
Running this chart configured with nginx causes incorrect redirects and CSP errors

Open dankar opened this issue 1 year ago • 4 comments

Describe your Issue

When running this chart with nginx enabled, URIs without an ending "/" will cause nginx to redirect with a 301 to "http" instead of "https" (this is of course assuming that you have a reverse proxy serving https as well).

Nginx is the part that is causing this redirect, and it seems like this is solved by adding "absolute_redirect off;" in the server section in the nginx configuration. I would gladly open a PR for this, but I'm not knowledgeable enough about the project to know if this is the best solution.

This issue appears most clearly when trying to enable/disable apps, which will cause a request to https://server/apps/files, which gets incorrectly redirected to http://server/apps/files/

Logs and Errors

Describe your Environment

  • Kubernetes distribution: k3s

  • Helm Version (or App that manages helm):

  • Helm Chart Version:

  • values.yaml:

# paste your values.yaml (anonymize any sensitive data)

Additional context, if any

dankar avatar Apr 19 '24 21:04 dankar
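A small model of the redirect described in this issue, added here as an illustration and not part of the issue or the chart: it reproduces the Location header nginx emits for a URI lacking a trailing slash with absolute_redirect at its default (on) versus off, and flags the https-to-http downgrade that the browser then sees. It assumes TLS is terminated in front of nginx (so nginx's own listener is plain http) and that the URI is one nginx would redirect; the host and path are the sample values from the issue.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample input, taken from the URL quoted in the issue.
SAMPLE_URL = "https://nextcloud.domain.com/apps/files"


def nginx_trailing_slash_location(request_url, absolute_redirect=True):
    """Location header nginx sends for a directory URI without a trailing '/'.

    Assumption: TLS is terminated at the ingress, so nginx's listener is
    plain http. With absolute_redirect on (nginx's default) the header is
    an absolute URL built from that listener's scheme, hence 'http://'.
    With absolute_redirect off the header is just the path, and the client
    keeps the scheme and host it originally used.
    """
    parts = urlsplit(request_url)
    if parts.path.endswith("/"):
        return None  # nothing to redirect
    path = parts.path + "/"
    if absolute_redirect:
        return f"http://{parts.netloc}{path}"
    return path


def check_redirect(request_url, absolute_redirect=True):
    """Return (next_url, downgraded).

    next_url is what the client fetches after resolving Location against
    the request URL; downgraded is True when an https request is sent to a
    plain-http Location, the symptom reported in this issue.
    """
    location = nginx_trailing_slash_location(request_url, absolute_redirect)
    if location is None:
        return request_url, False
    next_url = urljoin(request_url, location)  # handles relative Location
    downgraded = (urlsplit(request_url).scheme == "https"
                  and urlsplit(next_url).scheme == "http")
    return next_url, downgraded


if __name__ == "__main__":
    for setting in (True, False):
        nxt, bad = check_redirect(SAMPLE_URL, absolute_redirect=setting)
        label = "on " if setting else "off"
        print(f"absolute_redirect {label}: {SAMPLE_URL} -> {nxt} downgrade={bad}")
```

Running it prints the plain-http Location for the default setting and the same-scheme URL with absolute_redirect off, which is the one-line change proposed above.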

I'm unable to reproduce this. Could you please fill out the values.yaml in your post so we, or someone else in the community, can better help you? I just went to https://cloud.mydomain/apps/files on my server and it redirected to https with no issues. I also verified via web developer tools in firefox that all requests are 200s. I have nginx enabled. You can view my whole config here.

jessebot avatar Apr 30 '24 14:04 jessebot

Hello, same problem here on a fresh install of the helm chart. The redirections are looping as follows:

  1. https://nextcloud.domain.com/apps/dashboard, redirect with 301 to (we are noting the https and no trailing /)
  2. http://nextcloud.domain.com/apps/dashboard/, redirect with 308 to (only http this time but trailing / is here)
  3. https://nextcloud.domain.com/apps/dashboard, etc... As noted by @dankar, I do not have this problem if I manually put the trailing / on the https URL.

Here is my values.yaml (I took the liberty of keeping only the relevant part. Tell me if you want the full one)

image:
  repository: nextcloud
  flavor: fpm

ingress:
  enabled: true
  className: nginx
  servicePort: 8080
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    nginx.ingress.kubernetes.io/proxy-body-size: 4G
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"

    # Keep this in sync with the README.md:
    nginx.ingress.kubernetes.io/server-snippet: |-
      server_tokens off;
      proxy_hide_header X-Powered-By;
      rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
      rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
      location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
        deny all;
      }
  tls:
    - secretName: nextcloud-tls
      hosts:
        - nextcloud.domain.com
  labels: {}
  path: /
  pathType: Prefix

nextcloud:
  host: nextcloud.domain.com

nginx:
  enabled: true
  image:
    repository: nginx
    tag: alpine
    pullPolicy: IfNotPresent

Xysto avatar May 03 '24 12:05 Xysto

I'm still unable to reproduce this with my current settings, which you can find here: https://github.com/small-hack/argocd-apps/blob/667215dd71d433f3d0cf240ff7e72c2c2d395669/nextcloud/app_of_apps/nextcloud_argocd_appset.yaml

I think the only difference is that I currently have cors disabled, and I have a valid TLS cert currently, as I am using letsencrypt-prod right now.

In the meantime, I've added a help wanted label here, so that if anyone else in the community does encounter this and knows the solution, they can perhaps chime in.

jessebot avatar Jun 03 '24 08:06 jessebot