Apache reverseproxy - logon issue related to CSP and configuration


Nextcloud version : 17.0.4
Operating system and version: Debian buster
Apache: Apache/2.4.38
PHP version (eg, 7.1): 7.3

Is this the first time you’ve seen this error? (Y/N): yes, after upgrade


I have an issue related to logon problems: “Refused to send form data to ‘http://redacted/’ because it violates the following Content Security Policy directive: “form-action ‘self’”.”
I have read all topics related to this issue (here and on GitHub) and I couldn’t find a solution.

In the Nextcloud config I have:

  'overwrite.cli.url' => 'https://redacted',

  'overwritehost' => 'redacted',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^redacted_reverse_proxy_ip$',

My configuration looks like this:

VM Apache2 reverseproxy > VM backend virtual host with nextcloud (also apache2)

On the backend, in apache2.conf, I have this configuration:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy redacted

These lines help me see the remote client IP; logs are sent back via remote syslog to the reverse proxy to be parsed with the fail2ban tool. On the backend server I also have some other virtual hosts (not only Nextcloud).
When the line “RemoteIPHeader X-Forwarded-For” is deleted, everything works great and there is no logon issue, but with it I get the error mentioned above. I can’t delete “RemoteIPHeader X-Forwarded-For”, because instead of the remote clients’ IPs I would only have the reverse proxy IP, so it would be useless for fail2ban.

Any idea how I can solve this?
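
A small model of how the two settings in the post interact, added here as an example; it is not code from the post or from Nextcloud. It assumes that Nextcloud tests `overwritecondaddr` against the `REMOTE_ADDR` PHP receives and that mod_remoteip replaces that address with the `X-Forwarded-For` client when the peer is the listed internal proxy; the IP addresses are constructed and the function names are hypothetical.

```python
import re

PROXY_IP = "192.0.2.10"      # constructed stand-in for the redacted reverse proxy
CLIENT_IP = "203.0.113.7"    # constructed browser address

CONFIG = {                   # mirrors the overwrite* keys quoted in the post
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^192\.0\.2\.10$",
}

def remote_addr_for_php(peer_ip, x_forwarded_for, remoteip_enabled, internal_proxies):
    """Address the backend hands to PHP as REMOTE_ADDR."""
    if not remoteip_enabled:
        return peer_ip
    addr = peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # mod_remoteip walks the header right to left while the current address is trusted
    while hops and addr in internal_proxies:
        addr = hops.pop()
    return addr

def generated_scheme(remote_addr, config, backend_tls=False):
    """Scheme used for generated URLs (simplified: X-Forwarded-Proto is left out)."""
    cond = config.get("overwritecondaddr", "")
    matches = cond == "" or re.search(cond, remote_addr) is not None
    if config.get("overwriteprotocol") and matches:
        return config["overwriteprotocol"]
    return "https" if backend_tls else "http"

def form_action_allowed(page_scheme, action_scheme):
    """form-action 'self' needs the form target on the page's own origin, scheme included."""
    return page_scheme == action_scheme

def simulate(remoteip_enabled, config=CONFIG):
    """Return (REMOTE_ADDR, scheme of the login form target, CSP verdict)."""
    addr = remote_addr_for_php(PROXY_IP, CLIENT_IP, remoteip_enabled, {PROXY_IP})
    scheme = generated_scheme(addr, config)
    # The browser always loads the page from the proxy over https.
    return addr, scheme, form_action_allowed("https", scheme)

if __name__ == "__main__":
    for enabled in (False, True):
        print("RemoteIPHeader set:", enabled, "->", simulate(enabled))
    unconditional = dict(CONFIG, overwritecondaddr="")
    print("RemoteIPHeader set, no overwritecondaddr ->", simulate(True, unconditional))
```

In this model the overwrite stops applying as soon as `REMOTE_ADDR` becomes the client address, and an empty `overwritecondaddr` makes it unconditional again while the access log still records the real client IP for fail2ban.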