Infinite Login Redirect

I’m running nextcloud in a home kubernetes cluster and ran into a significant issue yesterday. For a few reasons I had to re-build the cluster. When I re-applied my config for nextcloud (working for a year or so without issue) I’m now getting an infinite redirect on login.

If I go to https://mydomain/nextcloud/login I receive a 302 to https://mydomain/nextcloud/login (curl snip below). I tried a direct connect to the pod that runs nextcloud to make sure it wasn’t my reverse proxy. When I did I got a non-trusted domain message. After adding the IP to the trusted domain array in the config file, it no longer threw that message and instead went into the same 302 redirect loop.

Any help would be appreciated.

A few relevant sections of my config file:
$CONFIG = array (
  'overwritewebroot' => '/nextcloud',
  'htaccess.RewriteBase' => '/nextcloud',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'www.mydomain.com',
  'trusted_proxies' =>
  array (
    0 => '172.16.1.70',
  ),
  'trusted_domains' =>
  array (
    0 => 'www.mydomain.com',
    1 => '172.16.1.70',
    2 => '172.16.1.78',
  ),

When trying the direct IP access (172.16.1.78) I had the overwrite settings off to make sure that wasn’t causing the issue. No change though.

Curl through reverse proxy to https://www.mydomain.com/nextcloud/login:

* About to connect() to www.mydomain.com port 443 (#0)
*   Trying 172.16.1.70...
* Connected to www.mydomain.com (172.16.1.70) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.mydomain.com
*       start date: Mar 28 21:31:44 2021 GMT
*       expire date: Jun 26 21:31:44 2021 GMT
*       common name: www.mydomain.com
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET /nextcloud/login HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.mydomain.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 29 Mar 2021 10:13:04 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=.....SNIP........; path=/nextcloud; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocitex2d9bm2=.....SNIP........; path=/nextcloud; secure; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-.....SNIP........='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Location: https://www.mydomain.com/nextcloud/login
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=15724800; includeSubDomains

curl to direct IP (with hostname overwrite set as the IP) using http:

* About to connect() to 172.16.1.78 port 80 (#0)
*   Trying 172.16.1.78...
* Connected to 172.16.1.78 (172.16.1.78) port 80 (#0)
> GET /nextcloud/login HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.16.1.78
> Accept: */*
>

< HTTP/1.1 302 Found
< Server: nginx/1.19.8
< Date: Mon, 29 Mar 2021 10:15:46 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=…snip…; path=/nextcloud; HttpOnly; SameSite=Lax
< Set-Cookie: ocitex2d9bm2=…snip…; path=/nextcloud; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…snip…'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Location: http://172.16.1.78/nextcloud/login
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block

nextcloud log for the request:

[nextcloud-5cf6fc9bcf-b5b8x nextcloud] 127.0.0.1 - 29/Mar/2021:06:15:46 -0400 "GET /index.php" 302

nginx log for the request:

[nextcloud-5cf6fc9bcf-b5b8x nginx] 10.244.1.0 - - [29/Mar/2021:10:15:46 +0000] "GET /nextcloud/login HTTP/1.1" 302 5 "-" "curl/7.29.0" "-"

Same log message whether I connect directly or through the proxy.

Nextcloud version: nextcloud:fpm 21.0.0
Operating system and version: Docker on Centos 7
Apache or nginx version: nginx 1.19.8
PHP version: Whatever is in the docker container
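The curl transcripts above each stop after a single response, so they show one 302 but not how the chain behaves over several hops. The following is an added diagnostic, not code from the post or from Nextcloud: it follows Location headers one request at a time, never blindly like `curl -L`, records every hop, and reports `loop` as soon as a URL repeats or `too_many` when the hop budget runs out. To keep it runnable offline it also starts a small constructed local server that mimics the symptom described here (`/nextcloud/login` redirecting to itself) alongside a normal one-hop redirect; the server, its paths and the `redirect-trace` User-Agent are assumptions for the demo, and `trace_redirects` can be pointed at a real URL instead.

```python
"""Trace an HTTP redirect chain hop by hop and tell a loop from a normal redirect.
Added diagnostic example; not part of the forum post and not Nextcloud's code."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_once(url, extra_headers=None, timeout=5):
    """Issue exactly one GET without following redirects.

    Returns (status, location) where location is the raw Location header
    (or None). Only the headers needed for the trace are kept."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    headers = {"Host": p.netloc, "User-Agent": "redirect-trace/1.0", "Accept": "*/*"}
    headers.update(extra_headers or {})  # e.g. a Cookie header to reproduce a logged-in state
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, max_hops=10, extra_headers=None):
    """Follow Location headers manually.

    Returns (hops, verdict): hops is a list of (requested_url, status, location);
    verdict is 'ok' (chain ended in a non-redirect), 'loop' (a URL repeated,
    which is what an infinite login redirect looks like) or 'too_many'."""
    hops, seen = [], set()
    for _ in range(max_hops):
        seen.add(url)
        status, location = fetch_once(url, extra_headers)
        hops.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops, "ok"
        url = urljoin(url, location)  # resolve relative Location values
        if url in seen:
            return hops, "loop"
    return hops, "too_many"


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the misbehaving instance (assumption, for the demo):
    /nextcloud/login 302s to itself, /old 302s to /new, everything else is 200."""

    def do_GET(self):
        if self.path == "/nextcloud/login":
            self._redirect(f"http://{self.headers['Host']}/nextcloud/login")
        elif self.path == "/old":
            self._redirect("/new")
        else:
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed demo server on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    for target in (f"{base}/nextcloud/login", f"{base}/old"):
        hops, verdict = trace_redirects(target)
        print(verdict)
        for requested, status, location in hops:
            print(f"  {status} {requested} -> {location}")
    srv.shutdown()
```

Against a real instance, run it once directly against the pod and once through the reverse proxy, as the post does with curl: if the direct request already loops, the proxy and the `overwrite*` settings are not the cause; if only the proxied request loops, the proxy headers and `trusted_proxies` are the first thing to compare.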