Upgrade from v27 to v28 not working with trusted domains

bcleonard · January 17, 2024, 4:41pm

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 20.0.5): 28.0.1.1
Operating system and version (eg, Ubuntu 20.04): unsure
Apache or nginx version (eg, Apache 2.4.25): unsure
PHP version (eg, 7.4): unsure

I’m using the following docker image: Docker

The issue you are facing: I performed an upgrade from v27 to v28. After the upgrade, I received a web page stating that I needed to add my domain to trusted domain. I am going through a proxy. I could not log in and all my desktop/ios clients stopped working. My manipulating the trusted_domains setting, I can get my desktop/ios clients to work, but I can’t login via the web.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

upgrade v27 to v28

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

Working IOS/Desktop Clients:

  'trusted_domains' =>
  array (
    0 => 'storage.stygianresearch.com:9531',
    1 => 'storage.stygianresearch.com:443',
    2 => 'storage.stygianresearch.com:80',
    3 => 'storage.stygianresearch.com',
  ),

Not working:

  'trusted_domains' =>
  array (
    0 => 'storage.stygianresearch.com:9531',
  ),

For the working (first config), all the clients work, but the login page ends up redirecting to the 4th entry (no port), which is not passed through the proxy. My setup worked prior to the upgrade, so something was working but now its not. I’m not sure what.

jtr · January 17, 2024, 5:58pm

Which image? The Apache or the FPM one?
What proxy are you using and how is it configured in general?
Post your occ config:list system output

bcleonard · January 17, 2024, 9:52pm

I use the tag nextcloud:latest which I believe is the apache one.

I use jwilder’s nginx proxy - GitHub - nginx-proxy/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen

here is my complete docker-compose file (actually portainer stack)

# GH: https://github.com/nextcloud/docker
# GH: https://github.com/nginx-proxy/nginx-proxy
# DH: https://hub.docker.com/r/jwilder/nginx-proxy
# DH: https://hub.docker.com/_/mariadb
# DH: https://hub.docker.com/_/redis
# DH: https://hub.docker.com/_/nextcloud
networks:
  nextcloud_network:
    name: nextcloud_networks
    ipam: 
      config:
        - subnet: 172.69.69.0/24

services:
  proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nextcloud-proxy
    networks:
     - nextcloud_network
    ports:
      - 9531:443
    volumes:
      - /home/cloudstorage/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      - /usr/local/certs:/etc/nginx/certs:rprivate
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - DEFAULT_HOST=storage.stygianresearch.com
    restart: unless-stopped

  db:
    image: mariadb:latest
    container_name: nextcloud-mariadb
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    networks:
      - nextcloud_network
    volumes:
      - /home/cloudstorage/mysql:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=<redacted>
      - MYSQL_PASSWORD=<redacted>
      - MYSQL_DATABASE=<redacted>
      - MYSQL_USER=<redacted>
    restart: unless-stopped

  redis:
    image: redis:alpine
    container_name: nextcloud-redis

    networks:
     - nextcloud_network
    restart: always

  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    depends_on:
      - proxy
      - db
      - redis
    volumes:
      - /home/cloudstorage/apache-sr.conf:/etc/apache2/conf-enabled/apache-sr.conf
      - /mnt/nextcloud-data/data/html:/var/www/html
      - /mnt/nextcloud-data/data/apps:/var/www/html/apps
      - /mnt/nextcloud-data/data/config:/var/www/html/config
      - /mnt/nextcloud-data/data/data:/var/www/html/data
      - /etc/localtime:/etc/localtime:ro
      - /tmp:/tmp
    environment:
      - VIRTUAL_HOST=storage.stygianresearch.com
      - TRUSTED_PROXIES=172.69.69.0/24
      - TRUSTED_DOMAINS=localhost,storage.internal.stygianresearch.com:443,storage.internal.stygianresearch.com:80,storage.internal.stygianresearch.com:9531
      - REDIS_HOST=redis
      - PHP_MEMORY_LIMIT=6G
      - PHP_UPLOAD_LIMIT=10G
    restart: unless-stopped

docker exec --user www-data nextcloud-app php occ config:list system

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "storage.stygianresearch.com:9531",
            "storage.stygianresearch.com:443",
            "storage.stygianresearch.com:80",
            "storage.stygianresearch.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "tempdirectory": "\/tmp",
        "dbtype": "mysql",
        "version": "28.0.1.1",
        "overwrite.cli.url": "http:\/\/storage.stygianresearch.com:9531",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "US",
        "mail_smtpdebug": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "filelocking.ttl": 3600,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "loglevel": 1,
        "debug": false,
        "maintenance": false,
        "trashbin_retention_obligation": "auto"
    }
}

What looks like is happening is the trusted domain is fine, but the port is stripped out during some sort of redirect.