Cannot login, Refused to execute inline script because it violates the following Content Security Policy directive
arminus opened this issue · 3 comments
Behaviour
Nextcloud appears to be installed and configured fine, no obvious errors in the docker logs, but I can't login.
Steps to reproduce this issue
- Installed everything from scratch, using https://github.com/crazy-max/docker-nextcloud/blob/master/examples/compose/docker-compose.yml
- Successfully ran the pre-configuration (i.e. register admin user, waited for "Installing..." completion)
- Tried to login
Expected behaviour
Being able to actually log in
Actual behaviour
After clicking login, I just get back to the login screen again. Error in the console:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-VzdtY3lOL0Zia1BrNnBvYjJ3Y2xOZWFlOERsYm1OMEhyVnRSNVl6K0Yrbz06Yk5QbWpvMldXbWlOck5STjRtaFNUYlBYczJ3MXFhNVI1eUZvb2NyTldvOD0='". Either the 'unsafe-inline' keyword, a hash ('sha256-rwMOiOeVICH7/Cjy5SkreID3OOi5HTrit357k22hUDQ='), or a nonce ('nonce-...') is required to enable inline execution.
Removing RP_HEADER from .env and restarting the containers didn't make a difference.
Happens in Firefox, Brave and Chrome - all most current versions.
Configuration
- Docker version (type docker --version) : 20.10.5+dfsg1, build 55c4c88
- Docker compose version if applicable (type docker-compose --version) : 1.25.0
- Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Debian 11 Bullseye
- System info (type uname -a) : Linux pi4 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
- Include all necessary configuration files : docker-compose.yml, .env, ... -> basically the same as in examples, just changed the volumes
Docker info
Client:
Context: default
Debug Mode: false
Server:
Containers: 17
Running: 17
Paused: 0
Stopped: 0
Images: 68
Server Version: 20.10.5+dfsg1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1.4.13~ds1-1~deb11u1
runc version: 1.0.0~rc93+ds1-5+b2
init version:
Security Options:
seccomp
Profile: default
cgroupns
Kernel Version: 5.15.32-v8+
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 3.706GiB
Name: pi4
ID: TPZD:GIGK:IEF6:ESYA:RNI3:VFDE:HIDT:F7NB:72EA:EE7P:TFCP:Q2I5
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: Support for cgroup v2 is experimental
Logs
> Container logs (set LOG_LEVEL to debug if applicable)
@arminus What's the output of docker-compose exec nextcloud occ config:list system?
Your command returns this:
❯ docker-compose exec nextcloud occ config:list system
Console has to be executed with the user that owns the file config/config.php
Current user id: 1000
Owner id of config.php: 1024
Try adding 'sudo -u #1024' to the beginning of the command (without the single quotes)
If running with 'docker exec' try adding the option '-u 1024' to the docker command (without the single quotes)
Since I think the user in the container is actually nextcloud, I tried this:
❯ docker exec -it --user nextcloud nextcloud bash
bash-5.1$ ps -ef
PID USER TIME COMMAND
1 root 0:00 s6-svscan -t0 /var/run/s6/services
36 root 0:00 s6-supervise s6-fdholderd
534 root 0:00 s6-supervise php-fpm
535 root 0:00 s6-supervise nginx
536 root 0:00 s6-supervise socklog/log
537 root 0:00 s6-supervise socklog
538 nextclou 0:00 php-fpm: master process (/etc/php8/php-fpm.conf)
540 nobody 0:00 s6-log -bp - +^cron\. T /var/log/socklog/cron - +^daemon\. T /var/log/socklog/daemon - +^\.debug: T /var/log/socklog/debu
541 nextclou 0:00 nginx: master process nginx -g daemon off;
543 nobody 0:00 socklog unix /dev/log
565 nextclou 0:00 nginx: worker process
566 nextclou 0:00 nginx: worker process
567 nextclou 0:00 nginx: worker process
568 nextclou 0:00 nginx: worker process
719 nextclou 0:00 php-fpm: pool www
720 nextclou 0:00 php-fpm: pool www
1152 nextclou 0:00 bash
1168 nextclou 0:00 ps -ef
bash-5.1$ occ config:list system
error: failed switching to "nextcloud:nextcloud": operation not permitted
Same error with --user 1024:
❯ docker exec -it --user 1024 nextcloud bash
bash-5.1$ occ config:list system
error: failed switching to "nextcloud:nextcloud": operation not permitted
bash-5.1$ ls -al config/config.php
lrwxrwxrwx 1 nextclou nextclou 23 Apr 10 19:43 config/config.php -> /data/config/config.php
bash-5.1$ ls -al /data/config/config.php
-rw-r--r-- 1 1024 users 1101 Apr 10 19:43 /data/config/config.php
I don't have a user defined in the docker-compose.yml
What might play a role here: the data volume is like this:
volumes:
- "/mnt/sshfs/nextcloud:/data"
This is mounted like this on the docker host:
sshfs -o allow_other -o idmap=user admin@192.168.0.125:/2TB /mnt/sshfs
There are no file permission errors anywhere in the docker logs, so I assumed everything is ok.
I don't think this is an issue with this image but your nginx configuration that you might need to tweak. Look for the overwrite.cli.url or any other CSP-related settings in config.php. Seems similar to nextcloud/server#44685
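The console error quoted in this issue means an inline script carried no nonce or hash that the script-src directive of the response header allows. The following is an added example, not part of the thread or of the image's code: it takes a captured Content-Security-Policy header value and the HTML body and reports, per inline script, whether the policy would allow it and which sha256 source would match it. The sample header, HTML and nonce values are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
from html.parser import HTMLParser

def script_sources(csp):
    """Source list of script-src (default-src as fallback) from a CSP header value."""
    directives = [d.split() for d in csp.split(";") if d.strip()]
    by_name = {d[0].lower(): d[1:] for d in reversed(directives)}  # first duplicate wins
    return by_name.get("script-src", by_name.get("default-src", []))

class InlineScripts(HTMLParser):  # collects [nonce attribute, body] per <script> without src
    def __init__(self):
        super().__init__()
        self.found, self.current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self.current = [dict(attrs).get("nonce"), ""]
    def handle_data(self, data):
        if self.current is not None:
            self.current[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self.current is not None:
            self.found.append(self.current)
            self.current = None

def audit_inline_scripts(csp, html):
    """Return one (verdict, nonce, sha256 source) tuple per inline script."""
    sources = script_sources(csp)
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    parser = InlineScripts()
    parser.feed(html)
    report = []
    for nonce, body in parser.found:
        digest = "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
        if nonce and f"'nonce-{nonce}'" in sources:
            verdict = "allowed: nonce matches"
        elif f"'{digest}'" in sources:
            verdict = "allowed: hash matches"
        elif "'unsafe-inline'" in sources and not strict:  # ignored next to nonce/hash
            verdict = "allowed: unsafe-inline"
        else:
            verdict = "blocked"
        report.append((verdict, nonce, digest))
    return report

SAMPLE_CSP = "default-src 'none'; script-src 'nonce-Q09OU1RSVUNURUQx'"  # constructed
SAMPLE_HTML = ('<script nonce="Q09OU1RSVUNURUQx">var a=1;</script>'  # constructed page
               '<script nonce="U1RBTEVOT05DRTAw">var b=2;</script><script>var c=3;</script>')
print(*audit_inline_scripts(SAMPLE_CSP, SAMPLE_HTML), sep="\n")
```

A script reported as blocked with a nonce that differs from the header's points at the header and the body coming from different responses (for example a cached page), while a script with no nonce at all points at markup injected after the page was rendered.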