Having set up Nextcloud with Docker and secured it with TLS, I wanted to connect my Nextcloud desktop client. I was able to log in to Nextcloud in my browser. But somehow, the desktop client would always get stuck on the login page of Nextcloud.

Scenario

I use NGINX as a reverse proxy for Nextcloud. TLS termination happens at NGINX. That is, the connection between NGINX and Nextcloud is not secured.

Gotcha

There are different versions of the Nextcloud desktop client (snap package vs. Ubuntu/Debian packages PPA). Using the snap package of the Nextcloud desktop client, I was able to figure out why the desktop client would always get stuck on the login page:

Somehow, the login website contains an HTML form with an action that points to a URL with a plain HTTP connection (no TLS encryption). At the same time, the website itself is served through a TLS-encrypted connection. My browser, here Firefox, then denies this insecure HTTP request.

Nextcloud desktop login

It turned out that Nextcloud cannot know that it is served by a reverse proxy which encrypts all HTTP traffic to the outside world. Therefore, some URLs generated by Nextcloud lack the HTTPS scheme.

Solution

To solve this problem with incorrect URLs, Nextcloud offers a configuration parameter overwriteprotocol which tells Nextcloud that it is running behind a reverse proxy with TLS encryption. If one sets this value to https, Nextcloud will automatically generate correct URLs.

Unfortunately, Nextcloud only offers a few environment variables for configuration. The majority of configuration can only be done through files. Changing configuration files of dockerized applications is always a struggle.

As the documentation states, the main configuration of Nextcloud is stored inside the file config/config.php. But, because the official documentation doesn’t mention an absolute file path, I tried to edit /var/www/html/config/config.php at first (DO NOT EDIT THIS FILE! That’s the wrong way!).

Here are the correct steps to edit, or better, extend config.php for Nextcloud inside the Docker image:

  1. The documentation of Nextcloud states:

    Nextcloud supports loading configuration parameters from multiple files. You can add arbitrary files ending with .config.php in the config/ directory, for example you could place your email server configuration in email.config.php. This allows you to easily create and manage custom configurations, or to divide a large complex configuration file into a set of smaller files. These custom files are not overwritten by Nextcloud, and the values in these files take precedence over config.php.

  2. So, I created a separate configuration file tls.config.php and added my specific configuration:

    <?php
    $CONFIG = array (
      'overwriteprotocol' => 'https',
    );
    
  3. Then, I created a Dockerfile in which I extended the official Docker image and added my individual configuration:

    FROM nextcloud:17.0.0-apache

    COPY tls.config.php /usr/src/nextcloud/config/
    RUN chmod 440 /usr/src/nextcloud/config/tls.config.php

  4. If you use plain Docker, you’re ready to build your new image and run it:

    docker build -t nextcloud:17.0.0-apache-customized .
    docker run -p 8080:80 nextcloud:17.0.0-apache-customized


    If you use Docker Compose, then you need to add a build step to your docker-compose.yml and change the image name so that Docker won’t remove the tag from the original Nextcloud Docker image:

    ---
    version: '3'
    services:
      nextcloud:
        image: "nextcloud:17.0.0-apache-customized"
        build: .
        restart: always
    
    ...
    

    Make sure to add the --build option when starting your stack:

    docker-compose up --build