Fresh nextcloud issue with installing apps

I just installed nextcloud according to this guide on gitlab: Alexander Brightwater / Nextcloud Docker · GitLab
I use Debian 12, docker (fpm, nginx (webserver), redis, postgres, caddy (reverse proxy))

Everything seems to work fine, but I cannot seem to install extensions via the GUI.
Trying to use OCC seems to work, but enabling extensions like suspicious login also fails with a generic error message.

This is the error from the browser console:

Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at http://<my domain>/apps/files/ because it violates the following directive: “connect-src 'self'”

Here is the webserver (nginx) log:

172.18.0.3 - - [27/Feb/2025:13:09:04 +0000] "POST /settings/apps/enable HTTP/1.1" 200 52 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0"
172.18.0.3 - - [27/Feb/2025:13:09:04 +0000] "GET /apps/files HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0"
172.18.0.3 - - [27/Feb/2025:13:09:04 +0000] "POST /settings/apps/disable HTTP/1.1" 200 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0"
172.18.0.3 - - [27/Feb/2025:13:09:04 +0000] "GET /ocs/v2.php/core/navigation/apps?format=json HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0"

Here is the nextcloud_app log:

172.18.0.5 -  27/Feb/2025:13:08:35 +0000 "PUT /ocs/v2.php" 200
172.18.0.5 -  27/Feb/2025:13:08:36 +0000 "POST /index.php" 200
172.18.0.5 -  27/Feb/2025:13:08:37 +0000 "POST /index.php" 200
172.18.0.5 -  27/Feb/2025:13:08:37 +0000 "GET /ocs/v2.php" 200

caddy, redis and postgres don't seem to generate a log entry for this action.

As far as I understand the issue is with this content security policy that is set in nginx. But I cannot see it in my nginx config (config in gitlab link above).
So I guess I might need to add something to my nginx or caddy config. But what?

I already had an extensive chat with ChatGPT, but nothing it provided helped…

Based on the history in that repo, there is active work on this matter: Commits · master · Alexander Brightwater / Nextcloud Docker · GitLab

As far as I understand the issue is with this content security policy that is set in nginx. But I cannot see it in my nginx config (config in gitlab link above).

CSP is managed by Nextcloud. It does not need to be - and should not be since it’s dynamically adjusted - in the web server config.

Hi again, yes, that's me who is working on it ^^
As far as I am understanding right now, I am not handing the information through to nextcloud that all requests always should use https. The domain that is created and shown in the error is http. But I am not understanding why…

You can force it using overwriteprotocol.

However, the real issue is likely a mixture of:

  • not having trusted_proxies configured (you can pass to the image with environment variables)
  • making sure the X-Forwarded-Proto header comes through as https

The server protocol is determined using this order of preference in Nextcloud:

  • overwriteprotocol value
  • X-Forwarded-Proto header value (if sent from an RP listed in trusted_proxies)
  • the HTTPS server environment variable

Unrelated, but your nginx configuration is missing the immutable cache handling. See Installation: Nginx in the Nextcloud Admin Manual.

But I am setting overwriteprotocol, trusted_proxies and X-Forwarded-Proto in my configs. If you take a look at the configs in the repo, I have set them all up. trusted_proxies has the exact IP of the caddy server, overwriteprotocol is set to https and the X-Forwarded-Proto is also set in the caddy config… I really don't understand why all of it is ignored. My best guess would be a typo, but I checked the files multiple times and couldn't find anything.

Can you post the output of occ config:list system from inside your running nextcloud container?

Of course. Here it is:

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.0.18",
        "overwrite.cli.url": "https:\/\/<my domain>",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.cb-deb03.awooo.cc"
        ],
        "default_phone_region": "US",
        "overwriteprotocol": "https",
        "overwritehost": "<my domain>",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 1,
        "overwritecondaddr": "^172\\.18\\.0\\.\\d+$",
        "maintenance": false,
        "app_install_overwrite": []
    }
}

And here is the config.php directly:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis',
    'password' => '<redacted>',
    'port' => 6379,
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => '<redacted>',
  'secret' => '<redacted>',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '31.0.0.18',
  'overwrite.cli.url' => 'https://<my domain>',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => '<redacted>',
  'installed' => true,
  'instanceid' => '<redacted>',
  'trusted_domains' => 
  array (
    0 => '<my domain>',
  ),
  'default_phone_region' => 'US',
  'overwriteprotocol' => 'https',
  'overwritehost' => '<my domain>',
  'trusted_proxies' => ['172.18.0.3'],
  'maintenance_window_start' => 1,
  'overwritecondaddr' => '^172\.18\.0\.\d+$',
  'maintenance' => false,
  'app_install_overwrite' => 
  array (
  ),
);

@jtr
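
The order of preference listed earlier in the thread, modelled in Python with the values from the config.php posted above. This is an added example, not part of the thread and not Nextcloud's own code. The gating of overwriteprotocol by overwritecondaddr is an assumption taken from the Nextcloud config documentation, and the two request dictionaries are constructed.

```python
import ipaddress
import re

def from_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr matches a trusted_proxies entry (single IP or CIDR)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # ignore malformed entries
    return False

def server_protocol(config, server):
    """Return (protocol, deciding_rule) for one request, in the thread's order."""
    remote = server.get("REMOTE_ADDR", "")
    # 1. overwriteprotocol; applied only if REMOTE_ADDR matches overwritecondaddr
    #    when that option is set (assumption taken from the config documentation).
    overwrite = config.get("overwriteprotocol", "")
    cond = config.get("overwritecondaddr", "")
    if overwrite and (not cond or re.search(cond, remote)):
        return overwrite, "overwriteprotocol"
    # 2. X-Forwarded-Proto, honoured only when the sender is a trusted proxy.
    xfp = server.get("HTTP_X_FORWARDED_PROTO")
    if xfp is not None and from_trusted_proxy(remote, config.get("trusted_proxies", [])):
        proto = "https" if xfp.strip().lower() == "https" else "http"
        return proto, "X-Forwarded-Proto"
    # 3. The HTTPS server environment variable.
    if server.get("HTTPS", "") not in ("", "off"):
        return "https", "HTTPS"
    return "http", "default"

# Values copied from the config.php posted above.
CONFIG = {
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^172\.18\.0\.\d+$",
    "trusted_proxies": ["172.18.0.3"],
}
# Constructed requests as PHP would see them in $_SERVER (not captured traffic).
VIA_PROXY = {"REMOTE_ADDR": "172.18.0.3", "HTTP_X_FORWARDED_PROTO": "https"}
OTHER_PEER = {"REMOTE_ADDR": "10.0.0.7", "HTTP_X_FORWARDED_PROTO": "https"}

if __name__ == "__main__":
    for name, req in (("via proxy", VIA_PROXY), ("other peer", OTHER_PEER)):
        print(name, server_protocol(CONFIG, req))
```

The second element of the result names the rule that decided the protocol, which is the thing to compare against what the running instance actually generates.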