Hello Dear Community,
I have a Nextcloud 19.0.3 install on a FreeBSD machine. Another server is our reverse proxy (Pound); https access is working, no problem.
My httpd.conf:
###
### httpd.servername.conf
###

# Dynamic Shared Object (DSO) Support
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
# php-fpm needs the following modules
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so

# ServerName gives the name and port that the server uses to identify itself.
# Respect jail lo0 ip
ServerName 127.1.0.1
# Listen: Allows you to bind Apache to specific IP addresses and/or ports
Listen *:80
# The location and format of the access logfile (Common Logfile Format).
CustomLog "/var/log/httpd-access.log" combined
# LogLevel debug

<VirtualHost *:80>
    ServerName default
    DocumentRoot "/usr/local/www/apache24/data"
    <Directory "/usr/local/www/apache24/data">
        Options None
        AllowOverride None
        <FilesMatch "^(|index.html)$">
            Require all granted
        </FilesMatch>
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName domain.de
    ServerAlias servername
    ServerAlias localhost
    DocumentRoot "/usr/local/www/nextcloud"
    Alias /testcloud /usr/local/www/nextcloud
    <Directory "/usr/local/www/nextcloud">
        # hand .php files to php-fpm over its unix socket
        AddHandler "proxy:unix:/var/run/php-fpm-www.sock|fcgi://localhost/" .php
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
My config.php:
<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'passwordsalt' => 'xkgjAHFo3ZKPfQhHfTSlmcInWOtFwd',
  'secret' => 'uGmu19fcEd80Vzt975/ZGVSQSN7rt4ZofnAxr+NZwa5Lim2x',
  'trusted_domains' =>
  array (
    0 => 'domain.de',
    1 => 'servername',
  ),
  'datadirectory' => '/home/www/nextcloud_data',
  'dbtype' => 'mysql',
  'version' => '19.0.3.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
  'instanceid' => 'oc86wutyevry',
  'logtimezone' => 'Europe/Berlin',
  'log_type' => 'file',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'htaccess.RewriteBase' => '/testcloud',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/testcloud',
  'default_language' => 'de',
);
Access via external (https) and direct internal (http) is successful. BUT I can only log in to one of them, based on the parameter “overwriteprotocol”. This edits the Location header to http/https on login.
If I log in via http:
Refused to send form data to ‘https://servername/testcloud/’ because it violates the following Content Security Policy directive: “form-action ‘self’”.
If I understand this correctly, this defines the valid values for a successful login. (German: https://wiki.selfhtml.org/wiki/Sicherheit/Content_Security_Policy)
Has anybody tips or tricks to get this working, or is it impossible due to the Content Security Policy?
Edit:
Login gets a step further by removing the form action in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
But it redirects to the https version, caused by the Location header I think, so it leads to ssl_protocol_error.
diff -r nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php nextcloud.backup/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
518a519,523
> if (!empty($this->allowedFormActionDomains)) {
> $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
> $policy .= ';';
> }
>
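Review bot: the five lines listed (the `if (!empty($this->allowedFormActionDomains))` block) are what emit the `form-action` directive, so deleting them from nextcloud/ drops form-action from every Content-Security-Policy header the instance sends, not only from the login page, and the edit sits in a core file that the next upgrade overwrites. The mismatch the directive is flagging comes from `'overwriteprotocol' => 'https'` being applied to every request, including the direct internal http ones; keeping these lines and limiting the override to requests that arrive through the Pound proxy with `overwritecondaddr` (a regex matched against the client address) leaves the CSP intact and makes both the form action and the post-login Location header carry the scheme the browser actually used.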
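As an added illustration (not code from the post or from Nextcloud), the following Python models the two mechanisms that collide here: the browser's "form-action 'self'" check, read strictly as same origin, and a simplified version of how Nextcloud's overwriteprotocol / overwritehost / overwritewebroot / overwritecondaddr settings choose the scheme, host and webroot used for absolute URLs such as the login form action and the post-login Location header. The overwrite model is an assumption based on the documented behaviour, not a copy of Nextcloud's code; the proxy address 10.0.0.5 and the internal client address 192.168.1.20 are constructed. It shows why the post's configuration can only ever satisfy one of the two access paths, and that restricting the override to the proxy's address keeps both paths on a matching scheme without touching the CSP.

```python
import re
from urllib.parse import urlsplit

# Added example, not Nextcloud code. Models (1) the browser's
# "form-action 'self'" check and (2) a simplified reading of how Nextcloud's
# overwrite* settings decide the scheme/host/webroot of absolute URLs.

DEFAULT_PORTS = {"http": 80, "https": 443}

# The policy Nextcloud sends with the login page, reduced to the part that matters.
CSP = "default-src 'self'; form-action 'self'"


def origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def form_action_allowed(csp_header, page_url, action_url):
    """True if the policy lets a form on page_url submit to action_url.

    'self' is read strictly as same origin (scheme, host and port must all
    match), which is the reading the browser in the post applied: an http
    page may not post to an https URL of the same host.
    """
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:  # no form-action directive: submissions are unrestricted
        return True
    page, action = origin(page_url), origin(action_url)
    for src in sources:
        src = src.lower()
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'" and page == action:
            return True
        # host-source such as https://domain.de: compare it as an origin
        if src.startswith(("http://", "https://")) and origin(src) == action:
            return True
    return False


def nextcloud_base_url(request_scheme, request_host, request_webroot,
                       remote_addr, config):
    """Simplified model (an assumption, not Nextcloud's code) of the
    overwriteprotocol/overwritehost/overwritewebroot settings: each override
    replaces the value seen on the request only when it is set and
    overwritecondaddr is empty or its regex matches the client address.
    The login form action and the post-login Location header are built
    from this base URL."""
    cond = config.get("overwritecondaddr", "")
    override = not cond or re.search(cond, remote_addr) is not None

    def pick(key, request_value):
        value = config.get(key, "")
        return value if override and value else request_value

    return "%s://%s%s/" % (pick("overwriteprotocol", request_scheme),
                           pick("overwritehost", request_host),
                           pick("overwritewebroot", request_webroot))


# Constructed clients. Pound terminates TLS, so Apache sees plain http from
# both; only the browser-side page URL and the client address differ.
INTERNAL = {"page": "http://servername/testcloud/login",
            "host": "servername", "remote_addr": "192.168.1.20"}
EXTERNAL = {"page": "https://domain.de/testcloud/login",
            "host": "domain.de", "remote_addr": "10.0.0.5"}  # Pound's address (constructed)

# The post's settings: the https override applies to every request.
POST_CONFIG = {"overwriteprotocol": "https", "overwritewebroot": "/testcloud"}
# Same overrides, but only for requests that arrive from the proxy.
FIXED_CONFIG = dict(POST_CONFIG, overwritecondaddr=r"^10\.0\.0\.5$")


def login_allowed(config, client):
    """Would the browser let the login form on client['page'] submit?"""
    action = nextcloud_base_url("http", client["host"], "/testcloud",
                                client["remote_addr"], config)
    return form_action_allowed(CSP, client["page"], action)


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "internal:", login_allowed(cfg, INTERNAL),
              "external:", login_allowed(cfg, EXTERNAL))
```

With the post's settings the internal http login is refused because the form action is rewritten to https://servername/..., while dropping overwriteprotocol altogether would instead refuse the external https login; only the conditional override satisfies both, and the same base URL is what the Location header after login carries, which is why the redirect ends in ssl_protocol_error on the http-only internal name.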