CSS and Javascript error over HTTPS with nginx

Server
#1

Steps to reproduce

  1. Manual installation of ownCloud
  2. Install nginx, SSL certificate, MySQL, php-fpm and all prerequisites
  3. here is the nginx config:

upstream php-handler {

  server 127.0.0.1:9000;
  # Depending on your used PHP version
  # server unix:/var/run/php5-fpm.sock;
  #server unix:/run/php/php7.2-fpm.sock;

}
server {

  listen 80;
  server_name cloud.bdevay.duckdns.org;
  # For SSL certificate verifications, this needs to be served via HTTP
  location /.well-known/(acme-challenge|pki-validation)/ {
      root /var/www/.well-known/pki-validation/;
  }
  # enforce https
  location / {
      return 301 XXXXS://$server_name$request_uri;
  }

}
server {

  listen 443 ssl http2;
  server_name cloud.bdevay.duckdns.org;
  ssl_certificate /etc/ssl/nginx/certificate.crt;
  ssl_certificate_key /etc/ssl/nginx/private.key;
  # Example SSL/TLS configuration. Please read into the manual of NGINX before applying these.
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
  ssl_dhparam /etc/nginx/dh4096.pem;
  ssl_prefer_server_ciphers on;
  keepalive_timeout    70;
  ssl_stapling on;
  ssl_stapling_verify on;
  # Add headers to serve security related headers
  # The always parameter ensures that the header is set for all responses, including internally generated error responses.
  # Before enabling Strict-Transport-Security headers please read into this topic first.
  # XXXXS://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
  add_header X-Content-Type-Options nosniff always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Robots-Tag none always;
  add_header X-Download-Options noopen always;
  add_header X-Permitted-Cross-Domain-Policies none always;
  # Path to the root of your installation
  root /var/www/owncloud/;
  location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
  }
  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
 # rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
  location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
  }
  location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
  }
  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 8 4K;                     # Please see note 1
  fastcgi_ignore_headers X-Accel-Buffering; # Please see note 2
  # Disable gzip to avoid the removal of the ETag header
  # Enabling gzip would also make your server vulnerable to BREACH
  # if no additional measures are done. See XXXXS://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
  gzip off;
  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;
  location / {
     rewrite ^ /index.php$uri;
  }

  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      return 404;
  }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      return 404;
  }
  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|ocm-provider/.+|core/templates/40[34])\.php(?:$|/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot XXXXS://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param HTTPS on;
      fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
      fastcgi_param front_controller_active true;
      fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
      # fastcgi_pass php-handler;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off; #Available since NGINX 1.7.11
  }
  location ~ ^/(?:updater|ocs-provider|ocm-provider)(?:$|/) {
      try_files $uri $uri/ =404;
      index index.php;
  }
  # Adding the cache control header for js and css files
  # Make sure it is BELOW the PHP block
  location ~ \.(?:css|js)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "max-age=15778463" always;

      # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
      # The always parameter ensures that the header is set for all responses, including internally generated error responses.
      # Before enabling Strict-Transport-Security headers please read into this topic first.
      # XXXXS://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

      #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Robots-Tag none always;
      add_header X-Download-Options noopen always;
      add_header X-Permitted-Cross-Domain-Policies none always;
      # Optional: Don't log access to assets
      access_log off;
  }
  location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json)$ {
      add_header Cache-Control "public, max-age=7200" always;
      try_files $uri /index.php$uri$is_args$args;
      # Optional: Don't log access to other assets
      access_log off;
  }

}

Expected behaviour

CSS and Javascript content should be displayed on web

Actual behaviour

Browser displays the login text boxes but no buttons, no style available

Server configuration

Operating system:
Linux 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

Web server:
nginx version: nginx/1.14.0 (Ubuntu)

Database:
MySQL Server version: 5.7.31-0ubuntu0.18.04.1 (Ubuntu)

PHP version:
PHP 7.2.24-0ubuntu0.18.04.6 (cli) (built: May 26 2020 13:09:11) ( NTS )

ownCloud version: (see ownCloud admin page)
$OC_VersionString = ‘10.5.0’;
$OC_Build = ‘2020-08-03T07:16:07+00:00 dc16af58beb6050976fd62bf683da0232034e1c6’;

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
owncloud-complete-20200731.zip

Signing status (ownCloud 9.0 and above):
Unsigned. Unable to login since the controls are not displayed.

The content of config/config.php:
{
“system”: {
“passwordsalt”: “REMOVED SENSITIVE VALUE”,
“secret”: “REMOVED SENSITIVE VALUE”,
“trusted_domains”: [
“localhost”,
“cloud.bdevay.duckdns.org”
],
“datadirectory”: “/mnt/documents/www/owncloud/data”,
“overwrite.cli.url”: “http://localhost”,
“dbtype”: “mysql”,
“version”: “10.5.0.10”,
“dbname”: “owncloud”,
“dbhost”: “localhost”,
“dbtableprefix”: “oc_”,
“mysql.utf8mb4”: true,
“dbuser”: “REMOVED SENSITIVE VALUE”,
“dbpassword”: “REMOVED SENSITIVE VALUE”,
“logtimezone”: “UTC”,
“apps_paths”: [
{
“path”: “/mnt/documents/www/owncloud/apps”,
“url”: “/apps”,
“writable”: false
},
{
“path”: “/mnt/documents/www/owncloud/apps-external”,
“url”: “/apps-external”,
“writable”: true
}
],
“installed”: true,
“instanceid”: “ocyzljj5kjsh”
}
}

List of activated apps:
Enabled:

  • activity: 2.5.3
  • comments: 0.3.0
  • configreport: 0.2.0
  • dav: 0.6.0
  • federatedfilesharing: 0.5.0
  • federation: 0.1.0
  • files: 1.5.2
  • files_external: 0.7.1
  • files_mediaviewer: 1.0.3
  • files_pdfviewer: 0.11.1
  • files_sharing: 0.13.0
  • files_texteditor: 2.3.0
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • firstrunwizard: 1.2.0
  • market: 0.6.0
  • notifications: 0.5.2
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.4.0
  • updatenotification: 0.2.1
    Disabled:
  • admin_audit
  • announcementcenter
  • customgroups
  • encryption
  • enterprise_key
  • external
  • files_antivirus
  • files_classifier
  • files_external_dropbox
  • files_external_ftp
  • files_ldap_home
  • firewall
  • guests
  • oauth2
  • password_policy
  • ransomware_protection
  • sharepoint
  • systemtags_management
  • theme-enterprise
  • twofactor_totp
  • user_external
  • user_ldap
  • user_shibboleth
  • windows_network_drive
  • wopi
  • workflow

Are you using external storage, if yes which one: local/smb/sftp/

no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/

no

LDAP configuration (delete this part if not used)

There are no commands defined in the “ldap” namespace.

Client configuration

Browser:
Chrome

Operating system:
Windows 10

Logs

Web server error log

2020/08/08 01:22:32 [alert] 28773#28773: *32 open socket #16 left in connection 6
2020/08/08 01:22:32 [alert] 28773#28773: aborting
2020/08/08 01:29:07 [alert] 29005#29005: *219 open socket #15 left in connection 8
2020/08/08 01:29:07 [alert] 29005#29005: aborting

ownCloud log (data/owncloud.log)

{“reqId”:“iO3tUJfPuLUZKRib9xwv”,“level”:3,“time”:“2020-08-07T23:39:59+00:00”,“remoteAddr”:"",“user”:"–",“app”:“mysql.setup”,“method”:"–",“url”:"–",“message”:“Specific user creation failed: An exception occurred while executing ‘SELECT user FROM mysql.user WHERE user=?’ with params [“oc_admin”]:\n\nSQLSTATE[42000]: Syntax error or access violation: 1142 SELECT command denied to user ‘admin’@‘localhost’ for table ‘user’”}

Browser log

Refused to apply style from ‘XXXXs://cloud.bdevay.duckdns.org/core/vendor/select2/select2.css?v=156c1a1cd2fc4710f74b3613142c96e9’ because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.
login:1 Refused to apply style from ‘XXXXs://cloud.bdevay.duckdns.org/core/css/header.css?v=156c1a1cd2fc4710f74b3613142c96e9’ because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.
login:1 Refused to apply style from ‘XXXXs://cloud.bdevay.duckdns.org/core/vendor/jquery-ui/themes/base/jquery-ui.css?v=156c1a1cd2fc4710f74b3613142c96e9’ because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.
39Refused to execute script from ‘’ because its MIME type (‘text/css’) is not executable, and strict MIME type checking is enabled.
jquery.ocdialog.js?v=156c1a1cd2fc4710f74b3613142c96e9:194 Uncaught ReferenceError: jQuery is not defined
at jquery.ocdialog.js?v=156c1a1cd2fc4710f74b3613142c96e9:194
octemplate.js?v=156c1a1cd2fc4710f74b3613142c96e9:104 Uncaught ReferenceError: jQuery is not defined
at octemplate.js?v=156c1a1cd2fc4710f74b3613142c96e9:104
search.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at search.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at search.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
login:1 Refused to execute script from ‘XXXXs://cloud.bdevay.duckdns.org/core/js/oc-requesttoken.js?v=156c1a1cd2fc4710f74b3613142c96e9’ because its MIME type (‘text/html’) is not executable, and strict MIME type checking is enabled.
select2.js?v=156c1a1cd2fc4710f74b3613142c96e9:39 Uncaught ReferenceError: jQuery is not defined
at select2.js?v=156c1a1cd2fc4710f74b3613142c96e9:39
oc-backbone.js?v=156c1a1cd2fc4710f74b3613142c96e9:104 Uncaught ReferenceError: jQuery is not defined
at oc-backbone.js?v=156c1a1cd2fc4710f74b3613142c96e9:104
oc-backbone-webdav.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at oc-backbone-webdav.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at oc-backbone-webdav.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
sharemodel.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at sharemodel.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at sharemodel.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
sharedialogresharerinfoview.js?v=156c1a1cd2fc4710f74b3613142c96e9:12 Uncaught ReferenceError: OC is not defined
at sharedialogresharerinfoview.js?v=156c1a1cd2fc4710f74b3613142c96e9:12
at sharedialogresharerinfoview.js?v=156c1a1cd2fc4710f74b3613142c96e9:124
sharedialoglinkshareview.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at sharedialoglinkshareview.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at sharedialoglinkshareview.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
sharedialogshareelistview.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at sharedialogshareelistview.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at sharedialogshareelistview.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
jquery.colorbox.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at jquery.colorbox.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at jquery.colorbox.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
login:1 Refused to execute script from ‘XXXXs://cloud.bdevay.duckdns.org/core/js/files/fileinfo.js?v=156c1a1cd2fc4710f74b3613142c96e9’ because its MIME type (‘text/html’) is not executable, and strict MIME type checking is enabled.
visitortimezone.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at visitortimezone.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at visitortimezone.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
lostpassword.js?v=156c1a1cd2fc4710f74b3613142c96e9:397 Uncaught ReferenceError: OCA is not defined
at lostpassword.js?v=156c1a1cd2fc4710f74b3613142c96e9:397
at lostpassword.js?v=156c1a1cd2fc4710f74b3613142c96e9:398
browser-update.js?v=156c1a1cd2fc4710f74b3613142c96e9:194 Uncaught ReferenceError: jQuery is not defined
at browser-update.js?v=156c1a1cd2fc4710f74b3613142c96e9:194

#2

Hey,

i think this is the reason for the problem:

It looks to me somehow that you web server is sending the stylesheet (or some kind of different “Not found” message with text/html instead of text/css.

I would re-check if your nginx configuration is matching the required one for ownCloud (runnig fine for me) at:

#3

Hi,

thanks for the quick answer.

I’ve copy-pasted the example configuration from the site you pointed (replacing the server name exclusively), restarted the nginx server but the same result. You can check my server (https://cloud.bdevay.duckdns.org). I don’t know how to force nginx to send the stylesheet properly if it’s the root cause at all. I was aware of the order of the PHP and CSS location (however, in the example it’s in the right order).

The only changes that nginx error log shows the following:
“2020/08/09 06:42:59 [crit] 30934#30934: *794 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 216.218.206.67, server: 0.0.0.0:443”

The nginx access log shows the many CSS request attempt but it seems successful.

Any idea?

#4

Hey,

if i’m opening the URL i’m getting the following error of Firefox presented:

Your connection is not secure

The website tried to negotiate an inadequate level of security.

cloud.bdevay.duckdns.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

opening the link with Chrome shows the following:

This site can’t be reachedThe webpage at https://cloud.bdevay.duckdns.org/ might be temporarily down or it may have moved permanently to a new web address.
ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

It looks to me there is a new problem with the SSL configuration on the web server unrelated to ownCloud which seems to match this from your log file:

Maybe you can find some information on the internet about these errors and how to configure nginx with SSL correctly for your operating system (could be possible that some of the SSL configuration in the example nginx config are too new or too old for Ubuntu 18.04).

Updates for the nginx community configuration
#5

Hey,

it seems the following page / test could also give valuable information for the SSL configuration. For example it seems there is a certificate name mismatch and some mentions of “Server negotiated HTTP/2 with blacklisted suite” there:

https://www.ssllabs.com/ssltest/analyze.html?d=cloud.bdevay.duckdns.org

#6

Wow. I was planning to fix this SSL issue after the page is available but it seems I was wrong. After fixing the security issue, everything works like charm. Thank you @tom42, you made my day :slight_smile:

1 Like