[Bug]: Brotli or ZSTD reverse proxy compression breaks SSO authentication in some android apps #859

@tannisroot

Bug description

I use nextcloud 31.0.6 container in combination with traefik 3.4.1 reverse proxy.
In traefik's dynamic configuration I configured a compress middleware, like so:

    compress:
      compress:
        defaultEncoding: zstd
        encodings:
          - zstd
          - br
          - gzip
        includedContentTypes:
          - "text/html"
          - "text/css"
          - "text/javascript"
          - "text/xml"
          - "text/plain"
          - "application/javascript"
          - "application/x-javascript"
          - "application/xml"
          - "application/rss+xml"
          - "application/xhtml+xml"
          - "application/vnd.ms-fontobject"
          - "application/x-font"
          - "application/x-font-opentype"
          - "application/x-font-otf"
          - "application/x-font-truetype"
          - "application/x-font-ttf"
          - "font/opentype"
          - "font/otf"
          - "font/ttf"
          - "image/svg+xml"
          - "image/x-icon"
          - "application/json"
          - "application/manifest+json"

The middleware is used as default entrypoint middleware and is applied to nextcloud.
After that, when using Login using Nextcloud Files App auth method in some Android apps, such as Nextcloud Notes, or Nextcloud News, I was getting an error (see issue nextcloud/news-android#1544).
Changing zstd to br (brotli) had no effect.
After removing "application/json" and "application/manifest+json" from the list of included content types, the issue disappeared.
I then added a new middleware (added it to the entrypoint middlewares too so that it applied to nextcloud) that set default encoding to gzip for those types instead:

    compress-gzip:
      compress:
        defaultEncoding: gzip
        encodings:
          - zstd
          - br
          - gzip
        includedContentTypes:
          - "application/json"
          - "application/manifest+json"

and with that the sign in option worked without an issue too.
I don't believe Nextcloud documents that it only supports gzip web compression, which is why I'm reporting this.

Steps to reproduce

  1. Configure Nextcloud 31.0.6 to be accessible via Traefik 3.4.1 reverse proxy
  2. Configure compress middleware with the following config:

    compress-gzip:
      compress:
        defaultEncoding: br
        encodings:
          - zstd
          - br
          - gzip
        includedContentTypes:
          - "application/json"
          - "application/manifest+json"

  3. Apply it to the nextcloud container
  4. Try Login using Nextcloud Files App login option from within Nextcloud Notes or News Android apps
  5. Get an error:
    Image

Expected behavior

Login using Nextcloud Files App works with either brotli or zstd, not just gzip, compression without an issue.

Nextcloud Server version

31

Operating system

Other

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mydomain.redacted"
        ],
        "dbtype": "pgsql",
        "version": "31.0.6.2",
        "overwrite.cli.url": "https:\/\/nextcloud.tannisroot.tech",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "user": "nextcloud",
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "allowed_admin_ranges": [
            "REDACTED"
        ],
        "loglevel": 1,
        "log_rotate_size": 10485760,
        "maintenance_window_start": 2,
        "maintenance": false,
        "filelocking.enabled": true,
        "upgrade.disable-web": true,
        "default_phone_region": "REDACTED"
    }
}

List of activated Apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.3
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.1.3
  - contactsinteraction: 1.12.0
  - cookbook: 0.11.3
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - news: 26.0.1
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.1
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - encryption: 2.19.0
  - files_external: 1.23.0
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - user_ldap: 1.22.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"No proxy configuration found","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}
{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"new parser added : FeedIo\\Standard\\Json","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}
{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"new parser added : FeedIo\\Standard\\Atom","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}
{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"new parser added : FeedIo\\Standard\\Rss","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}
{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"new parser added : FeedIo\\Standard\\Rdf","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}
{"reqId":"32vTOltEiXA8Bajf8ZVu","level":0,"time":"2025-05-21T14:56:18+00:00","remoteAddr":"CLIENT_IP_REDACTED","user":"alex","app":"news","method":"GET","url":"/index.php/apps/news/api/v1-2/version?","message":"OCA\\News\\Controller\\UtilityApiController::version returned raw data. Please wrap it in a Response or one of it's inheritors.","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"news"}}

Additional info

No response
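
A triage check for reports like this one, added here as an example and not part of the original issue or of any Nextcloud or Traefik code: it compares the Accept-Encoding a client sent with the Content-Encoding the proxy returned, following the content-coding rules of RFC 9110. The function names and the header values in the sample list are constructed for illustration.

```python
# Added example. Header values below are constructed, not captured from the issue.

def parse_accept_encoding(header):
    """Return {coding: q} for an Accept-Encoding value, or None if the header is absent."""
    if header is None:
        return None
    prefs = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        coding, _, params = item.partition(";")
        q = 1.0  # RFC 9110: a coding without a weight has q=1
        for p in params.split(";"):
            name, _, value = p.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat the coding as not acceptable
        prefs[coding.strip().lower()] = q
    return prefs


def classify(accept_encoding, content_encoding):
    """Relate the coding a response used to what the client asked for."""
    coding = (content_encoding or "identity").strip().lower()
    prefs = parse_accept_encoding(accept_encoding)
    if prefs is None:
        return "no-header"  # client stated no preference; the proxy's default decides
    if coding in prefs:
        return "offered" if prefs[coding] > 0 else "refused"
    if "*" in prefs:
        return "wildcard" if prefs["*"] > 0 else "refused"
    # An uncompressed body stays acceptable unless identity or * is given q=0.
    return "offered" if coding == "identity" else "not-offered"


if __name__ == "__main__":
    samples = [  # (request Accept-Encoding, response Content-Encoding), constructed
        ("gzip", "zstd"),
        (None, "zstd"),
        ("*", "br"),
        ("gzip, br;q=0", "br"),
        ("gzip, deflate", "gzip"),
    ]
    for sent, got in samples:
        print(f"Accept-Encoding={sent!r:18} Content-Encoding={got!r:6} -> {classify(sent, got)}")
```

A result of "no-header" or "wildcard" means the proxy chose the coding on its own, while "not-offered" or "refused" means the response used a coding the client never accepted.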
