CSRF check failed with API only

Bonjour :wave:

Traefik 2.6.3 as reverse proxy
Docker container 23.0.3 (apache)

After many configurations, in Administration > Overview : All checks passed. :+1:

But when I tried api call.

curl -u ADMIN:PASSWORD "https://DOMAIN.TLD/ocs/v2.php/cloud/users/USER" -H "OCS-APIRequest: True"

Response:

{"message":"CSRF check failed"}%

in console logs:

127.0.0.1 - USER [06/Apr/2022:14:55:42 +0000] "GET /ocs/v2.php/cloud/users/fred HTTP/1.1" 412 1619 "-" "curl/7.79.1"

I can use contact sync, calendar sync on macOS, apps on iOS without problem.

Traefik tag’s:

        "traefik.enable=true",
        "traefik.http.routers.domaintld.tls=true",
        "traefik.http.routers.domaintld.tls.certresolver=myresolver",
        "traefik.http.routers.domaintld.tls.options=mintls12@file",
        "traefik.http.routers.domaintld.entrypoints=https",
        "traefik.http.routers.domaintld.rule=Host(`domain.tld`)",

        "traefik.http.middlewares.domaintld.redirectscheme.scheme=https",
        "traefik.http.middlewares.domaintld.redirectscheme.permanent=true",
        "traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.X-Robots-Tag=none",
        "traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
        "traefik.http.middlewares.domaintld-headers.headers.frameDeny=true",
        "traefik.http.middlewares.domaintld-headers.headers.browserXssFilter=true",
        "traefik.http.middlewares.domaintld-headers.headers.contentTypeNosniff=true",
        "traefik.http.middlewares.domaintld-headers.headers.stsIncludeSubdomains=true",
        "traefik.http.middlewares.domaintld-headers.headers.stsPreload=true",
        "traefik.http.middlewares.domaintld-headers.headers.stsSeconds=31536000",
        "traefik.http.middlewares.domaintld-headers.headers.forceSTSHeader=true",
        "traefik.http.middlewares.domaintld-headers.headers.accessControlMaxAge=15552000",
        "traefik.http.middlewares.domaintld-headers.headers.customFrameOptionsValue=SAMEORIGIN",
        "traefik.http.routers.domaintld.middlewares=domaintld-headers@consulcatalog,domaintld_redirect",
        "traefik.http.middlewares.domaintld_redirect.redirectregex.permanent=true",
        "traefik.http.middlewares.domaintld_redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav",
        "traefik.http.middlewares.domaintld_redirect.redirectregex.replacement=https://${1}/remote.php/dav/"

docker env:

OVERWRITEPROTOCOL=https
NEXTCLOUD_TRUSTED_DOMAINS = domain.tld 127.0.0.1
TRUSTED_PROXIES=127.0.0.1
APACHE_DISABLE_REWRITE_IP=1

config.php:

  'overwrite.cli.url' => 'https://domain.tld',

I read lot of topic and github issue, but didn’t find any solution.

Help! :ring_buoy:

Thanks :slightly_smiling_face: