[Bug]: CSRF Check failed, again

[immae]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

This is a reopening of a discussion that started in a closed issue #40626 (comment)
The symptoms are similar but the cause seems to be different.

I regularly get a CSRF error, when navigating or uploading a file via the web application. The easiest way to reproduce it for me is by navigating in the files app:

After about 5 to 10 clicks on folders, I end up getting a "Unexpected error: invalid response 401, [try again]"
When I look at the network console, I see that indeed the PROPFIND responsed with a 401 with the same sabre response as @michnovka above.
However, when I hit "try again", it usually works. But in the console the exact same request is made (I checked all the headers, they are all the same, and the request body too), with the same csrf token. It’s just successful the second time.

This seems to exclude a front-only issue to me.
In case it helps, between the two calls (the failing one and the successful one) there is always a GET /apps/files/ executed (it’s done automatically just after the 401 is received). Maybe that’s what "unlocks" the situation?

See the few comments starting at the link above for more feedbacks related to the issue.

Steps to reproduce

Not deterministic to reproduce, but just navigating on the web app is sufficient.

The issue started to occur after a migration from apache/httpd to nginx (nothing else changed). I have other nginx similar installs which work "just fine", without being able to spot a relevant difference between them

Expected behavior

Expecting to be able to navigate the web application and upload files without any error

Nextcloud Server version

32

Operating system

Other

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

[GeneralPancakeMSTR]

I have a setup that completely deterministically reproduces this problem, but I can't tell if it's a NC bug or down to misunderstanding how to configure nginx, NC, or subdomains.

I will sanitize the setup and post the relevant files here.

[GeneralPancakeMSTR]

Here are the files :

config.php
docker-compose-subdomain-ssl.yml
Dockerfile.txt
index.html
myapp.conf.txt
nextcloud_http.conf.txt

// config.php
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis',
    'password' => '',
    'port' => 6379,
  ),
  'upgrade.disable-web' => true,
  'instanceid' => '...',
  'passwordsalt' => '...',
  'secret' => '...',
  'trusted_domains' => 
  array (
    0 => 'nc.mydomain.com',    
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '32.0.3.2',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://nc.mydomain.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => '...',
  'installed' => true,
  'log_type' => 'file',
  'log_type_audit' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'logfilemode' => 0640,
  'loglevel' => 2,
);

# docker-compose-subdomain-ssl.yml
services:
  myapp:
    hostname: myapp
    image: alpine_host_image
    restart: always
    stop_grace_period: 3s
    volumes:
      - ./myapp.conf:/etc/nginx/nginx.conf:ro
      - ./index.html:/var/www/html/index.html:ro
    command: >
      /bin/bash -c "
        nginx &&
        sleep infinity
        "

  db:
    # Note: Check the recommend version here: https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html#server
    image: postgres:alpine
    restart: always
    volumes:
      - db:/var/lib/postgresql/data:Z
    env_file:
      - db.env

  # Note: Redis is an external service. You can find more information about the configuration here:
  # https://hub.docker.com/_/redis
  redis:
    image: redis:alpine
    restart: always

  nextcloud:
    hostname: app
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - nextcloud:/var/www/html
      # NOTE: The `volumes` config of the `cron` and `app` containers must match
    environment:
      - POSTGRES_HOST=db
      - REDIS_HOST=redis
    env_file:
      - db.env
    depends_on:
      - db
      - redis

  cron:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - nextcloud:/var/www/html
      # NOTE: The `volumes` config of the `cron` and `app` containers must match
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  # Note: Nginx is an external service. You can find more information about the configuration here:
  # https://hub.docker.com/_/nginx/
  nginx_nextcloud:
    hostname: nginx_nextcloud
    image: nginx:alpine-slim
    restart: always
    volumes:
      # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
      - ./nextcloud_http.conf:/etc/nginx/nginx.conf:ro
      # NOTE: The `volumes` included below should match those of the `app` container (unless you know what you're doing)
      - nextcloud:/var/www/html:ro
      - letsencrypt:/etc/letsencrypt:ro
    depends_on:
      - nextcloud

  nginx:
    hostname: web
    image: nginx:alpine-slim
    restart: always
    stop_grace_period: 3s
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./subdomain-ssl.conf:/etc/nginx/nginx.conf
      - letsencrypt:/etc/letsencrypt
    depends_on:
      - nginx_nextcloud

volumes:
  db:
  nextcloud:
  letsencrypt:

# Dockerfile 
# docker build --rm -t alpine_host_image .

FROM alpine:latest

RUN apk update && apk add bash

# RUN apk add bc --no-cache 
# RUN apk add coredns --no-cache
RUN apk add grep --no-cache
RUN apk add iptables --no-cache
# RUN apk add ip6tables --no-cache
RUN apk add iputils --no-cache
# RUN apk add kmod --no-cache
# RUN apk add libcap-utils --no-cache
# RUN apk add libqrencode-tools --no-cache
RUN apk add net-tools --no-cache
# RUN apk add nftables --no-cache
# RUN apk add openresolv --no-cache
RUN apk add tcpdump --no-cache
RUN apk add iproute2 --no-cache
RUN apk add curl --no-cache

RUN apk add shadow --no-cache 
RUN apk add sudo --no-cache

RUN apk add shadow --no-cache 
RUN apk add sudo --no-cache

RUN apk add nginx --no-cache
RUN apk add certbot certbot-nginx --no-cache

RUN apk add python3 --no-cache 

RUN useradd -g www-data www-data --shell /bin/bash

ARG USER=uhost
ARG GROUP=ghost
RUN groupadd ${GROUP}
RUN useradd ${USER} --create-home --shell /bin/bash

RUN usermod -aG root,wheel ${USER}

# Passworded sudo 
RUN echo '%wheel ALL=(ALL:ALL) ALL' >> /etc/sudoers
# <Set uhost password here>

<!-- index.html -->
Hello World!

# myapp.conf 
events {
    worker_connections  1024;
}


http {    
    server {
        listen 80;

        # Path to the root of your installation
        root /var/www/html;
        
        location = / {                        
            index index.html;
            try_files $uri /index.html =404;
        }
    }
}

# nextcloud_http.conf
worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include mime.types;
    default_type  application/octet-stream;
    types {
        text/javascript mjs;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Prevent nginx HTTP Server Detection
    server_tokens   off;

    keepalive_timeout  65;

    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
    map $arg_v $asset_immutable {
        "" "";
    default ", immutable";
    }

    #gzip  on;

    resolver 127.0.0.11 valid=2s;
    upstream php-handler {
        zone backends 64k;
        server app:9000 resolve;
    }

    server {
        listen 80;

        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

        # set max upload size and increase upload timeout:
        client_max_body_size 512M;
        client_body_timeout 300s;
        fastcgi_buffers 64 4K;

        # The settings allows you to optimize the HTTP2 bandwidth.
        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
        # for tuning hints
        client_body_buffer_size 512k;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"       always;
        add_header X-Content-Type-Options               "nosniff"           always;
        add_header X-Frame-Options                      "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
        add_header X-Robots-Tag                         "noindex, nofollow" always;
        add_header X-XSS-Protection                     "1; mode=block"     always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;

            fastcgi_max_temp_file_size 0;
        }

        # Serve static files
        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
            add_header X-Content-Type-Options            "nosniff"           always;
            add_header X-Frame-Options                   "SAMEORIGIN"        always;
            add_header X-Permitted-Cross-Domain-Policies "none"              always;
            add_header X-Robots-Tag                      "noindex, nofollow" always;
            add_header X-XSS-Protection                  "1; mode=block"     always;
            access_log off;     # Optional: Don't log access to assets

            location ~ \.wasm$ {
                default_type application/wasm;
            }
        }

        location ~ \.(otf|woff2?)$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

# subdomain-ssl.conf
events {
    worker_connections  1024;
}


http {
    # Docker resolver 
    resolver 127.0.0.11 ipv6=off valid=2s;    
    
    
    server { 
        server_name mydomain.com www.mydomain.com;

        location / {
            proxy_pass http://myapp:80$uri;
            proxy_set_header Host $host;
        }
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}    

    server {
        listen 90;
        server_name nc.mydomain.com;
        
        # Logging
        access_log /var/log/nginx/nextcloud_access.log;
        error_log /var/log/nginx/nextcloud_error.log;

        location / {
            proxy_pass http://nginx_nextcloud:80$uri;
            proxy_set_header Host $host;
        }
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


    server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        
        listen 80; 
        server_name www.mydomain.com mydomain.com;
    return 404; # managed by Certbot




}}

[GeneralPancakeMSTR]

I think I finally solved the problem. It is an nginx.conf issue.

The basic idea is to drop the $uri argument in the proxy pass section of the nextcloud server in the nginx.conf

    # ...
    server {
        server_name nc.mydomain.com
        location / {
            # proxy_pass http://nginx_nextcloud:80$uri; # <-- This breaks the website (logout issue)
            proxy_pass http://nginx_nextcloud:80; # <-- ! drop the $uri
            proxy_set_header Host $host;
        }
    # ...
}

Here are some relevant links that I found to resolve the issue:

• Nginx - encoding (normalizing) part of URI
• Nextcloud | CSRF check failed when logging out
• cant logout of Nextcloud

Dropping that $uri variable/argument has fixed my nextcloud instance!

[solracsf]

The issue started to occur after a migration from apache/httpd to nginx (nothing else changed). I have other nginx similar installs which work "just fine", without being able to spot a relevant difference between them

This generally indicates a configuration problem, not a bug.