Andrej

Reputation: 27

Unable to Login to Nextcloud Docker Deployment with Apache Behind Kubernetes Ingress

I am facing an issue with my Nextcloud setup running in a Docker container with Apache. It is deployed behind a Kubernetes Ingress, but after submitting the login form, I get the following error in the browser:

Refused to send form data to 'https://test.nextcloud.example.com/index.php/login' because it violates the following Content Security Policy directive: "form-action 'self'".

However, when I reload the page after the error, the Nextcloud dashboard appears as if I had logged in successfully. I'm unsure if this is related to the Content-Security-Policy (CSP) configuration or the interaction between Apache and the Kubernetes Ingress.

Setup Details

Dockerfile

# Based on the official PHP image with Apache
FROM php:8.2-apache

# Install required packages and PHP extensions
RUN apt-get update && apt-get install -y \
    libpng-dev \
    libjpeg-dev \
    libzip-dev \
    libbz2-dev \
    unzip \
    curl \
    libicu-dev \
    default-mysql-client \
    libgmp-dev \
    imagemagick \
    libmagickwand-dev \
    && rm -rf /var/lib/apt/lists/* \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl \
    && docker-php-ext-configure gd --with-jpeg \
    && docker-php-ext-install -j$(nproc) gd pdo pdo_mysql zip bcmath gmp exif pcntl

ENV NEXTCLOUD_PATH=/var/www/nextcloud

# Copy Nextcloud files
COPY nextcloud /var/www/nextcloud

# Copy PHP configuration
COPY ic-scripts/php.ini /usr/local/etc/php/

# Set Apache permissions
RUN chown -R www-data:www-data /var/www/nextcloud && \
    chmod -R 755 /var/www/nextcloud

WORKDIR /var/www/nextcloud

# Enable required Apache modules
RUN a2enmod rewrite headers env dir mime
COPY ic-scripts/apache2/sites-available/nextcloud.conf /etc/apache2/sites-available/nextcloud.conf

RUN a2dissite 000-default && a2ensite nextcloud

# Expose port 80
EXPOSE 80

CMD ["apache2-foreground"]

Nextcloud config.php

<?php
$CONFIG = array (
  'passwordsalt' => '80xlyMpfd2sdx9M3P2S2uIJOMOm37s9fmOwf',
  'secret' => 'Em1orES3RGMVbc3IRwWsdsDrwR9aKOZQToCegAyEGaQhch48QlW',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'test.nextcloud.example.com',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '30.0.2.2',
  'overwrite.cli.url' => 'https://test.nextcloud.example.com',
  'dbname' => 'nextcloud',
  'dbhost' => '78.140.127.328',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_ma2ws16',
  'dbpassword' => 'g|*8{(7%uT)k%0Xs2hN.XLN.R7=;Q3',
  'installed' => true,
  'instanceid' => 'ocjo6sffdsrztga',
  'allow_local_remote_servers' => true,
);

Apache Virtual Host Configuration

<VirtualHost *:80>
    DocumentRoot /var/www/nextcloud
    ServerName test.nextcloud.example.com

    <Directory /var/www/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymlinks
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; manifest-src 'self'; script-src 'nonce-c8kLTSPzju+7+cZdHr7DDUKDFvwBaNn6qNhs3GN7n0o='; script-src-elem 'strict-dynamic' 'nonce-c8kLTSPzju+7+cZdHr7DDUKDFvwBaNn6qNhs3GN7n0o='; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.tile.openstreetmap.org; font-src 'self' data:; connect-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self' https://test.nextcloud.example.com;"
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Permissions-Policy "autoplay=(self), camera=(), geolocation=(), microphone=(), payment=()"

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Kubernetes Ingress Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-nextcloud
  namespace: nextcloud
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header Content-Security-Policy "default-src 'self'; form-action 'self' https://test.nextcloud.example.com;";
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - test.nextcloud.example.com
      secretName: nextcloud-tls
  rules:
    - host: test.nextcloud.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud-service
                port:
                  number: 80

What I Have Tried

  1. Adjusted form-action in CSP headers within Apache and Kubernetes Ingress.
  2. Confirmed trusted_domains in config.php includes test.nextcloud.example.com.
  3. Tested with and without RewriteCond %{HTTPS} off in the Apache configuration.

Question

How can I resolve the CSP form-action violation error during login? Could the Kubernetes Ingress or my Apache configuration be causing this, and how can I ensure a seamless login experience?

Upvotes: 0

Views: 49
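Added example (not part of the question, and not Nextcloud's, Apache's or ingress-nginx's code): a Node.js model of the `form-action` check a browser performs when one response carries several Content-Security-Policy headers. It makes three points concrete. Every CSP header on a response is a separate policy and a submission must satisfy all of them; `Header always set` in Apache writes to mod_headers' "always" table rather than replacing a header the PHP application sets, and the Ingress `add_header` line adds yet another, so the console error can quote a `form-action 'self'` that neither the Apache nor the Ingress directive contains verbatim. `form-action` has no `default-src` fallback. And Chrome also checks each redirect the submission follows against `form-action`, reporting the original action URL. The three headers in the sample are constructed from the Apache and Ingress configuration in the question plus an assumed `form-action 'self'` from the application itself. The scenario it walks through is a POST to the login URL that is allowed, followed by a redirect to an http:// URL, which fails `'self'` under an https document because CSP never lets `'self'` downgrade the scheme.

```javascript
// Added example (not code from the question, Nextcloud, Apache or ingress-nginx):
// a small model of how a browser evaluates CSP `form-action` when a response
// carries several Content-Security-Policy headers. Each header is a separate
// policy; a form submission must satisfy every one of them. `form-action`
// has no `default-src` fallback. Chrome also checks each redirect the
// submission follows against `form-action` and reports the original action
// URL in the console error.

// Parse one header value into { directive: [source expressions...] }.
// A directive repeated within one policy is ignored after its first occurrence.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Default port for the URL's scheme, used when a host-source names a port.
function effectivePort(u) {
  return u.port || (u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '');
}

// Does one source expression allow `target` for a document at `self`?
// Implements 'none', 'self', '*', scheme-source and host-source (path
// matching simplified to a prefix check); other keywords do not apply to
// form-action.
function sourceMatches(expr, target, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    // CSP3: same origin, or an http document may submit to https on the same
    // host (upgrade). An https document may never submit to http (downgrade).
    if (target.origin === self.origin) return true;
    return self.protocol === 'http:' && target.protocol === 'https:' &&
           target.hostname === self.hostname;
  }
  if (expr === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (target.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (target.protocol !== self.protocol &&
             !(self.protocol === 'http:' && target.protocol === 'https:')) {
    return false; // a scheme-less host-source inherits the document's scheme
  }
  const th = target.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !th.endsWith('.' + h) : th !== h) return false;
  if (port && port !== '*' && effectivePort(target) !== port) return false;
  if (path && !target.pathname.startsWith(path)) return false;
  return true;
}

// Evaluate `targetUrl` against every policy. Returns one entry per policy that
// blocks the submission, with the directive text a browser would quote.
function formActionViolations(headers, documentUrl, targetUrl) {
  const self = new URL(documentUrl);
  const target = new URL(targetUrl, documentUrl);
  const violations = [];
  headers.forEach((header, index) => {
    const sources = parsePolicy(header)['form-action'];
    if (!sources) return; // no form-action in this policy: nothing to enforce
    if (!sources.some((src) => sourceMatches(src, target, self))) {
      violations.push({ policy: index, directive: `form-action ${sources.join(' ')}` });
    }
  });
  return violations;
}

// Check a whole submission: the form's action followed by each redirect hop.
function checkSubmission(headers, documentUrl, hops) {
  return hops.map((url) => ({ url, violations: formActionViolations(headers, documentUrl, url) }));
}

// Constructed sample: three policies as a browser would see them if the
// application, the Apache vhost from the question and the Ingress snippet from
// the question each add their own header. The first line is an assumption
// about what the application itself sends.
const HEADERS = [
  "default-src 'none'; form-action 'self'",
  "default-src 'none'; form-action 'self' https://test.nextcloud.example.com;",
  "default-src 'self'; form-action 'self' https://test.nextcloud.example.com;",
];
const LOGIN_PAGE = 'https://test.nextcloud.example.com/index.php/login';

// Scenario: the POST itself is allowed; a redirect to http:// afterwards is
// blocked by all three policies, while an https:// redirect passes.
const DEMO = checkSubmission(HEADERS, LOGIN_PAGE, [
  'https://test.nextcloud.example.com/index.php/login',
  'http://test.nextcloud.example.com/index.php/apps/dashboard/',
  'https://test.nextcloud.example.com/index.php/apps/dashboard/',
]);
console.log(JSON.stringify(DEMO, null, 2));
```

Two checks against the real deployment follow from this before any policy is loosened: count the Content-Security-Policy headers on the login response as served through the Ingress (each layer in the question adds one), and look at the scheme in the Location header returned by the login POST. Nextcloud derives the scheme of the URLs it generates from the request as Apache sees it unless `overwriteprotocol` (with `trusted_proxies`) is set in config.php; a TLS-terminating Ingress forwarding plain HTTP to port 80 is the case those settings exist for, and the posted config.php does not set them. Separately, the nonce in the Apache `Header always set` line is a fixed string sent with every response, so it provides none of the per-request guarantee a CSP nonce is meant to give; a static header is the wrong place for a nonce.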

Answers (0)
