External images e.g. in Deck cards are not displayed / need help on how to set CSP

Hello all,

I have multiple nextcloud instances running on the same server. Same basics for all of them:

Nextcloud version (eg, 20.0.5): 23.0.3 (on stable, just updated them today)
Operating system and version (eg, Ubuntu 20.04): Linux 4.19.0-16-amd64 x86_64 (Debian on a shared host)
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.38
PHP version (eg, 7.4): 8.0.17

Issue

The issue came up when using the Deck app on two different nextcloud instances. In both cases, I created a card, added a description and linked an image using markdown.

  • On instance A, the image is displayed as expected.
  • On instance B, the image is not displayed at all.

Diving into this, the browser console on instance B shows a Content Security Policy error, i.e. it is simply forbidden to show images from external sites. Following this lead, https://csp-evaluator.withgoogle.com shows different CSPs for my different instances:

  • Instance A contains img-src 'self' data: blob: *; - this allows loading images from everywhere, which is what I want
  • Instance B contains img-src 'self' data: blob: https://*.tile.openstreetmap.org;, which explains why external images from other domains are not displayed (side note: on this instance, there never was any app installed that uses map data; whereas on the other instance, there is…)
  • Instance C and D both use img-src 'self' data: blob:;

Question

My take from the above is that on the same version, nextcloud instances use different CSPs. Is there a way to edit / influence them from inside nextcloud? I’ve read some forum posts about rewriting them from Apache, but this seemed to cause trouble for some people, and honestly I’m kind of curious about the underlying reason.

Can anybody point me in the right direction? Preferably some direct way and not indirect like “fiddle with the installed apps until you find some that result in the right CSP”. But if that is what it takes, at least I know…


I’ve omitted attaching all the log files, as I guess that the above is due to some static configuration within nextcloud that will not show up in any (error) logs. If necessary, I’ll be happy to provide them.

The config.php is almost the same for both instances. Instance A has mail configured and some app override.

Instance A

<?php
$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => 'CLOUD.DOMAIN_INSTANCE_A.TLD',
  ),
  'datadirectory' => '/home/www/DOMAIN_INSTANCE_A.TLD/cloud/data',
  'dbtype' => 'mysql',
  'version' => '23.0.3.2',
  'overwrite.cli.url' => 'https://CLOUD.DOMAIN_INSTANCE_A.TLD',
  'dbname' => 'XXX',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'XXX',
  'mail_domain' => 'DOMAIN_INSTANCE_A.TLD',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'XXX',
  'mail_smtpport' => '465',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'app_install_overwrite' => 
  array (
    0 => 'files_reader',
  ),
  'default_phone_region' => 'DE',
  'updater.release.channel' => 'stable',
  'updater.secret' => 'XXX',
);

Instance B

<?php
$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => 'CLOUD.DOMAIN_INSTANCE_B.TLD',
  ),
  'datadirectory' => '/home/www/DOMAIN_INSTANCE_B.TLD/cloud/data',
  'dbtype' => 'mysql',
  'version' => '23.0.3.2',
  'overwrite.cli.url' => 'https://CLOUD.DOMAIN_INSTANCE_B.TLD',
  'dbname' => 'XXX',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'default_phone_region' => 'DE',
  'updater.release.channel' => 'stable',
  'updater.secret' => 'XXX',
);
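As an added example that is not part of the original post and not Nextcloud code: a small JavaScript matcher that checks which of the three img-src policies compared above would let the browser load a given image URL. The page origin and image URLs in it are constructed, and matching is simplified CSP3 (scheme-sources, 'self', '*' and wildcard host-sources; ports and paths are ignored, since none of the quoted policies use them).

```javascript
// Added example, not Nextcloud code: a small CSP img-src matcher that answers
// "would this policy let the browser load this image URL?" for the three
// policies quoted above. Simplified CSP3 matching: scheme-sources, 'self', '*'
// and host-sources with a leading "*." wildcard; ports and paths are ignored.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return /^(https?|wss?):$/.test(url.protocol);
  // scheme-source such as data: or blob:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  // host-source: optional scheme, then a host that may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i.exec(src);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[2].toLowerCase();
  if (scheme ? url.protocol !== scheme : !/^https?:$/.test(url.protocol)) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);                 // ".tile.openstreetmap.org"
    return url.hostname.endsWith(suffix) && url.hostname !== host.slice(2);
  }
  return url.hostname === host;
}

// true if the policy lets a page served from pageOrigin load imageUrl
function imageAllowed(cspHeader, imageUrl, pageOrigin) {
  const d = parseCsp(cspHeader);
  const sources = d['img-src'] || d['default-src'];
  if (!sources) return true;                      // no directive at all: unrestricted
  const url = new URL(imageUrl);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// The three img-src values quoted in the post; origin and image URL are constructed.
const CSP_A = "img-src 'self' data: blob: *;";
const CSP_B = "img-src 'self' data: blob: https://*.tile.openstreetmap.org;";
const CSP_C = "img-src 'self' data: blob:;";
const ORIGIN = 'https://cloud.example.net';
const EXTERNAL = 'https://example.org/card.png';
console.log([CSP_A, CSP_B, CSP_C].map(p => imageAllowed(p, EXTERNAL, ORIGIN)));  // [ true, false, false ]
```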