Broken login w/ AWS API gateway as reverse proxy

I’m trying to get Nextcloud running behind AWS API Gateway acting as a reverse proxy. The API Gateway is terminating https://demo.xxxx.com and forwarding to a Lambda function that transparently forwards to http://xx.xx.xx.xx/nextcloud, my Nextcloud instance running on an EC2 instance inside a VPC.

Everything works when accessing the Nextcloud instance directly. However, when accessing via browser through the gateway, I can get the Nextcloud login page and enter my credentials, but the credentials are rejected and I end up back at the login page.

The one difference I see in the browser web console is that without the API gateway the cookie

nc_sameSiteCookieStrict = True

is always returned. With the API gateway that cookie is not returned.

I played around with the CORS config on the API Gateway to return the following headers to see if I could get the browser to return the nc_sameSiteCookieStrict, but that did nothing either.

access-control-allow-methods: GET, POST, OPTIONS, HEAD, PUT, DELETE, PATCH, PROPFIND
access-control-allow-headers: Authorization, Token, Content-Type, *
access-control-allow-origin: https://demo.xxxx.com

I’ve been banging my head on this for four days :cold_face:. Thank you in advance for any help or suggestions :pray:.

–Rob

Nextcloud config

<?php
$CONFIG = array (
  'debug' => true,
  'instanceid' => 'xxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxx',
  'secret' => 'xxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'nn.nn.nn.nn',   // <------ Nextcloud server IP
    1 => 'demo.xxxx.com', // <----- custom domain on API gateway
    2 => 'localhost',
  ),
  'trusted_proxies' =>    // <----- There is no set IP address for the gateway,
  array (                 //        so I put a bunch of IPs DNS returns to see if it made a difference,
   0 => '13.57.0.0/16',   //        and it did not.
   1 => '54.0.0.0/8',
   2 => '13.57.99.202',
   3 => '54.215.123.27',
   4 => '54.241.185.0',
   5 => '52.52.202.58',
   6 => 'd-0rxxxf4j.execute-api.us-west-1.amazonaws.com', // <---- Tried entering name of API gateway to no avail.
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'sqlite3',
  'version' => '20.0.4.0',
  'installed' => true,
  'has_internet_connection' => true,
  'logtimezone' => 'America/Los_Angeles',
  'overwrite.cli.url' => 'https://demo.xxxx.com/nextcloud',
  'overwritehost' => 'demo.xxxx.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/nextcloud',
);

.htaccess file is

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

# <----- Commenting out the lines below seemed to make no difference
#ErrorDocument 403 /nextcloud/
#ErrorDocument 404 /nextcloud/
#<IfModule mod_rewrite.c>
  #Options -MultiViews
  #RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  #RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  #RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav)$
  #RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  #RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  #RewriteCond %{REQUEST_FILENAME} !/remote.php
  #RewriteCond %{REQUEST_FILENAME} !/public.php
  #RewriteCond %{REQUEST_FILENAME} !/cron.php
  #RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  #RewriteCond %{REQUEST_FILENAME} !/status.php
  #RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  #RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  #RewriteCond %{REQUEST_FILENAME} !/robots.txt
  #RewriteCond %{REQUEST_FILENAME} !/updater/
  #RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  #RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  #RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  #RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  #RewriteRule . index.php [PT,E=PATH_INFO:$1]
  #RewriteBase /nextcloud
  #<IfModule mod_env.c>
  #  SetEnv front_controller_active true
  #  <IfModule mod_dir.c>
  #    DirectorySlash off
  #  </IfModule>
  #</IfModule>
#</IfModule>

Tried access from different platforms. Nothing much in the access_log:

[ec2-user@ip-172-31-25-57 ~]$ sudo tail /var/log/httpd/access_log
54.153.26.252 - - [11/May/2021:01:30:48 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 121 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
98.35.161.105 - - [11/May/2021:01:40:33 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
54.241.233.150 - - [11/May/2021:01:41:46 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
54.241.233.150 - - [11/May/2021:01:42:33 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
54.241.233.150 - - [11/May/2021:01:42:48 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
5.226.101.190 - - [11/May/2021:01:52:15 +0000] "GET / HTTP/1.1" 403 3985 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
98.35.161.105 - - [11/May/2021:01:52:33 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
3.101.102.241 - - [11/May/2021:01:53:46 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 123 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
3.101.102.241 - - [11/May/2021:01:54:33 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
3.101.102.241 - - [11/May/2021:01:54:48 +0000] "GET /nextcloud/index.php/csrftoken HTTP/1.1" 200 122 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

Not much in error_log either:

[ec2-user@ip-172-31-25-57 ~]$ sudo tail -20 /var/log/httpd/error_log
[Tue May 11 01:54:33.238022 2021] [proxy:debug] [pid 1634:tid 140660322211584] proxy_util.c(2402): [client 3.101.102.241:56486] AH02545: fcgi: has determined UDS as /run/php-fpm/www.sock
[Tue May 11 01:54:33.238123 2021] [proxy:debug] [pid 1634:tid 140660322211584] proxy_util.c(2574): [client 3.101.102.241:56486] AH00947: connected /var/www/html/nextcloud/index.php to httpd-UDS:0
[Tue May 11 01:54:33.238159 2021] [proxy:debug] [pid 1634:tid 140660322211584] proxy_util.c(2945): AH02823: FCGI: connection established with Unix domain socket /run/php-fpm/www.sock (*)
[Tue May 11 01:54:33.238238 2021] [authz_core:debug] [pid 1634:tid 140660322211584] mod_authz_core.c(820): [client 3.101.102.241:56486] AH01626: authorization result of Require all granted: granted
[Tue May 11 01:54:33.238246 2021] [authz_core:debug] [pid 1634:tid 140660322211584] mod_authz_core.c(820): [client 3.101.102.241:56486] AH01626: authorization result of <RequireAny>: granted
[Tue May 11 01:54:33.272950 2021] [proxy:debug] [pid 1634:tid 140660322211584] proxy_util.c(2327): AH00943: FCGI: has released connection for (*)
[Tue May 11 01:54:48.148747 2021] [authz_core:debug] [pid 1634:tid 140660178908928] mod_authz_core.c(820): [client 3.101.102.241:56490] AH01626: authorization result of Require all granted: granted
[Tue May 11 01:54:48.148775 2021] [authz_core:debug] [pid 1634:tid 140660178908928] mod_authz_core.c(820): [client 3.101.102.241:56490] AH01626: authorization result of <RequireAny>: granted
[Tue May 11 01:54:48.148802 2021] [proxy:debug] [pid 1634:tid 140660178908928] mod_proxy.c(1255): [client 3.101.102.241:56490] AH01143: Running scheme unix handler (attempt 0)


Nextcloud version (eg, 20.0.5): 20.0.4
Operating system and version (eg, Ubuntu 20.04): Centos
Apache or nginx version (eg, Apache 2.4.25): Apache
PHP version (eg, 7.4): ?
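Added example, not part of Rob's post and not Nextcloud's or AWS's own code. The post does not show the Lambda that forwards to the EC2 instance, so this assumes a REST API with Lambda proxy integration and a handler that builds the gateway response from the backend reply. Nextcloud sends several Set-Cookie headers on the login page (the sample headers below are constructed, not captured from the author's server); a response that carries headers in a plain `headers` map can hold only one value per name, so all but one Set-Cookie line are dropped, which is one way nc_sameSiteCookieStrict can go missing behind the gateway. Returning repeated headers in `multiValueHeaders` keeps them. `fetch_upstream`, `lambda_handler` and `UPSTREAM_HOST_PLACEHOLDER` are hypothetical names used here for illustration.

```python
import http.client

# Constructed sample of an upstream Nextcloud login-page reply (not captured
# from the author's server): single-valued headers plus the several
# Set-Cookie lines Nextcloud emits, nc_sameSiteCookiestrict among them.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Length", "18"),
    ("Set-Cookie", "oc_sessionPassphrase=abc123; path=/nextcloud; secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "nc_sameSiteCookielax=true; path=/nextcloud; httponly; secure; SameSite=lax"),
    ("Set-Cookie", "nc_sameSiteCookiestrict=true; path=/nextcloud; httponly; secure; SameSite=strict"),
]
SAMPLE_BODY = "<html>login</html>"


def naive_response(status, raw_headers, body):
    """Lossy conversion: a dict keeps one value per header name, so every
    Set-Cookie after the first overwrites the one before it."""
    headers = {}
    for name, value in raw_headers:
        headers[name] = value
    return {"statusCode": status, "headers": headers, "body": body}


def proxy_response(status, raw_headers, body):
    """Keep repeated headers. API Gateway (REST API, Lambda proxy integration)
    emits each list entry of multiValueHeaders as its own header line, so all
    Set-Cookie values reach the browser."""
    grouped = {}
    for name, value in raw_headers:
        grouped.setdefault(name, []).append(value)
    # Headers that occur once go in the plain map; Set-Cookie always goes in
    # the multi-value map, even when the backend happened to send just one.
    single = {n: v[0] for n, v in grouped.items()
              if len(v) == 1 and n.lower() != "set-cookie"}
    multi = {n: v for n, v in grouped.items() if n not in single}
    return {"statusCode": status, "headers": single,
            "multiValueHeaders": multi, "body": body}


def set_cookie_count(response):
    """Number of Set-Cookie values the browser would actually receive from
    a Lambda proxy response in either shape."""
    count = sum(1 for n in response.get("headers", {}) if n.lower() == "set-cookie")
    for n, values in response.get("multiValueHeaders", {}).items():
        if n.lower() == "set-cookie":
            count += len(values)
    return count


def fetch_upstream(host, path):
    """Hypothetical helper: plain HTTP GET against the backend. getheaders()
    returns a list of (name, value) pairs and keeps duplicate names."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    headers = resp.getheaders()
    conn.close()
    return resp.status, headers, body


def lambda_handler(event, context):
    """Hypothetical handler shape; UPSTREAM_HOST_PLACEHOLDER stands in for
    the private address of the Nextcloud instance."""
    status, headers, body = fetch_upstream("UPSTREAM_HOST_PLACEHOLDER",
                                           event.get("path", "/nextcloud/"))
    return proxy_response(status, headers, body)
```

A quick way to check which shape a deployment produces is to compare `set_cookie_count(naive_response(...))` with `set_cookie_count(proxy_response(...))` on a captured backend reply: the lossy form yields one cookie, the multi-value form yields all of them. The cookie `path=/nextcloud` in the backend reply also has to match the path the browser uses on the gateway side, otherwise the browser stores the cookie but never sends it back.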