Install with docker-compose and front apache => violates the following "connect-src 'self'"

Good morning,
I use a docker-compose from nextcloud as follows:
front => apache:

<VirtualHost *:443>
    ServerAdmin pou....
    DocumentRoot /var/www/html
    ServerAlias frontend.tld
    RewriteEngine on
    ErrorLog logs/cloud-dock-error_log
    CustomLog logs/cloud-dock-access_log common

    LogLevel warn
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    SSLEngine on
    ...
    ...
    ...
    # pass the original Host and scheme on to the backend
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    ProxyAddHeaders Off

    ProxyPassMatch (.*)(\/websocket)$ "ws://backend.tld:8082/$1$2"
    ProxyPass / "http://backend.tld:8082/"
    ProxyPassReverse / "http://backend.tld:8082/"
</VirtualHost>

back => docker compose:

https://github.com/nextcloud/docker/tree/master/.examples/docker-compose/insecure/postgres/fpm

everything seems to work, but I have these errors in Nextcloud->admin->overview:

- You access your instance via a secure connection, yet it generates insecure URLs. This probably means that you are behind a reverse proxy and that the rewrite variables are not set correctly. Refer to the documentation page on this subject.
- Your web server is not configured correctly to resolve “/.well-known/webfinger”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/nodeinfo”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/caldav”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/carddav”. More information can be found on our documentation.

and in Chrome (dev console) I have these errors:

Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘attribution-reporting’.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘run-ad-auction’.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘join-ad-interest-group’.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘browsing-topics’.
bootstrap:19 JQMIGRATE: Migrate is installed, version 3.4.1
session-heartbeat.js:103 session heartbeat polling started
overview:1 Refused to connect to ‘http://backend.tld/index.php/.well-known/webfinger’ because it violates the following Content Security Policy directive: “connect-src ‘self’”.

overview:1 Refused to connect to ‘http://backend.tld/index.php/.well-known/nodeinfo’ because it violates the following Content Security Policy directive: “connect-src ‘self’”.

NotificationsApp.vue:470 Notifications permissions not yet requested
overview:1 Refused to connect to ‘http://backend.tld/remote.php/dav/’ because it violates the following Content Security Policy directive: “connect-src ‘self’”.

overview:1 Refused to connect to ‘http://backend.tld/remote.php/dav/’ because it violates the following Content Security Policy directive: “connect-src ‘self’”.

    GET https://frontend.tld/data/.ocdata?t=1707749893587 404 (Not Found)

send@jquery.js:9940
ajax@jquery.js:9521
(anonymous) @jquery-migrate.min.js:2
e. @jquery-migrate.min.js:2
checkDataProtected@setupchecks.js?v=67d23e84-0:392
(anonymous) @admin.js:114
settings:1 Manifest: property ‘start_url’ ignored, should be same origin as document.

I tried to configure the “content-security-policy” headers in nginx but it’s worse, I think I didn’t put the right directive.
If anyone has an architecture similar to mine with working headers, I would like some help.
Fred

Don’t do this. Nextcloud manages the CSP.

Can you post your Nextcloud config (e.g. output of ./occ config:list system from inside your app container)?

You likely need to, at a minimum, set your overwrite* parameters appropriately to use your external URL (i.e. proxy handled https://domain.com). The Admin Manual covers these parameters. At the moment I suspect they’re either not in your config or they are but they specify http.


{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "REMOVED SENSITIVE VALUE",
            "password": "REMOVED SENSITIVE VALUE",
            "port": 6379
        },
        "upgrade.disable-web": true,
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "localhost",
            "backend.tld:8082",
            "frontend.tld:443"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "pgsql",
        "version": "28.0.2.5",
        "trusted_proxies": "REMOVED SENSITIVE VALUE",
        "overwriteprotocol": "https",
        "overwritehost": "frontend.tld",
        "overwritewebroot": "/",
        "overwritecondaddr": "^193\\.xx\\.xx\\.xx$", (cidr frontend.tld)
        "forwarded-for-headers": [
            "X-Forwarded-For",
            "HTTP_X_FORWARDED_FOR"
        ],
        "overwrite.cli.url": "https://frontend.tld",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true
    }
}

Likely the problem is here: please remove both values (and the respective Docker ENV variables, if you set them), perform docker-compose down+up and try again.

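To see why the reply above points at those values, here is an added example (my own Python model, not Nextcloud's code) of the documented overwrite* and trusted_proxies rules: overwriteprotocol, overwritehost and overwritewebroot are honoured only when the REMOTE_ADDR the backend sees matches the overwritecondaddr regex, and X-Forwarded-* headers only when that REMOTE_ADDR is a listed trusted proxy. The addresses 193.0.2.10 (the public front end) and 172.18.0.1 (the Docker-internal address the backend actually sees) are constructed placeholders.

```python
import re

# Added example (not Nextcloud's code): a simplified model of the documented
# overwrite* / trusted_proxies rules behind the "generates insecure URLs" error.
# Constructed placeholders: 193.0.2.10 is the front end's public address,
# 172.18.0.1 the Docker-internal address the backend sees as REMOTE_ADDR.
CONFIG_AS_POSTED = {
    "overwriteprotocol": "https",
    "overwritehost": "frontend.tld",
    "overwritewebroot": "/",
    "overwritecondaddr": r"^193\.0\.2\.10$",  # stands in for ^193\.xx\.xx\.xx$
    "trusted_proxies": ["193.0.2.10"],
}
# $_SERVER as the fpm backend sees one proxied request (constructed);
# no HTTPS=on because the proxy talks plain http to port 8082.
SERVER_VARS = {
    "REMOTE_ADDR": "172.18.0.1",
    "HTTP_HOST": "backend.tld",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "frontend.tld",
}

def overwrite_condition_matches(config, remote_addr):
    """overwrite* values apply only if REMOTE_ADDR matches overwritecondaddr;
    an absent or empty overwritecondaddr means they always apply."""
    pattern = config.get("overwritecondaddr", "")
    return pattern == "" or re.search(pattern, remote_addr) is not None

def generated_base_url(config, server):
    """Scheme and host Nextcloud would put into generated links (simplified)."""
    remote_addr = server.get("REMOTE_ADDR", "")
    use_overwrite = overwrite_condition_matches(config, remote_addr)
    # X-Forwarded-* headers are honoured only when sent by a trusted proxy.
    forwarded_ok = remote_addr in config.get("trusted_proxies", [])
    if use_overwrite and config.get("overwriteprotocol"):
        proto = config["overwriteprotocol"]
    elif forwarded_ok and server.get("HTTP_X_FORWARDED_PROTO"):
        proto = server["HTTP_X_FORWARDED_PROTO"]
    else:
        proto = "https" if server.get("HTTPS") == "on" else "http"
    if use_overwrite and config.get("overwritehost"):
        host = config["overwritehost"]
    elif forwarded_ok and server.get("HTTP_X_FORWARDED_HOST"):
        host = server["HTTP_X_FORWARDED_HOST"]
    else:
        host = server.get("HTTP_HOST", "localhost")
    webroot = config.get("overwritewebroot", "") if use_overwrite else ""
    return f"{proto}://{host}" + webroot.rstrip("/")
```

With the regex in place and a non-matching REMOTE_ADDR the model yields http://backend.tld, which is exactly the origin in the connect-src errors above. Dropping overwritecondaddr, or listing the address the backend really sees in trusted_proxies, both yield https://frontend.tld.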

great, thanks to your recommendations I have one less error:

- You access your instance via a secure connection, yet it generates insecure URLs. This probably means that you are behind a reverse proxy and that the rewrite variables are not set correctly. Refer to the documentation page on this subject.

I will work on the rewrite rules for the rest of the messages:

- Your web server is not configured correctly to resolve “/.well-known/webfinger”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/nodeinfo”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/caldav”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/carddav”. More information can be found on our documentation.


I have made a little progress on my problems by adding these lines in the “virtualhost” of my reverse proxy Apache:

RewriteEngine On
RewriteRule ^/.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/nodeinfo https://%{SERVER_NAME}/remote.php/nodeinfo/ [R=301,L]
RewriteRule ^/.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]

All the error lines from my Chrome dev console have disappeared, leaving a new error:

GET https://frontend.tld/data/.ocdata?t=1708009143531 404 (Not Found)
send@jquery.js:9940
ajax@jquery.js:9521
(anonymous) @jquery-migrate.min.js:2
e. @jquery-migrate.min.js:2
checkDataProtected@setupchecks.js?v=691e8c5c-0:392

On the other hand, in Nextcloud there are still the lines:

- Your web server is not configured correctly to resolve “/.well-known/webfinger”. More information can be found on our documentation.
- Your web server is not configured correctly to resolve “/.well-known/nodeinfo”. More information can be found on our documentation.

which makes me think of a bug in Nextcloud which is looking for components that I would not have installed.

Besides the warnings, do you have any issues using your system?