CSP errors preventing login and app installation (yet again)

TL;DR: internal app requests are not being rewritten to https, violating CSP, despite overwrite* settings being set.

I’m using the versions of nextcloud (30.x.x) with the php-fpm and nginx config from the nextcloud docker compose example. My router is running Caddy and is the reverse proxy. I access nc successfully through https://cloud.mydomain.com

Except

I have problems with form login as well as web ui app management (occ app:enable works)

Dev console gives a CSP error, which is understandable, as the internal links to /apps etc. are prepended with http:// instead of https://, which violates the ‘self’ restriction in the Content-Security-Policy.

How do I fix?

OVERWRITE* env vars are set (and propagate) but make no difference.

I have tried un-setting and re-setting the CSP headers in the nginx configuration as a hack/workaround. This kinda works — I can see the headers being changed; but the “self” restriction still remains.

docker exec -it --user www-data nextcloud_app php occ config:list system
{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "10.10.10.10:8080",
            "cloud.andersens.xyz"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.2.1",
        "overwrite.cli.url": "https:\/\/cloud.andersens.xyz",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "maintenance": false,
        "overwritehost": "https:\/\/cloud.andersens.xyz"
    }
}

So I “fixed” the CSP header by disabling it in caddy.

Not home rn, but caddy settings are something like

header_down -Content-Security-Policy

But issues persist — I now get mixed content errors because the server still serves some http assets.

This value should not be a URL. It should just be the hostname.

Thanks, fixed.

Still have the https/http mixup though :thinking:

Oh hey, tried Edge at work, and it works — https all around. Some cache shenanigans in my home Edge maybe?

Huh, home Edge is still weird:

Mixed Content: The page at 'https://cloud.andersens.xyz/settings/apps/disabled' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://cloud.andersens.xyz/apps/files/'. This request has been blocked; the content must be served over HTTPS.

But an InPrivate test run at home works as expected. Will try a complete cache purge of Nextcloud related things.

Yep, a browser data clearout fixed things.

Now to dismantle my CSP hacks.

Oops. Spoke too soon. Still have CSP errors when enabling apps (which actually are mixed content errors due to the call for app install being set as http).

Console error from work Edge:

Refused to connect to 'http://cloud.andersens.xyz/apps/files/' because it violates the following Content Security Policy directive: "connect-src 'self'".

“Self” is https://cloud.andersens.xyz
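Two things in this thread are worth checking mechanically: the `overwritehost` mistake spotted above (a full URL where Nextcloud expects a bare host) and the console error that follows, which is just CSP `'self'` doing its job, since `'self'` matches scheme, host and port of the page, so an `http://` request from an `https://` page can never match. The following is an added example, not code from the thread or from Nextcloud: it loads a constructed subset of the `occ config:list system` output above (with the original `overwritehost` mistake), flags the overwrite* settings that are malformed, and applies the CSP3 `'self'` matching rule to a page/request URL pair. The function names and the sample JSON are assumptions made for the example; the hostnames are the ones already in the thread.

```python
"""Sanity checks for Nextcloud reverse-proxy settings and CSP 'self' matching.

Added example for the thread above; not Nextcloud's own code. The rules for the
overwrite* keys follow Nextcloud's config.sample.php documentation:
  - overwritehost       host[:port] only, no scheme and no path
  - overwriteprotocol   'http' or 'https'
  - overwrite.cli.url   a full URL, whose host should be a trusted domain
"""
import json
from urllib.parse import urlsplit

# Constructed sample: a subset of the poster's redacted occ output, still
# containing the mistake the thread identified (overwritehost set to a URL).
SAMPLE_OCC_OUTPUT = """{
  "system": {
    "trusted_domains": ["localhost", "10.10.10.10:8080", "cloud.andersens.xyz"],
    "overwrite.cli.url": "https://cloud.andersens.xyz",
    "overwriteprotocol": "https",
    "overwritehost": "https://cloud.andersens.xyz"
  }
}"""


def check_overwrite_settings(occ_json: str) -> list[str]:
    """Return a list of human-readable problems with the overwrite* keys."""
    system = json.loads(occ_json)["system"]
    problems: list[str] = []

    host = system.get("overwritehost")
    if host is not None and ("://" in host or "/" in host):
        problems.append(
            f"overwritehost must be a bare hostname, got URL-like value {host!r}")

    proto = system.get("overwriteprotocol")
    if proto is not None and proto not in ("http", "https"):
        problems.append(f"overwriteprotocol must be http or https, got {proto!r}")

    cli = system.get("overwrite.cli.url")
    if cli is not None:
        parts = urlsplit(cli)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"overwrite.cli.url must be a full URL, got {cli!r}")
        elif parts.netloc not in system.get("trusted_domains", []):
            problems.append(
                f"host {parts.netloc!r} of overwrite.cli.url is not in trusted_domains")
    return problems


# CSP3 'self': same host; scheme equal, or the page's scheme may be upgraded
# (http page -> https/wss request); ports equal, or both the default for their
# scheme. An https page can therefore never satisfy 'self' with an http URL.
_DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}
_ALLOWED_SCHEMES = {
    "http": {"http", "https", "ws", "wss"},
    "https": {"https", "wss"},
}


def csp_self_allows(page_url: str, request_url: str) -> bool:
    """True if request_url would match the CSP source expression 'self'
    for a document loaded from page_url."""
    p, r = urlsplit(page_url), urlsplit(request_url)
    if r.scheme not in _ALLOWED_SCHEMES.get(p.scheme, set()):
        return False
    if p.hostname != r.hostname:
        return False
    p_port = p.port if p.port is not None else _DEFAULT_PORT.get(p.scheme)
    r_port = r.port if r.port is not None else _DEFAULT_PORT.get(r.scheme)
    if p_port == r_port:
        return True
    return p_port == _DEFAULT_PORT.get(p.scheme) and r_port == _DEFAULT_PORT.get(r.scheme)


def explain_block(page_url: str, request_url: str) -> str:
    """One-line explanation matching what the browser console reports."""
    if csp_self_allows(page_url, request_url):
        return "allowed by 'self'"
    p, r = urlsplit(page_url), urlsplit(request_url)
    if p.scheme == "https" and r.scheme == "http":
        return "blocked: http request from https page (mixed content, and not 'self')"
    return "blocked: not the same origin as the page ('self')"


if __name__ == "__main__":
    for problem in check_overwrite_settings(SAMPLE_OCC_OUTPUT):
        print("config:", problem)
    print(explain_block("https://cloud.andersens.xyz/settings/apps/disabled",
                        "http://cloud.andersens.xyz/apps/files/"))
```

Running it against the sample reports the `overwritehost` problem and reproduces the verdict behind the console error: the request to `http://cloud.andersens.xyz/apps/files/` is rejected because `'self'` is the https origin, so the fix has to be on the server side (correct `overwritehost`/`overwriteprotocol`, plus a clean browser cache), not in the CSP header.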