks to get this working or is it impossible due to the content security policy?

Login is a step further by removing the form action in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

But it redirects to the https version caused by the location header i think, so it leads to ssl_protocol_error.

diff -r nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php nextcloud.backup/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
>               if (!empty($this->allowedFormActionDomains)) {
>                       $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
>                       $policy .= ';';
>               }