Grant Access page using HTTP when behind proxy

[austenadler]

Steps to reproduce

1. Put Nginx behind a reverse proxy (https external; http internal)
2. Create a new account, open the authorization url (looks like: http://nextcloud.example.com/index.php/login/v2/flow/random-string/random-string)
3. Click log in, enter username/password, click login
4. Try to click "Grant Access"

Expected behaviour

Grant Access should work and be routed to https://nextcloud.example.com/index.php/login/v2/grant

Actual behaviour

Grant Access does not work since http://nextcloud.example.com/index.php/login/v2/grant is the action of the form. An error is showed in the console about unsafe URLs
Screenshot; private info replaced with zzz

Server configuration

Operating system: Docker host is Devuan, but using nextcloud official Docker image

Web server: Reverse proxy runs on Nginx

Database: Mariadb

PHP version:

Nextcloud version: 17.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Docker

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Reverse Proxy Configuration (nginx):

Proxy config

location / {
	# NOTE: http://
	proxy_pass http://nextcloud:80/;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
	client_max_body_size 0;
}

Nextcloud configuration:

Config report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "dbtype": "mysql",
        "version": "17.0.1.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Nextcloud log (data/nextcloud.log)

Nextcloud log

-

Browser log

Browser log

JQMIGRATE: Migrate is installed, version 1.4.1 jquery-migrate.min.js:2:551
Content Security Policy: The page’s settings blocked the loading of a resource at http://nextcloud.example.com/index.php/login/v2/grant (“form-action”).

[austenadler]

It looks like the URL generation can be found using linkToRouteAbsolute() (https://github.com/nextcloud/server/blob/master/core/templates/loginflowv2/grant.php#L42)

Which uses $this->request->getServerProtocol() (https://github.com/nextcloud/server/blob/master/lib/private/URLGenerator.php#L270).

[kesselb]

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters

[RobinFrcd]

Same issue here, overwriteprotocol/host is already set in config.php.

[mstroppel]

Same issue here. Could fix it by editing the HTML page in Firefox from "http" to "https".

[jkramarz]

Webserver in nextcloud:17.0.1-apache images does respect X-Real-IP header, so $_SERVER['REMOTE_ADDR'] is set to client's address instead of reverse proxy's address, Request::fromTrustedProxy() condition is not met and Nextcloud rejects X-Forwarded-Proto header.

Remove proxy_set_header X-Real-IP $remote_addr; directive from Nginx, it is redundant with proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; in this use case and also makes this mess.

[kesselb]

@jkramarz it's a mess ;) Feel free to check nextcloud/docker#819 (comment) for more details. I'm not sure what the current status is. A change with nextcloud/server (a more stricter check if x-forwarded-host or x-forwarded-proto is coming from a trusted proxy) broke this feature in the first place. I think remoteip should be deprecated and trusted_proxies, overwrite* configureable by env. Would be good to have this fixed sometime. Here are tons of reports about this problem (e.g. #17432).

@austenadler okay with you to close this one as duplicate?

[austenadler]

Closing as duplicate in favor of #17432 and nextcloud/docker#819 (comment)

Thanks @kesselb and @jkramarz