
Infinite redirects (302) with Reverse HTTPS Proxy when using a Subdirectory

Open attila-tokes opened this issue 3 years ago • 1 comments

Hi!

I'm trying to run NextCloud behind an HTTPS Load Balancer (reverse-proxy), under a sub-path (/nc) of a FreeDNS sub-domain. Ex: https://<edited>.jumpingcrab.com/nc/.

Setup overview:

  • NextCloud is run in a container using Podman, and is exposed to port 8910 on the host VM
  • the LB is configured to forward requests for the /nc/ subpath to the Host VM on port 8910
  • the LB also terminates the HTTPS connection

Following the documentation pages link 1 and link 2, I tried to set the NEXTCLOUD_TRUSTED_DOMAINS, APACHE_DISABLE_REWRITE_IP, TRUSTED_PROXIES and OVERWRITE* environment variables as shown below.

$ podman run --detach --pod=nextcloud   \
   --env MYSQL_HOST=127.0.0.1 \
   --env MYSQL_DATABASE=nextcloud \
   --env MYSQL_USER=nextcloud \
   --env MYSQL_PASSWORD=<edited> \
   --env NEXTCLOUD_ADMIN_USER=admin \
   --env NEXTCLOUD_ADMIN_PASSWORD=<edited> \
   --env OVERWRITEWEBROOT=/nc \
   --env NEXTCLOUD_TRUSTED_DOMAINS=<edited>.jumpingcrab.com \
   --env APACHE_DISABLE_REWRITE_IP=1 \
   --env TRUSTED_PROXIES=10.0.0.0/8 \
   --env OVERWRITEHOST=<edited>.jumpingcrab.com \
   --env OVERWRITEPROTOCOL=https \
   --volume nextcloud-appdata:/var/www/html:Z \
   --volume nextcloud-files:/var/www/html/data:Z \
   --restart on-failure \
   --name nextcloud-app \
   docker.io/library/nextcloud:stable

The problem is that with this setup I get an ERR_TOO_MANY_REDIRECTS from a browser and curl.

To investigate the issue, I tried to do some requests locally using curl, and it looks like the NextCloud server is redirecting HTTPS requests to the same URL. For ex: https://<edited>.jumpingcrab.com/nc/login is redirected to the exact same address.

$ curl -v -X GET http://10.0.0.5:8910/nc/login \
  -H 'Host: <edited>.<edited>.com' \
  -H "X-Real-IP: 88.0.0.1" \
  -H "X-Forwarded-Proto: https" \
  -H "X-Forwarded-Host: <edited>.<edited>.com" \
  -H "X-Forwarded-For: 88.0.0.1"
...
< HTTP/1.1 302 Found
...
< Server: Apache/2.4.54 (Debian)
...
< X-Powered-By: PHP/8.1.13
...
< Location: https://<edited>.jumpingcrab.com/nc/login  

The IP address of both the VM and LB is in the 10.0.0.0/8 range.

As a note, there is a warning about the domain name in the logs, and all the requests are logged with the 10.0.2.100 address:

$ podman logs -f nextcloud-app

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message

10.0.2.100 - - [26/Dec/2022:14:53:54 +0000] "GET /nc/login HTTP/1.1" 302 1676 "-" "curl/7.81.0"

Also tried a couple other configurations (with clean install each time) using the listed environment variables, but nothing worked yet.

Any idea what is needed to stop these redirects?

Thanks!

attila-tokes avatar Dec 26 '22 15:12 attila-tokes

Looks like what I was missing is that NextCloud expects the LB / Reverse Proxy to rewrite the URL and remove the web root prefix (ex. /nc/login should be rewritten to /login).

As we are already running an Apache server, maybe we could add an optional feature (ex. REMOVE_WEB_ROOT_PREFIX=1) to remove the web root prefix.

This could be useful with Load Balancers that do not support URL rewrites, like the LB-s in Oracle Cloud Infrastructure. What do you think?

attila-tokes avatar Dec 27 '22 14:12 attila-tokes

> $ curl -v -X GET http://10.0.0.5:8910/nc/login \

> the LB is configured to forward request for the /nc/ subpath to the Host VM on port 8910

> Looks like what I was missing is that NextCloud expects the LB / Reverse Proxy to rewrite the URL and remove the web root prefix (ex. /nc/login should be rewritten to /login).

Your frontend (reverse proxy) is providing /nc/. It doesn't really exist on the Nextcloud app container. Your proxy should just be pointed at http://10.0.0.5:8910/ (well, I assume; you mentioned 8910 but I don't see it in your run command mapped against :80 and I'm making the assumption that was just an oversight in your write-up example).

And your internal (behind the proxy) curl tests should not have /nc/ in them.

What does curl -v -X GET http://10.0.0.5:8910/ \ [...] return?

P.S. Since this is mostly a config matter, if further troubleshooting is needed, I suggest taking this to the help forum - https://help.nextcloud.com

P.P.S. If I'm missing something in your report and you really believe there is something wrong or missing from the image, don't hesitate to follow-up. I can always re-open.

joshtrichards avatar Jun 18 '24 20:06 joshtrichards
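
A way to script the curl check used in this thread, as an added example that is not part of the original posts: it reads a saved `curl -v` transcript and reports whether the backend's Location header points back at the URL the client was already requesting, which is the loop behind ERR_TOO_MANY_REDIRECTS. The function names, the host cloud.example.test and both transcripts are constructed for illustration.

```shell
# Added example, not from the thread. Host name and transcripts are constructed.

# redirect_verdict PREFIX < transcript
#   Reads `curl -v` output on stdin. PREFIX is the path prefix the proxy strips
#   before forwarding ("" when it forwards the path unchanged).
#   Prints: loop (Location equals the URL requested from outside the proxy),
#           redirect (Location points elsewhere), or ok (no Location header).
redirect_verdict() {
    awk -v prefix="$1" '
        { sub(/\r$/, "") }                               # drop the CR of CRLF lines
        /^> [A-Z]+ \/[^ ]* HTTP\// { path = $3 }         # request line sent to the backend
        $1 == ">" && tolower($2) == "x-forwarded-proto:" { proto = $3 }
        $1 == ">" && tolower($2) == "x-forwarded-host:"  { host  = $3 }
        $1 == "<" && tolower($2) == "location:"          { loc   = $3 }
        END {
            external = proto "://" host prefix path      # URL as seen outside the proxy
            if (loc == "")            print "ok"
            else if (loc == external) print "loop"
            else                      print "redirect"
        }
    '
}

# Constructed transcript: the proxy forwards /nc/login unchanged, as in the report.
sample_unstripped() {
    cat <<'EOF'
> GET /nc/login HTTP/1.1
> Host: cloud.example.test
> X-Forwarded-Proto: https
> X-Forwarded-Host: cloud.example.test
>
< HTTP/1.1 302 Found
< Location: https://cloud.example.test/nc/login
EOF
}

# Constructed transcript: the proxy strips /nc, so the backend sees /login.
# The 200 response is an assumed outcome, not output quoted from the thread.
sample_stripped() {
    cat <<'EOF'
> GET /login HTTP/1.1
> X-Forwarded-Proto: https
> X-Forwarded-Host: cloud.example.test
>
< HTTP/1.1 200 OK
EOF
}

printf 'unstripped: %s\n' "$(sample_unstripped | redirect_verdict '')"
printf 'stripped:   %s\n' "$(sample_stripped | redirect_verdict /nc)"
```

Against a real backend, pipe `curl -v ... 2>&1` into `redirect_verdict`, since curl writes the `>` and `<` lines to stderr.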