Apache RewriteBase: argument is not a valid URL failure (NC 21.0.3; subdirectory in URL)

I have a strange error using the Nextcloud Apache Docker image with v21.0.3 of Nextcloud and an installation in a subdirectory.

The older version i.e. <v21.0.3 worked, strangely.

The problem

[Sat Jul 03 09:19:39.787244 2021] [core:alert] [pid 98] [client 10.0.2.100:38370] /var/www/html/.htaccess: RewriteBase: argument is not a valid URL
10.0.2.100 - - [03/Jul/2021:09:19:39 +0000] "GET /status.php HTTP/1.1" 500 800 "-" "curl/7.76.1"

The file itself worked in the past/until now:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase https://***:port/subdir/
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Docker-compose snippet:

nc:
    image: nextcloud:21-apache
    restart: unless-stopped
    ports:
      - "***:80"
    volumes: &nextcloud_volumes
      - nc_data:/var/www/html
      - […]
    […]
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/status.php"]
      interval: 1m30s
      timeout: 10s
      retries: 3
      start_period: 40s

From podman inspect shows the healthckec fails (it requests status.php) due to an update today:

            "StartedAt": "2021-07-03T00:00:51.015095615+02:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "unhealthy",
                "FailingStreak": 457,
                "Log": [
                    {
                        "Start": "2021-07-03T11:27:53.85297986+02:00",
                        "End": "2021-07-03T11:27:54.090700577+02:00",
                        "ExitCode": 1,
                        "Output": ""
                    },
                    {
                        "Start": "2021-07-03T11:29:24.851330462+02:00",
                        "End": "2021-07-03T11:29:25.028279854+02:00",
                        "ExitCode": 1,
                        "Output": ""
                    },
                    {
                        "Start": "2021-07-03T11:30:55.861971966+02:00",
                        "End": "2021-07-03T11:30:56.111280348+02:00",
                        "ExitCode": 1,
                        "Output": ""
                    },
                    {
                        "Start": "2021-07-03T11:32:26.853488825+02:00",
                        "End": "2021-07-03T11:32:27.044844944+02:00",
                        "ExitCode": 1,
                        "Output": ""
                    },
                    {
                        "Start": "2021-07-03T11:33:57.856059518+02:00",
                        "End": "2021-07-03T11:33:58.027539026+02:00",
                        "ExitCode": 1,
                        "Output": ""
                    }
                ]
            }

Images:

$ podman images
REPOSITORY                   TAG        IMAGE ID      CREATED       SIZE
docker.io/library/nextcloud  21-apache  068f511d11c8  16 hours ago  896 MB
docker.io/library/mariadb    latest     6d5c5ed114ad  9 days ago    414 MB
docker.io/library/redis      alpine     1690b63e207f  4 weeks ago   33.5 MB
k8s.gcr.io/pause             3.5        ed210e3e4a5b  3 months ago  690 kB
$ $ podman image inspect docker.io/library/nextcloud:21-apache
[
    {
        "Id": "068f511d11c8ee7e327ba469344c27fce2a03879c209bd20b58d78dd29a8742f",
        "Digest": "sha256:3de296cb87d5cdf535da02c5755137785037d3e064ec0288ca4920800d5e9e95",
        "RepoTags": [
            "docker.io/library/nextcloud:21-apache"
        ],
        "RepoDigests": [
            "docker.io/library/nextcloud@sha256:3de296cb87d5cdf535da02c5755137785037d3e064ec0288ca4920800d5e9e95",
            "docker.io/library/nextcloud@sha256:e12a68ff2c6a61457c0d946bc03694cfc5299678cb9acc0c1d384adbb454b54b"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2021-07-02T18:00:52.042011795Z",
        "Config": {
            "ExposedPorts": {
                "80/tcp": {}
            },
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "PHPIZE_DEPS=autoconf \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\tlibc-dev \t\tmake \t\tpkg-config \t\tre2c",
                "PHP_INI_DIR=/usr/local/etc/php",
                "APACHE_CONFDIR=/etc/apache2",
                "APACHE_ENVVARS=/etc/apache2/envvars",
                "PHP_EXTRA_BUILD_DEPS=apache2-dev",
                "PHP_EXTRA_CONFIGURE_ARGS=--with-apxs2 --disable-cgi",
                "PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64",
                "PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64",
                "PHP_LDFLAGS=-Wl,-O1 -pie",
                "GPG_KEYS=42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312",
                "PHP_VERSION=7.4.21",
                "PHP_URL=https://www.php.net/distributions/php-7.4.21.tar.xz",
                "PHP_ASC_URL=https://www.php.net/distributions/php-7.4.21.tar.xz.asc",
                "PHP_SHA256=cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90",
                "PHP_MEMORY_LIMIT=512M",
                "PHP_UPLOAD_LIMIT=512M",
                "NEXTCLOUD_VERSION=21.0.3"
            ],
            "Entrypoint": [
                "/entrypoint.sh"
            ],
            "Cmd": [
                "apache2-foreground"
            ],
            "Volumes": {
                "/var/www/html": {}
            },
            "WorkingDir": "/var/www/html",
            "StopSignal": "SIGWINCH"
        },
        "Version": "20.10.7",
        "Author": "",
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 895974042,
        "VirtualSize": 895974042,
        […]
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:764055ebc9a7a290b64d17cf9ea550f1099c202d83795aa967428ebdf335c9f7",
                "sha256:e02cc87a00633762be56e632e802faa7de99b617e909facbec18a51983e80956",
                "sha256:6e4ff68f07bd0cc75430eee06b5dbfa505df7a75e47bae716fd7cb9cd36c9a1e",
                "sha256:87eeceedc1f78823b623ee93ff03aa4a8322cd5839b709b92228c43acd697c69",
                "sha256:dc312d3ad2e139ec915c2b4843492258311fb2b0a063182325dbde00a2e3bffb",
                "sha256:984e1a0eb8451f68576fd3ec9d6b9d2fd398908081cd7a2be0f018ed401dd995",
                "sha256:e95af925b6b09cb2edaa32f0b30b698dbc4707fe275d7557c8a1857fe0f52964",
                "sha256:c5bb0d416b0a5378ab40505e87218c7de1d6062dfbb385948d04e68c14d6891c",
                "sha256:c51941fd72e0b62e6b86aba1efc2973e34d65038ec66e28b48a1e145716f5046",
                "sha256:d3c6dfa4c7d22add9d8f0a90813f1f055292fbf8bf2d754cd955041dad1060b8",
                "sha256:93c4c602aa40f4254c856da50f48e8ceb952b5088d1c15597fe9e54a99901f5b",
                "sha256:efb318104fd65c85b06d8c2b873c71c674795b669e594b25d344f172a41759a8",
                "sha256:60c1f5684371760ebd2598a5fa06398641fe1cde30d988789a02558c406c17b9",
                "sha256:2f095f048016ebefa5e3c07bf7f4c4cc5bc87ef5effff1a224199bccda816b23",
                "sha256:26f0090b7eef64be983b283b56d5c8c8edd912bd7bed1ae1074cc2c75df15630",
                "sha256:a54a01dc87bdfbaa4ce36af16f802b67dd3e06a473bad103e0da85f68efe1947",
                "sha256:cbbdb9d3666586ba3af852a349f3abbbf90c0579e1b731a6f0e8e968833da94b",
                "sha256:cdb9591a64f7e3b0aa4901ff6dbf07009570ea83bada898ad9b3d665f65f9e3a",
                "sha256:56d34a61620a337b782fbda62fc552b7ce7dcc378b862f58e7614531d64f5e8f",
                "sha256:5d3405bae2c91711f130f4989a8b8d5f7e71cf5cd64c3b26c5c5f6fd1e3edb8f"
            ]
        },
       "Labels": null,
        "Annotations": {},
        "ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
        "User": "",
        "History": [
            {
                "created": "2021-06-23T00:20:40.386610922Z",
                "created_by": "/bin/sh -c #(nop) ADD file:4903a19c327468b0e08e4f463cfc162c66b85b4618b5803d71365862f6302e0b in / "
            },
       […]

Based on that I see it is this build:
https://hub.docker.com/layers/nextcloud/library/nextcloud/21-apache/images/sha256-e12a68ff2c6a61457c0d946bc03694cfc5299678cb9acc0c1d384adbb454b54b?context=explore

Every other build before worked fine.

More information

occ status works fine:

 - installed: true
  - version: 21.0.3.1
  - versionstring: 21.0.3
  - edition: 

Nextcloud release v21.0.3 was just a maintainance release, so I doubt it is the cause: https://nextcloud.com/changelog/#21-0-3

$ podman --version
podman version 3.2.0

x86_64

I found Error 500 - "RewriteBase: argument is not a valid URL" · Issue #1576 · nextcloud/server · GitHub but that pointed to 404 links and did not help.

Also AFAIK I did not manually configure that file. I have no idea why RewriteBase is set incorrectly there…

Solving the first error

The error lies within this .htaccess part:

RewriteBase https://***:port/subdir/

It should be this instead:

RewriteBase /subdir

When changed manually, it works.

Something in the container/startup scripts or whatever, seems to have improperly written this…

Still redirect errors…

But even if that is fixed, I get some strange internal redirect errors when accessing /login/v2/flow/ stuff:

[Sat Jul 03 09:54:04.002837 2021] [core:error] [pid 2059] [client 10.0.2.100:39262] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

Part of config.php:

$CONFIG = array (
  'htaccess.RewriteBase' => 'https://****:port/subdir/',
  […]
  'overwritehost' => '****:port',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/subdir',

This looks all unchanged and not as if it was a problem…

Also getting errors from the encryption module, though I’m not sure whether that is related:

Error     no app in context   OC\ForbiddenException: This request is not allowed to access the filesystem at lib/private/Lockdown/Filesystem/NullStorage.php line   2021-07-03T12:01:48+02:00  
                                42                                                                                                                                                               
                                                                                                                                                                                                 
                                 0. lib/private/Files/View.php line 1172                                                                                                                         
                                    OC\Lockdown\Filesystem\NullStorage->mkdir("files_encryption")                                                                                                
                                 1. lib/private/Files/View.php line 272                                                                                                                          
                                    OC\Files\View->basicOperation("mkdir", "\/**username**\/files_encryption", ["create","write"])                                                                       
                                 2. lib/private/Encryption/Keys/Storage.php line 485                                                                                                             
                                    OC\Files\View->mkdir("\/**username**\/files_encryption")                                                                                                             
                                 3. lib/private/Encryption/Keys/Storage.php line 338                                                                                                             
                                    OC\Encryption\Keys\Storage->keySetPreparation("\/**username**\/files_encryption\/OC_DEFAULT_MODULE")                                                                 
                                 4. lib/private/Encryption/Keys/Storage.php line 132                                                                                                             
                                    OC\Encryption\Keys\Storage->setKey(                                                                                                                          
                                      "\/**username**\/files_encryption\/OC_DEFAULT_MODULE\/**username**.publicKey",                                                                                             
                                      {key:"LS0tLS1C************************************ ... "}                                                                 
                                    )                                                                                                                                                            
                                 5. apps/encryption/lib/KeyManager.php line 334                                                                                                                  
                                    OC\Encryption\Keys\Storage->setUserKey(                                                                                                                      
                                      "*** sensitive parameter replaced ***",                                                                                                                    
                                      "publicKey",                                                                                                                                               
                                      "-----BEGIN PUBLIC KEY-----\**************8AMIICCgKCAgEA0gQWij ... n",                                                                    
                                      "OC_DEFAULT_MODULE"                                                                                                                                        
                                    )                                                                                                                                                            
                                 6. apps/encryption/lib/KeyManager.php line 293                                                                                                                  
                                    OCA\Encryption\KeyManager->setPublicKey(                                                                                                                     
                                      "*** sensitive parameter replaced ***",                                                                                                                    
                                      "-----BEGIN PUBLIC KEY-----\**************8AMIICCgKCAgEA0gQWi ... n"                                                                      
                                    )                                                                                                                                                            
                                 7. apps/encryption/lib/Users/Setup.php line 54                                                                                                                  
                                    OCA\Encryption\KeyManager->storeKeyPair("*** sensitive parameters replaced ***")                                                                             
                                 8. apps/encryption/lib/Hooks/UserHooks.php line 180                                                                                                             
                                    OCA\Encryption\Users\Setup->setupUser("*** sensitive parameters replaced ***")                                                                               
                                 9. lib/private/legacy/OC_Hook.php line 110                                                                                                                      
                                    OCA\Encryption\Hooks\UserHooks->login("*** sensitive parameters replaced ***")                                                                               
                                10. lib/private/Server.php line 581                                                                                                                              
                                    OC_Hook::emit("OC_User", "post_login", "*** sensitive parameter replaced ***")                                                                               
                                11. <<closure>>                                                                                                                                                  
                                    OC\Server->OC\{closure}("*** sensitive parameters replaced ***")                                                                                             
                                12. lib/private/Hooks/EmitterTrait.php line 107                                                                                                                  
                                    call_user_func_array(                                                                                                                                        
                                      Closure {},                                                                                                                                                
                                      ["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensitive par ... "]                                                   
                                    )                                                                                                                                                            
                                13. lib/private/Hooks/PublicEmitter.php line 41                                                                                                                  
                                    OC\Hooks\BasicEmitter->emit(                                                                                                                                 
                                      "\\OC\\User",                                                                                                                                              
                                      "postLogin",                                                                                                                                               
                                      ["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensit ... "]                                                          
                                    )                                                                                                                                                            
                                14. lib/private/User/Session.php line 412                                                                                                                        
                                    OC\Hooks\PublicEmitter->emit(                                                                                                                                
                                      "\\OC\\User",                                                                                                                                              
                                      "postLogin",                                                                                                                                               
                                      ["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***","*** sensi ... "]                                                           
                                    )                                                                                                                                                            
                                15. lib/private/User/Session.php line 665                                                                                                                        
                                    OC\User\Session->completeLogin("*** sensitive parameters replaced ***")                                                                                      
                                16. lib/private/User/Session.php line 365                                                                                                                        
                                    OC\User\Session->loginWithToken("*** sensitive parameters replaced ***")                                                                                     
                                17. lib/private/User/Session.php line 462                                                                                                                        
                                    OC\User\Session->login("*** sensitive parameters replaced ***")                                                                                              
                                18. apps/dav/lib/Connector/Sabre/Auth.php line 131                                                                                                               
                                    OC\User\Session->logClientIn("*** sensitive parameters replaced ***")                                                                                        
                                19. 3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php line 103                                                                                           
                                    OCA\DAV\Connector\Sabre\Auth->validateUserPass("*** sensitive parameters replaced ***")                                                                      
                                20. apps/dav/lib/Connector/Sabre/Auth.php line 254                                                                                                               
                                    Sabre\DAV\Auth\Backend\AbstractBasic->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                   
                                21. apps/dav/lib/Connector/Sabre/Auth.php line 156                                                                                                               
                                    OCA\DAV\Connector\Sabre\Auth->auth(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                            
                                22. 3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 182                                                                                                          
                                    OCA\DAV\Connector\Sabre\Auth->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                           
                                23. 3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php line 137                                                                                                          
                                    Sabre\DAV\Auth\Plugin->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                                  
                                24. 3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89                                                                                                    
                                    Sabre\DAV\Auth\Plugin->beforeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                           
                                25. 3rdparty/sabre/dav/lib/DAV/Server.php line 456                                                                                                               
                                    Sabre\DAV\Server->emit("beforeMethod:PROPFIND", [Sabre\HTTP\Request {},Sabre\HTTP\Response {}])                                                              
                                26. 3rdparty/sabre/dav/lib/DAV/Server.php line 253                                                                                                               
                                    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})                                                                                
                                27. 3rdparty/sabre/dav/lib/DAV/Server.php line 321                                                                                                               
                                    Sabre\DAV\Server->start(                                                                                                                                     
                                                                                                                                                                                                 
                                    )                                                                                                                                                            
                                28. apps/dav/appinfo/v1/carddav.php line 103                                                                                                                     
                                    Sabre\DAV\Server->exec(                                                                                                                                      
                                                                                                                                                                                                 
                                    )                                                                                                                                                            
                                29. remote.php line 167                                                                                                                                          
                                    require_once("\/var\/www\/html\/apps\/dav\/appinfo\/v1\/carddav.php")                                                                                        
                                                         

I checked that the data directory is accessible from inside the container:

podman exec --user www-data -it nextcloud_nc_1 /bin/sh
$ cd /var/[…] # (the dir set in the config.php as datadirectory)
$ ls -la
total 14760
drwxr-x---. 1 www-data www-data      522 Jul  2 21:55 .
drwxr-xr-t. 3 root     root           56 Jul  2 22:00 ..
-rw-r--r--. 1 www-data www-data      542 Jul  2 22:00 .htaccess
[…]

Cross-posted from the Nextcloud Docker issue I’ve opened.
If anyone has any tips that would be greatly appreciated. I do have a reverse proxy in front of my Nextcloud installation.