Unable to add/update passwords using NextCloud in docker (docker-compose)

Hi,
I have been running NextCloud on my Synology NAS (that doesn’t support docker) but after the recent update to v23 it is running super slow and I don’t think the NAS can support it anymore with its very limited memory/CPU speed.

I have a Raspberry Pi (that is already running Home Assistant as well as a few other services, including a reverse proxy with Nginx) that I plan to use to now host NextCloud.

I have set this up using Docker-Compose and it is mostly working as expected, reverse proxying through Nginx to the docker container. I created a duplicate of the [Maria] DB and Data folders on the NAS which I can connect to and mount via fstab. Clicking around, things seem to be working ok and it is much faster than the old NAS.

I have installed the Passwords app and managed to import all the old passwords using ./occ commands following the documentation; I can view a list of my passwords and see the password details.
However I cannot Edit or Add passwords: when I click + Add Password or Right Click → Edit nothing happens. I have also noticed that if I click Settings under More in the bottom left corner I get the following error popup:

“Unable to load SettingsSection”

I have uninstalled and reinstalled, and also deleted the custom apps folder after uninstalling. I have turned on Debug logging but I get no extra details, just “SCSSCacher::process ordinary check follows” which seems to be a common occurrence on normal pages.

In the Docker logs I can only see a line when I click on the settings (bottom left button), nothing when clicking add:
172.18.0.1 - - [02/Apr/2022:10:38:34 +1100] "GET /custom_apps/passwords/l10n/settings/en_GB.json?_=2022.3.0 HTTP/1.1" 302 900 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36"

In the Admin Passwords app settings the only error is:

Using Ajax to execute background jobs may cause delays. We recommend using Cron. Please check the system requirements.

I just haven’t setup a cronjob yet.

My docker-compose is:

version: '3.7'

volumes:
  nextcloud:

services:
  app:
    image: nextcloud
    container_name: NextCloud_Dev
    restart: always
    ports:
      - 8888:80
    volumes:
      - nextcloud:/var/www/html
      - /opt/NextCloud_data:/var/www/html/data
      - /etc/timezone:/etc/timezone:ro
    environment:
      - MYSQL_PASSWORD=***
      - MYSQL_DATABASE=***
      - MYSQL_USER=***
      - MYSQL_HOST=***
      - TZ=Australia/Melbourne
      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.home cloud_pi.home cloud_pi.home:8888
      - TRUSTED_PROXIES=172.18.0.1

I feel like a php module is missing or something but I don’t really know where to start. Does anyone have any ideas why this isn’t working?

Let me know if you need any more logs or details.

Thanks,
Richard

There might be something wrong with the url setup. When you open the settings/edit form, the app will try to request a JS file from the server. Check the url used in the browser (F12, then the network tab).

Ahr yes, I should have checked that. I can see that the browser(?) is blocking the request for the 3 js files requested when clicking on the Add Password link:

https://cloud_pi.home/custom_apps/passwords/js/Static/marked.33dc1aebbd2d220e820f.js
https://cloud_pi.home/custom_apps/passwords/js/Static/148.317bc629dd5ced7b8a07.js
https://cloud_pi.home/custom_apps/passwords/js/Static/CreatePassword.21ef7b9da3144c4f15bd.js

The status is blocked:csp

This may be due to the self signed certificate setup perhaps? It does seem strange as the resource URL (cloud_pi.home) is the same for these requests as rest of the pages. Unless the reverse proxy is causing the issue with the HTTPS translation?

The CSP is the Content Security Policy. Usually, when you open the url of the passwords app, the CSP should be set automatically and be included in the headers of the response, e.g.:

content-security-policy
default-src 'none';base-uri 'none';
manifest-src 'self';
script-src 'nonce-long-stuff' test.passwordsapp.org 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: raw.githubusercontent.com;
font-src 'self' data:;
connect-src 'self' wss://nextcloudpi raw.githubusercontent.com data:;
media-src 'self' raw.githubusercontent.com blob:;
frame-ancestors 'self';form-action 'self'

Especially the script source should contain the host of the url you’re using.

It seems ok, for script-src there is the nonce and then the cloud_pi.home resource.

default-src 'none';base-uri 'none';
manifest-src 'self';
script-src 'nonce-SGZJYzcrR3doNTljd2Z0WEpYT0FsNVY1Zk10SkREdFByc2tiL3EyV25iVT06ZUxONG9KV0E3dHB0dWNNMVZEUzV4NlVBRlp3NFlIRU8vbzl5eCtmVjFNdz0=' cloud_pi.home 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: raw.githubusercontent.com;
font-src 'self' data:;connect-src 'self' raw.githubusercontent.com data:;
media-src 'self' raw.githubusercontent.com blob:;
frame-src 'self';frame-ancestors 'self';
worker-src 'self' blob:;form-action 'self'

In console the full error is:

Refused to load the script 'https://cloud_pi.home/custom_apps/passwords/js/Static/CreatePassword.21ef7b9da3144c4f15bd.js' because it violates the following Content Security Policy directive: "script-src 'nonce-SGZJYzcrR3doNTljd2Z0WEpYT0FsNVY1Zk10SkREdFByc2tiL3EyV25iVT06ZUxONG9KV0E3dHB0dWNNMVZEUzV4NlVBRlp3NFlIRU8vbzl5eCtmVjFNdz0=' cloud_pi.home 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

A.l @ app.js?v=e148e717-0:2
A.f.j @ app.js?v=e148e717-0:2
(anonymous) @ app.js?v=e148e717-0:2
A.e @ app.js?v=e148e717-0:2
(anonymous) @ app.js?v=e148e717-0:2
createPassword @ app.js?v=e148e717-0:2
createPassword @ app.js?v=e148e717-0:2
click @ app.js?v=e148e717-0:2
Ke @ app.js?v=e148e717-0:2
n @ app.js?v=e148e717-0:2
s._wrapper @ app.js?v=e148e717-0:2

So it seems aware of the CSP and has the correct resource identifier.

I had more time to look into the browser logs, it seems the issue stems from this line:

The source list for the Content Security Policy directive 'script-src' contains an invalid source: 'cloud_pi.home'. It will be ignored.

But as listed above

default-src 'none';base-uri 'none';
manifest-src 'self';
script-src 'nonce-SGZJYzcrR3doNTljd2Z0WEpYT0FsNVY1Zk10SkREdFByc2tiL3EyV25iVT06ZUxONG9KV0E3dHB0dWNNMVZEUzV4NlVBRlp3NFlIRU8vbzl5eCtmVjFNdz0=' cloud_pi.home 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: raw.githubusercontent.com;
font-src 'self' data:;connect-src 'self' raw.githubusercontent.com data:;
media-src 'self' raw.githubusercontent.com blob:;
frame-src 'self';frame-ancestors 'self';
worker-src 'self' blob:;form-action 'self'

it is in the CSP header sent with the /passwords/ request, so I guess there is another CSP being set.
Is there some other config I have missed when setting up the instance and/or the reverse proxy?

I think the browser message is clear on that. cloud_pi.home is not seen as a valid entry for script-src and ignored by the browser. So even if it is present in the header from the server, the browser ignores it and won’t load from the domain.

Right, so it turns out I am an idiot and ‘_’ is not a valid character in a domain name, so obviously Chrome was rejecting any CSP entries using it.

I have replaced it with a ‘-’, which is valid, and the Passwords app works as expected.

Thanks for your help and sorry for wasting your time.
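The root cause in this thread is that a Content-Security-Policy host-source only allows letters, digits and hyphens in the host, so a browser silently drops an entry like cloud_pi.home and the app's scripts are refused. The following checker is an added example, not part of this thread or of the Passwords app; it parses a CSP header value and lists the source entries a browser would ignore, using a simplified CSP Level 3 source grammar and a constructed header modelled on the one quoted above (nonce shortened).

```python
import re

# Simplified CSP Level 3 grammar: host-source is [scheme "://"] host [":" port] [path]
# and host-char is ALPHA / DIGIT / "-", so an underscore makes the whole entry
# invalid and the browser ignores it (the failure seen in this thread).
_SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
_HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
_PORT = r"(?::(?:\*|[0-9]+))?"
_PATH = r"(?:/[^\s;,]*)?"
HOST_SOURCE = re.compile(rf"^(?:{_SCHEME}://)?{_HOST}{_PORT}{_PATH}$")
SCHEME_SOURCE = re.compile(rf"^{_SCHEME}:$")
NONCE_OR_HASH = re.compile(
    r"^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=_-]+)'$")
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'unsafe-hashes'", "'strict-dynamic'", "'report-sample'",
            "'wasm-unsafe-eval'"}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_valid_source(source: str) -> bool:
    """True if the token is a keyword, nonce/hash, scheme-source or host-source."""
    return (source in KEYWORDS
            or bool(NONCE_OR_HASH.match(source))
            or bool(SCHEME_SOURCE.match(source))
            or bool(HOST_SOURCE.match(source)))

def invalid_sources(header: str) -> dict[str, list[str]]:
    """Map each directive to the source entries a browser would drop."""
    bad = {}
    for directive, sources in parse_csp(header).items():
        rejected = [s for s in sources if not is_valid_source(s)]
        if rejected:
            bad[directive] = rejected
    return bad

# Constructed header modelled on the one quoted in the thread (nonce shortened).
BROKEN = ("default-src 'none';base-uri 'none';manifest-src 'self';"
          "script-src 'nonce-SGZJYzcrR3do' cloud_pi.home 'unsafe-eval';"
          "connect-src 'self' wss://nextcloudpi raw.githubusercontent.com data:;"
          "frame-src 'self';frame-ancestors 'self';form-action 'self'")
FIXED = BROKEN.replace("cloud_pi.home", "cloud-pi.home")
print(invalid_sources(BROKEN))  # {'script-src': ['cloud_pi.home']}
```

Run it against the header your instance actually sends (copy the response header from the F12 network tab) to catch the same class of mistake before a browser does.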
