Issues Behind NGINX Reverse Proxy - Refused to apply style because its MIME type is not support errors

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version: 18.0.3
Operating system and version: Ubuntu 18.04
Apache or nginx version: Apache = 2.4.29 // NGINX = 1.14.0
PHP version: 7.2

The issue you are facing:

I’ve been struggling with an on-going issue getting my Nextcloud instance to work behind an NGINX server I’m using to act exclusively as a reverse proxy. My current layout is as follows:

NGINX Server --> Nextcloud Server --> MariaDB Server

As of currently, I’m stuck trying to get onto the login page as it appears below:

Inspecting in the browser window yields several errors along the line of

Refused to apply style from ‘’ because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.

The only way I was able to see this now is by disabling the directive in my NGINX configuration:

try_files $fastcgi_script_name =404;

Which then stopped just showing me a 404 error with no details. My configuration files are listed below:

Nextcloud config.php Info

Nextcloud htaccess configuration
<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer" always
    Header always set X-Content-Type-Options "nosniff" always
    Header always set X-Download-Options "noopen" always
    Header always set X-Frame-Options "SAMEORIGIN" always
    Header always set X-Permitted-Cross-Domain-Policies "none" always
    Header always set X-Robots-Tag "none" always
    Header always set X-XSS-Protection "1; mode=block" always
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /
ErrorDocument 404 /
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>
"Nextcloud Apache Config
<VirtualHost *:80>
ServerName nextcloud.x.com
ServerAlias nextcloud.x.com
DocumentRoot /var/www/nextcloud
<Directory /var/www/nextcloud/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

</Directory>
RewriteEngine on
RewriteOptions inherit
Redirect 301 /.well-known/carddav /remote.php/dav
Redirect 301 /.well-known/caldav /remote.php/dav
</VirtualHost>
NGINX Configuration File
upstream php-handler {
# IP of NextCloud Server
	server x.x.x.x:9000;
#	server unix:/var/run/php/php7.2-fpm.sock;
}

server {
	listen 443 ssl http2;
	#listen [::]:443 ssl http2;
	server_name nextcloud.x.com;

	ssl_certificate /etc/nginx/ssl/letsencrypt/x.com/ssl.crt;
	ssl_certificate_key /etc/nginx/ssl/letsencrypt/x.com/ssl.key;
	ssl_dhparam /etc/nginx/ssl/letsencrypt/x.com/dhparams.pem;

	include /etc/nginx/ssl.conf;
	
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	fastcgi_hide_header X-Powered-By;

	root /var/www/nextcloud;

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	location = /.well-known/carddav {
		return 301 $scheme://$host:$server_port/remote.php/dav;
	}

	location = /.well-known/caldav {
		return 301 $scheme://$host:$server_port/remote.php/dav;
	}

	client_max_body_size 512M;
	fastcgi_buffers 64 4K;

	gzip on;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	location / {
		rewrite ^ /index.php;
	}
	
	location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
		deny all;
	}

	location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
		set $path_info $fastcgi_path_info;
#		try_files $fastcgi_script_name =404;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $path_info;
		fastcgi_param HTTPS on;
		# Avoid sending the security headers twice
		fastcgi_param modHeadersAvailable true;
		# Enable pretty urls
		fastcgi_param front_controller_active true;
		fastcgi_pass php-handler;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	}

	location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
		try_files $uri/ =404;
		index index.php;
	}

	# Adding the cache control header for js, css and map files
	# Make sure it is BELOW the PHP block
	location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
		try_files $uri /index.php$request_uri;
		add_header Cache-Control "public, max-age=15778463";
		# Add headers to serve security related headers (It is intended to
		# have those duplicated to the ones above)
		# Before enabling Strict-Transport-Security headers please read into
		# this topic first.
		#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
		#
		# WARNING: Only add the preload option once you read about
		# the consequences in https://hstspreload.org/. This option
		# will add the domain to a hardcoded list that is shipped
		# in all major browsers and getting removed from this list
		# could take several months.
		add_header Referrer-Policy "no-referrer" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header X-Download-Options "noopen" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		add_header X-Permitted-Cross-Domain-Policies "none" always;
		add_header X-Robots-Tag "none" always;
		add_header X-XSS-Protection "1; mode=block" always;

		# Optional: Don't log access to assets
		access_log off;
	}

	location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
		try_files $uri /index.php$request_uri;
		# Optional: Don't log access to other assets
		access_log off;
	}

	location = /data/htaccesstest.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

}

At this point, I’m completely stumped on what else I could adjust to try and fix this. Prior to this point, I had been previously not using fastcgi and was instead just passing things over with proxy_pass directives and it worked, albeit it was slow and there were other errors that I was having troubles fixing after reviewing the overview pane, so I thought I’d use the recommended NGINX configuration template provided on the Nextcloud website which uses fastcgi and this is as far as I’ve been able to get.

Can someone please help me with this? I’m reluctant to post in forums in general because I know it’s probably just some dumb mistake I’m making and I’m going to get grilled for it at this point, but it’s worth it if I can just finally figure this out. I’ll be happy to submit any additional details as needed.

EDIT - Moved to “installation” category as I thought maybe this would be more of a setup issue than a “support” issue, so please feel free to move it wherever it may be appropriate.

1 Like

I don’t know anything about apache2.

For nginx this is a working reverse proxy configuration provided you have set the servers configuration file to detect the real IP, which I won’t get into here.

Nginx Proxy -> Nginx Main

Hey, thanks for responding - that configuration works for me, so I’m just going to give up on trying to use fastcgi for now. I did have to add:

'overwritehost' => 'nextcloud.x.com',

and

1 => '<the ip of my nextcloud server>'

to my ‘trusted_domains’ setting to get that configuration working so it didn’t redirect to the IP vs the requested hostname. Ironically, your configuration also resolved all of the webdav errors I was getting in the security & setup warnings I was observing before that made me want to go with the actual documentation provided by Nextcloud for NGINX configurations using fastcgi.

So again, thank you, you saved me from having to endure even more hours and hours of trying to figure this bloody thing out.

1 Like

Just make sure it’s recording the real client IP in the nextcloud log file or you’re going to have issues. That configuration does work for that provided you have the config.php setup right.

Glad it worked for you!

1 Like