The password should be changed to the one entered.
In step 5 the server sends the following CSP header:
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-Mk1RbkprTGhWV1lodlBWQlpLQTU0V3p1cW1xQ1JjYUZHWHhNNDErSVU5bz06amJkTVFBeVFGeXhXMGJjVU5PaHZwaXZhL1J2T0lLNzJiQTRrMWliTkZ1Zz0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';worker-src 'self' blob:;form-action 'self'
In step 8 (when clicking reset password), the browser reports in the console: "Refused to connect to 'http://cloud.myhost.com/index.php/lostpassword/set/F0wht0l71UItYBwKyNJDx/username' because it violates the following Content Security Policy directive: "connect-src 'self'"."
In the browser window, below the password reset button, it just prints "Network Error".
Operating system:
ubuntu 18.04 / docker
Web server:
apache through "nextcloud:17-apache" docker image
Database:
mysql via docker "mysql:5.7"
PHP version:
the one shipped with "nextcloud:17-apache" docker image
Nextcloud version: (see Nextcloud admin page)
Updated from an older Nextcloud/ownCloud or fresh install:
upgrade, but only the "data" and "config" directories are mounted into the install via
volumes:
- /data/mycloud.at/domdorn/config:/var/www/html/config
- /data/mycloud.at/domdorn/data:/var/www/html/data
Where did you install Nextcloud from:
Docker
Signing status:
No errors have been found.
List of activated apps:
Enabled:
Nextcloud configuration:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.xxxx.at"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "http:\/\/cloud.xxxx.at",
"dbtype": "mysql",
"version": "17.0.0.9",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"loglevel": 0,
"theme": "",
"maintenance": false,
"forcessl": false,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"appstore.experimental.enabled": false,
"filelocking.enabled": true,
"memcache.local": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"timeout": 0,
"password": "***REMOVED SENSITIVE VALUE***"
},
"mail_sendmailmode": "smtp",
"mail_smtpauth": 1,
"mail_smtpsecure": "tls",
"mail_smtpauthtype": "LOGIN",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
}
}
Are you using external storage, if yes which one: local/smb/sftp/...
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
no
Browser:
Chrome Version 76.0.3809.100 (Official Build) (64-bit)
Operating system:
OSX
Web server error log
no relevant log entry, as the request never reaches the server
Nextcloud log
nextcloud.log is 14MB; I don't think anything important is in there.
Browser log
I think the sent CSP is defined in EmptyContentSecurityPolicy, however I'm not sure. I'm using the default configuration with Docker. The only thing special is that I don't directly expose the docker container, but front it with nginx.
I had to set "trusted_domains" for this to work in config.php
https://docs.nextcloud.com/server/17/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies
Nginx forwards X-Forwarded-Host and X-Forwarded-Proto so nextcloud is able to generate the correct urls. But by default these headers are ignored if the ip of your reverse proxy is not specified in trusted_proxies.
CSP fails because the form is submitted to http:// from a https:// page.
Thanks @kesselb for your answer. After a lot of trial and error I finally got it working.
Nginx sends the X-Forwarded-Proto header, which apparently nextcloud ignores, even when I set
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED_PROTO', 'HTTP_X_FORWARDED_HOST')
so I had to manually set
'overwriteprotocol' => 'https',
I'm not sure if it's a bug, but I think nextcloud should honour the X-Forwarded-Proto from a trusted proxy.
@domdorn it does work for overwritehost (which is populated from X-Forwarded-Host) but not overwriteprotocol? You added the IP of the reverse proxy to trusted_proxies in config.php?
EDIT: FIXED
Hey! I am still getting this issue in 'nextcloud:17-apache'.
Relevant config:
'overwrite_host' => 'nextcloud.domain.name',
'overwrite_protocol' => 'https',
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED_PROTO', 'HTTP_X_FORWARDED_HOST'),
'trusted_proxies' =>
array (
0 => '10.233.0.0/16', // Kubernetes Nginx Reverse Proxy
1 => '173.245.48.0/20', // Cloudflare Reverse Proxy
2 => '103.21.244.0/22',
3 => '103.22.200.0/22',
4 => '103.31.4.0/22',
5 => '141.101.64.0/18',
6 => '108.162.192.0/18',
7 => '190.93.240.0/20',
8 => '188.114.96.0/20',
9 => '197.234.240.0/22',
10 => '198.41.128.0/17',
11 => '162.158.0.0/15',
12 => '104.16.0.0/12',
13 => '172.64.0.0/13',
14 => '131.0.72.0/22',
),
Am I missing something?
EDIT:
After way too much digging through code trying to figure out how that url was generated I figured out my issue was that I was using overwrite_protocol instead of overwriteprotocol.
Not sure how I polluted my config with that underscore but now everything works.
@domhauton
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED_PROTO', 'HTTP_X_FORWARDED_HOST'),
Don't append HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_HOST to forwarded_for_headers. It tries to determine the client IP from these headers.
OK, about my issue: I think I found a/the problem.
The default docker image nextcloud:17-apache contains a file /etc/apache2/conf-enabled/remoteip.conf which contains
RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16
That means that the apache2 serving my nextcloud automatically takes the X-Real-IP that's passed by my nginx and sets it as REMOTE_ADDR. This however makes my
'trusted_proxies' => ['172.22.0.0/24'],
not match anymore (because I only get the IP of my computer/client as REMOTE_ADDR, and that is certainly not in the private range). And because of that, X_FORWARDED_PROTO is not automatically used and falls back to http, and I have to manually set
'overwriteprotocol' => 'https',
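The two explanations in this thread (the reply that X-Forwarded-Proto is only honoured when REMOTE_ADDR is in trusted_proxies, and the finding that the image's remoteip.conf rewrites REMOTE_ADDR to the X-Real-IP value before PHP sees it) can be checked end to end with a small model. The following is an added example, not Nextcloud's or the docker image's own code: it mimics mod_remoteip, reproduces the scheme decision as described in the thread (plus the documented overwritecondaddr regex gate on overwriteprotocol), and applies the browser's connect-src 'self' rule to the generated reset URL. The IPs, hostname, token placeholder and function names are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample values: a client on the public Internet, an nginx
# reverse proxy inside the docker network, and the Nextcloud site.
CLIENT_IP = "203.0.113.7"
PROXY_IP = "172.22.0.5"
PAGE_ORIGIN = "https://cloud.example.com"
RESET_PATH = "/index.php/lostpassword/set/TOKEN-PLACEHOLDER/username"

# Equivalent of the remoteip.conf shipped in the nextcloud:17-apache image:
# RemoteIPHeader X-Real-IP plus the three RFC 1918 RemoteIPTrustedProxy ranges.
APACHE_REMOTEIP_HEADER = "X-Real-IP"
APACHE_REMOTEIP_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def in_any(addr, networks):
    """True if addr lies in any of the given CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def apache_remoteip(env):
    """Mimic mod_remoteip: when the TCP peer is a trusted proxy and sent the
    configured header, PHP sees that header's value as REMOTE_ADDR."""
    env = dict(env)  # do not mutate the caller's copy
    hdr = env["headers"].get(APACHE_REMOTEIP_HEADER)
    if hdr and in_any(env["REMOTE_ADDR"], APACHE_REMOTEIP_TRUSTED):
        env["REMOTE_ADDR"] = hdr
    return env


def request_scheme(env, config):
    """Decide http/https the way the thread describes Nextcloud doing it:
    overwriteprotocol wins (gated by the optional overwritecondaddr regex on
    REMOTE_ADDR, per that option's documented meaning); otherwise
    X-Forwarded-Proto is honoured only if REMOTE_ADDR is in trusted_proxies;
    otherwise the scheme of the direct connection (plain http inside docker)."""
    cond = config.get("overwritecondaddr")
    if config.get("overwriteprotocol") and (not cond or re.search(cond, env["REMOTE_ADDR"])):
        return config["overwriteprotocol"]
    if in_any(env["REMOTE_ADDR"], config.get("trusted_proxies", [])):
        proto = env["headers"].get("X-Forwarded-Proto")
        if proto:
            return proto.lower()
    return "https" if env.get("HTTPS") else "http"


def connect_src_self_allows(page_origin, target_url):
    """connect-src 'self': same host and port, and the same scheme or an
    https upgrade of an http page. An http target from an https page is
    refused, which is the console error quoted in the report."""
    p, t = urlsplit(page_origin), urlsplit(target_url)
    default = {"http": 80, "https": 443}
    p_port, t_port = p.port or default.get(p.scheme), t.port or default.get(t.scheme)
    if p.scheme == t.scheme:
        scheme_ok, port_ok = True, p_port == t_port
    else:
        scheme_ok = p.scheme == "http" and t.scheme == "https"
        port_ok = (p.port is None and t.port is None) or p_port == t_port
    return p.hostname == t.hostname and scheme_ok and port_ok


def reset_request_allowed(config, with_real_ip=True):
    """Full path: nginx -> apache mod_remoteip -> Nextcloud URL generation ->
    browser CSP check. Returns (generated_url, allowed_by_csp)."""
    headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "cloud.example.com"}
    if with_real_ip:
        headers[APACHE_REMOTEIP_HEADER] = CLIENT_IP
    env = {"REMOTE_ADDR": PROXY_IP, "HTTPS": False, "headers": headers}
    env = apache_remoteip(env)
    url = f"{request_scheme(env, config)}://cloud.example.com{RESET_PATH}"
    return url, connect_src_self_allows(PAGE_ORIGIN, url)


if __name__ == "__main__":
    broken = {"trusted_proxies": ["172.22.0.0/24"]}
    fixed = {"trusted_proxies": ["172.22.0.0/24"], "overwriteprotocol": "https"}
    print(reset_request_allowed(broken))                      # http:// URL, refused by CSP
    print(reset_request_allowed(fixed))                       # https:// URL, allowed
    print(reset_request_allowed(broken, with_real_ip=False))  # REMOTE_ADDR stays the proxy -> https
```

The third call shows why trusted_proxies alone works on a setup without the RemoteIP rewrite: when REMOTE_ADDR is still the proxy address, X-Forwarded-Proto is trusted and the reset URL comes out as https. With the rewrite in place the address Nextcloud sees is the client's, the proxy list no longer matches, and only overwriteprotocol (or a trusted_proxies entry covering what REMOTE_ADDR actually contains) restores the https URL.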
Cool! I didn't know that :+1: If the client ip is already correct, overwriteprotocol and overwritehost should be enough.
Have the same issue but when I try to login. How do I add the overwriteprotocol line?
@domdorn Thank you very much! You saved my day.
'overwriteprotocol' => 'https',
Problems like this remind me to get some chicken bones for future telling...
Hello there,
I am facing the exact same issue. I already have overwriteprotocol set to https.
Everything works like a charm, except the password reset function. Every time I try to set a new password I get the same error as described above.
Here is my config:
$CONFIG = array (
'htaccess.RewriteBase' => '/',
'memcache.local' => '\OC\Memcache\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'instanceid' => '######',
'passwordsalt' => '######',
'secret' => '######',
'trusted_domains' =>
array (
0 => '######',
1 => '######',
2 => '######',
),
'trusted_proxies' =>
array (
0 => '######',
1 => '######',
2 => '######',
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '19.0.0.12',
'overwriteprotocol' => 'https',
'overwritehost' => '######',
'overwritecondaddr' => '^10\.0\.0\.2$',
'dbname' => '######',
'dbhost' => '######',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => '######',
'dbpassword' => '######',
'installed' => true,
'overwrite.cli.url' => 'https://XXXXXXXX.TLD',
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => 'noreply',
'mail_domain' => '######',
'mail_smtpauth' => 1,
'mail_smtpauthtype' => 'LOGIN',
'mail_smtphost' => 'mail.XXXXX.tld',
'mail_smtpport' => '587',
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED_PROTO', 'HTTP_X_FORWARDED_HOST'),