### ⚠️ This issue respects the following points: ⚠️
- [X] This is a **bug**, not a question or a configuration/webserver/proxy issue.
- [X] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_.
- [X] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions.
- [X] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/).
### Bug description
Since I upgraded a cloud from v27.1.3 to v28.0.4, I can't enable / disable any of the apps in the cloud.
Every attempt shows me this error msg:
"This app cannot be enabled because it makes the server unstable"
### Steps to reproduce
1. Go to apps page
2. Enable / disable any of the apps
### Expected behavior
Apps are activated / deactivated.
### Installation method
Community Manual installation with Archive
### Nextcloud Server version
28
### Operating system
Debian/Ubuntu
### PHP engine version
PHP 8.1
### Web server
Nginx
### Database engine version
MariaDB
### Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
### Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
### What user-backends are you using?
- [X] Default user-backend _(database)_
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
### Configuration report
```shell
{
"system": {
"trusted_domains": [
"cloud.yyyyy.be",
"cloud.yyyyy2.be"
],
"activity_expire_days": 30,
"appstoreenabled": true,
"appstore.experimental.enabled": false,
"auth.bruteforce.protection.enabled": true,
"default_phone_region": "be",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"data-fingerprint": "",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"dbtableprefix": "",
"dbtype": "mysql",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"default_language": "fr",
"hashingCost": 10,
"htaccess.RewriteBase": "\/",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"integrity.check.disabled": true,
"localstorage.allowsymlinks": true,
"logfile": "\/var\/log\/nextcloud\/yyyyy.log",
"loglevel": 2,
"logtimezone": "Europe\/Brussels",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "sendmail",
"maintenance": false,
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0,
"dbindex": 1,
"timeout": 1.5
},
"minimum.supported.desktop.version": "2.1.0",
"mysql.utf8mb4": true,
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"preview_libreoffice_path": "\/usr\/bin\/libreoffice",
"preview_max_filesize_image": 10,
"secret": "***REMOVED SENSITIVE VALUE***",
"simpleSignUpLink.shown": false,
"trashbin_retention_obligation": "auto, 30",
"updatechecker": true,
"upgrade.disable-web": true,
"version": "28.0.4.1",
"versions_retention_obligation": "auto, 90",
"overwrite.cli.url": "https:\/\/cloud.yyyyy.be\/",
"theme": "",
"mail_sendmailmode": "smtp",
"maintenance_window_start": 2,
"app_install_overwrite": [
"bbb"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***"
}
}
```
### List of activated Apps
```shell
Enabled:
- activity: 2.20.0
- appointments: 2.0.4
- bookmarks: 13.1.3
- calendar: 4.6.7
- cloud_federation_api: 1.11.0
- comments: 1.18.0
- contacts: 5.5.3
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- files: 2.0.0
- files_accesscontrol: 1.18.0
- files_automatedtagging: 1.18.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- forms: 4.1.1
- impersonate: 1.15.0
- lookup_server_connector: 1.16.0
- notifications: 2.16.0
- oauth2: 1.16.3
- ownpad: 0.10.0
- password_policy: 1.18.0
- photos: 2.4.0
- polls: 7.0.2
- privacy: 1.12.0
- provisioning_api: 1.18.0
- related_resources: 1.3.0
- richdocuments: 8.3.3
- settings: 1.10.1
- sharebymail: 1.18.0
- socialsharing_email: 3.1.0
- systemtags: 1.18.0
- text: 3.9.1
- theming: 2.3.0
- timetracker: 0.0.82
- twofactor_backupcodes: 1.17.0
- user_status: 1.8.1
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled:
- admin_audit: 1.18.0 (installed 1.13.0)
- bbb: 2.5.0 (installed 2.5.0)
- bruteforcesettings: 2.8.0 (installed 2.4.0)
- circles: 28.0.0 (installed 22.1.1)
- contactsinteraction: 1.9.0 (installed 1.3.0)
- dashboard: 7.8.0 (installed 7.0.0)
- encryption: 2.16.0
- federation: 1.18.0 (installed 1.13.0)
- files_external: 1.20.0 (installed 1.15.0)
- files_markdown: 2.4.1 (installed 2.4.1)
- files_rightclick: 1.6.0 (installed 1.6.0)
- firstrunwizard: 2.17.0 (installed 2.1)
- keeweb: 0.6.17 (installed 0.6.17)
- logreader: 2.13.0 (installed 2.0.0)
- nextcloud_announcements: 1.17.0 (installed 1.16.0)
- onlyoffice: 9.0.0 (installed 9.0.0)
- recommendations: 2.0.0 (installed 1.1.0)
- serverinfo: 1.18.0 (installed 1.18.0)
- support: 1.11.1 (installed 1.5.0)
- survey_client: 1.16.0 (installed 1.11.0)
- suspicious_login: 6.0.0
- twofactor_totp: 10.0.0-beta.2
- updatenotification: 1.18.0 (installed 1.1.1)
- user_ldap: 1.19.0 (installed 1.15.0)
- weather_status: 1.8.0 (installed 1.2.0)
```
### Nextcloud Signing status
```shell
No errors have been found.
```
### Nextcloud Logs
```shell
Nothing in Nextcloud log with loglevel to 0
```
### Additional info
I upgraded other clouds on another server from v27.1.3 to v28.0.4 and there, no problem to enable / disable the apps.
Server has the same configuration as the one with the problems (Debian / php / mariadb / nginx).
The only thing (I see) that is different, is the Haproxy I'm using in front of Nginx on the server with the problems.
The Nginx log shows the POST request to enable the app and gives a 200 return code:
```
1.2.3.4 - - [05/Apr/2024:15:58:51 +0200] "POST /settings/apps/enable HTTP/2.0" 200 52 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0" "-" "cloud.yyyyy.be"
```
In the Firefox console, I have this error each time I try to enable / disable an app:
```
Content-Security-Policy : Les paramètres de la page ont empêché le chargement d’une ressource à https://cloud.yyyyy.be:4431/apps/files/ (« connect-src »).
```
My haproxy config is using the tcp mode, so https is managed by Nginx:
```
frontend https_in
bind *:443
mode tcp
option tcplog
tcp-request connection track-sc0 src table gatekeeper
acl uncivilized src_conn_rate(gatekeeper) ge 600
acl uncivilized src_conn_cur(gatekeeper) ge 400
acl triggerban src_inc_gpc0(gatekeeper) gt 0
acl banned src_get_gpc0(gatekeeper) gt 0
tcp-request connection silent-drop if uncivilized triggerban
tcp-request connection silent-drop if banned
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl bon_domaine req.ssl_sni,map_dom(/etc/haproxy/routes.map) -m found
acl ip_test src -f /etc/haproxy/ip_test.lst
tcp-request content reject if !ip_test !bon_domaine
use_backend https_test if ip_test
use_backend %[req.ssl_sni,map(/etc/haproxy/routes.map)]
backend https_test
mode tcp
option ssl-hello-chk
server Cloud2 lan.cloud2:4431 send-proxy check inter 4s downinter 4s fall 2 rise 2 fastinter 2 slowstart 30s weight 100
backend https_srv_1
mode tcp
option ssl-hello-chk
server Cloud1 lan.cloud1:4431 send-proxy check inter 4s downinter 4s fall 2 rise 2 fastinter 2 slowstart 30s weight 100
backend https_srv_2
mode tcp
option ssl-hello-chk
server Cloud2 lan.cloud2:4431 send-proxy check inter 4s downinter 4s fall 2 rise 2 fastinter 2 slowstart 30s weight 100
```
The content of the file routes.map is:
```
# DomainName BackendName
cloud.aaaaa.be https_srv_1
ncloud.bbbbb.be https_srv_2
...
```
My Nginx config is very much like the one from the doc (https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html):
```
server {
server_name cloud.yyyyy.be;
include /etc/nginx/sites-available/conf_communes_clouds_ssl.conf;
ssl_certificate /etc/letsencrypt/live/cloud.yyyyy.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.yyyyy.be/privkey.pem;
root /srv/nextcloud/instances/yyyyy/;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 10G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
client_body_buffer_size 512k;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
include mime.types;
types {
# text/javascript mjs; # already present in mime.types
application/wasm wasm;
}
index index.php index.html /index.php$request_uri;
access_log /var/log/nginx/access.log ndd_inclus;
error_log /var/log/nginx/error.log;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 $scheme://$host/remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
# Added Strict-Transport-Security here, otherwise Nextcloud did not receive it
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
#fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler-8.1;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
```
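Added example, not part of the original report or of Nextcloud's code: a simplified version of the CSP Level 3 `'self'` match, applied to the blocked URL from the Firefox console message above. It assumes the page's `connect-src` is `'self'` and that the apps page was loaded from `https://cloud.yyyyy.be/settings/apps` on port 443 (the haproxy frontend bind); the page path and the function names are constructed for illustration.

```javascript
// Simplified CSP Level 3 matching of a request URL against the 'self' source.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// URL.port is "" when the port is the scheme default; make it explicit.
function effectivePort(u) {
  return u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
}

// Returns { allowed, reason } for one request made by a page at pageUrl.
function matchSelf(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  if (page.origin === req.origin) return { allowed: true, reason: "same origin" };
  if (page.hostname !== req.hostname) {
    return { allowed: false, reason: `host ${req.hostname} != ${page.hostname}` };
  }
  // Ports must be equal, or both be the default port of their own scheme.
  const bothDefault = page.port === "" && req.port === "";
  if (effectivePort(page) !== effectivePort(req) && !bothDefault) {
    return { allowed: false, reason: `port ${effectivePort(req)} != ${effectivePort(page)}` };
  }
  // Scheme may differ only as an upgrade to https/wss, or http page -> http/ws.
  const secure = req.protocol === "https:" || req.protocol === "wss:";
  const plain = page.protocol === "http:" && ["http:", "ws:"].includes(req.protocol);
  return secure || plain
    ? { allowed: true, reason: "same host and port, permitted scheme" }
    : { allowed: false, reason: `scheme ${req.protocol} not permitted from ${page.protocol}` };
}

// Constructed page URL: host from the report, path assumed.
const PAGE = "https://cloud.yyyyy.be/settings/apps";

// Evaluate a list of request URLs as connect-src 'self' would.
function checkConnectSrcSelf(pageUrl, requests) {
  return requests.map((url) => ({ url, ...matchSelf(pageUrl, url) }));
}

const results = checkConnectSrcSelf(PAGE, [
  "https://cloud.yyyyy.be:4431/apps/files/", // blocked URL from the console message
  "/apps/files/",                            // relative URL: resolves to port 443
  "https://cloud.yyyyy.be:443/apps/files/",  // explicit default port
  "https://cloud.yyyyy2.be/apps/files/",     // other trusted domain, different host
]);
for (const r of results) console.log(r.allowed ? "ALLOW" : "BLOCK", r.url, "-", r.reason);
```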