Old topic, I know, but this install is beating me; I’ve spent the past day trying to work it out. I’ve done this before, but it was a couple of years back, so I know it’s vaguely possible (and recall it being a PITA then).
I have the latest TrueNAS (25.04.2.3) and installed Tailscale to remotely access it (App Version: v1.86.5) and then Nextcloud (App Version: v31.0.8, Version: v2.0.25), and it worked perfectly fine over the Tailscale IP; I was able to log in and configure a few things.
Then I added cloudflared to be able to give my friend access (the whole idea of this box: give her cloud storage to replace her Google and iCloud subscriptions; I intend to sync the contents of this NAS back to my own, which in turn syncs to a cloud backup, so data security will be relatively good). And here’s where I’m struggling.
I’ve updated the “host” in Application Info > Edit to be my Cloudflare tunnel domain; if I use the shell to view config.php I can see it’s in there, and I added the OVERWRITEHOST and OVERWRITECLIURL environment variables as read elsewhere.
So I can see the Nextcloud splash page when I punch the domain in, but no login box. I can still access it over the Tailscale IP and remain logged in. If I try the mobile app it redirects to a browser and shows:
<edit, can’t embed images>
Which is at least more than I get going directly with a browser; however, as you can see, the login button is greyed out, and clicking “Alternative log in using app password” does nothing.
Log files generated whilst this happens:
2025-09-09 01:38:46.166852+00:00127.0.0.1 (-) - - [09/Sep/2025:01:38:46 +0000] "GET /status.php HTTP/1.1" 200 1097 "-" "curl/8.14.1"
2025-09-09 01:38:49.263000+00:00172.16.2.7 (127.0.0.1) - - [09/Sep/2025:01:38:49 +0000] "GET /status.php HTTP/1.1" 200 1097 "-" "curl/7.88.1"
2025-09-09 01:39:16.114115+00:00fdd0:0:0:2::7 (172.16.2.1) - - [09/Sep/2025:01:39:16 +0000] "GET /status.php HTTP/1.1" 200 1097 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.32.3"
2025-09-09 01:39:16.283493+00:00127.0.0.1 (-) - - [09/Sep/2025:01:39:16 +0000] "GET /status.php HTTP/1.1" 200 1097 "-" "curl/8.14.1"
2025-09-09 01:39:17.255698+00:00172.16.2.7 (172.16.2.1) - - [09/Sep/2025:01:39:16 +0000] "HEAD /remote.php/dav HTTP/1.1" 401 1437 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.32.3"
2025-09-09 01:39:18.921270+00:00fdd0:0:0:2::7 (172.16.2.1) - - [09/Sep/2025:01:39:17 +0000] "POST /index.php/login/v2 HTTP/1.1" 200 2006 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.32.3"
2025-09-09 01:39:19.372973+00:00172.16.2.7 (127.0.0.1) - - [09/Sep/2025:01:39:19 +0000] "GET /status.php HTTP/1.1" 200 1097 "-" "curl/7.88.1"
2025-09-09 01:39:20.687633+00:00fdd0:0:0:2::7 (172.16.2.1) - - [09/Sep/2025:01:39:19 +0000] "GET /login/v2/flow/uAVs0PZ8JmDWQMdZ79epvPJhUDdeUXBd1zW8tjDCwvjIZ0Rank1PsjTHg08utJYPRVDpnMZ3N9C2jcldkguq82ESeyzrjjjs2LxDmBWHOk9Uh0eMMaeQ0U0fQwDpuPK5 HTTP/1.1" 303 1569 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
2025-09-09 01:39:20.874716+00:00172.16.2.7 (172.16.2.1) - - [09/Sep/2025:01:39:20 +0000] "GET /login/v2/flow?user=&direct=0 HTTP/1.1" 200 8194 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
The app was freshly downloaded from the Play Store yesterday, so it’s up to date.
<edit, can’t embed images>
When I visit the domain in a browser, it redirects to /login, without offering a login prompt, and generates these logs:
2025-09-09 01:15:16.021572+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:15 +0000] "GET /login HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.210138+00:00172.16.2.6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=31485234 HTTP/1.1" 200 2090 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.219852+00:00172.16.2.6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/dark.css?plain=1&v=31485234 HTTP/1.1" 200 2004 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.236539+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=31485234 HTTP/1.1" 200 1137 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.244431+00:00172.16.2.6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=31485234 HTTP/1.1" 200 2111 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.247653+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=31485234 HTTP/1.1" 200 2094 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.253810+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/light.css?plain=1&v=31485234 HTTP/1.1" 200 2013 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.256063+00:00172.16.2.6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/default.css?plain=1&v=31485234 HTTP/1.1" 200 2013 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.260521+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=31485234 HTTP/1.1" 200 2074 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.271163+00:00172.16.2.6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/light.css?plain=0&v=31485234 HTTP/1.1" 200 2027 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
2025-09-09 01:15:16.299105+00:00fdd0:0:0:2::6 (172.16.2.1) - - [09/Sep/2025:01:15:16 +0000] "GET /apps/theming/theme/dark.css?plain=0&v=31485234 HTTP/1.1" 200 2016 "https://cloudflare.domain DOT com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
Cloudflare settings are:
Type: HTTPS
URL: :30027
No TLS Verify: On
config.php is:
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    'password' => '<snip>',
    'port' => 6379,
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => '<snip>',
  'secret' => '<snip>',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '31.0.8.1',
  'overwrite.cli.url' => 'https://<cloudflare.domain DOT com>',
  'overwritehost' => '<cloudflare.domain DOT com>',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^(?!192\\.168\\.|10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])).*$',
  'dbname' => 'nextcloud',
  'dbhost' => 'postgres:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '<snip>',
  'dbpassword' => '<snip>',
  'installed' => true,
  'instanceid' => 'oczfwem84k4v',
  'memories.db.triggers.fcu' => true,
  'memories.exiftool' => '/var/www/html/custom_apps/memories/bin-ext/exiftool-amd64-glibc',
  'memories.vod.path' => '/var/www/html/custom_apps/memories/bin-ext/go-vod-amd64',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Image',
    1 => 'OC\\Preview\\HEIC',
    2 => 'OC\\Preview\\TIFF',
  ),
  'maintenance' => false,
  'loglevel' => 2,
  'forbidden_filename_basenames' =>
  array (
    0 => 'con',
    1 => 'prn',
    2 => 'aux',
    3 => 'nul',
    4 => 'com0',
    5 => 'com1',
    6 => 'com2',
    7 => 'com3',
    8 => 'com4',
    9 => 'com5',
    10 => 'com6',
    11 => 'com7',
    12 => 'com8',
    13 => 'com9',
    14 => 'com¹',
    15 => 'com²',
    16 => 'com³',
    17 => 'lpt0',
    18 => 'lpt1',
    19 => 'lpt2',
    20 => 'lpt3',
    21 => 'lpt4',
    22 => 'lpt5',
    23 => 'lpt6',
    24 => 'lpt7',
    25 => 'lpt8',
    26 => 'lpt9',
    27 => 'lpt¹',
    28 => 'lpt²',
    29 => 'lpt³',
  ),
  'forbidden_filename_characters' =>
  array (
    0 => '<',
    1 => '>',
    2 => ':',
    3 => '"',
    4 => '|',
    5 => '?',
    6 => '*',
    7 => '\\',
    8 => '/',
  ),
  'forbidden_filename_extensions' =>
  array (
    0 => ' ',
    1 => '.',
    2 => '.filepart',
    3 => '.part',
  ),
  'preview_imaginary_url' => 'http://imaginary:9000',
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '192.168.0.0/16',
    2 => '172.16.0.0/12',
    3 => '10.0.0.0/8',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauth' => true,
  'mail_from_address' => '<snip>',
  'mail_domain' => '<snip>',
  'mail_smtphost' => '<snip>',
  'mail_smtpport' => '465',
  'mail_smtpname' => '<snip>',
  'mail_smtppassword' => '<snip>',
  'trusted_domains' =>
  array (
    0 => '<tailscaleIP>',
    1 => '127.0.0.1',
    2 => '<cloudflare.domain DOT com>',
    3 => 'localhost',
    4 => 'nextcloud',
  ),
);
I read in another thread about:
'overwrite.cli.url' => 'https://<cloudflare.domain DOT com>',
'overwritehost' => '<cloudflare.domain DOT com>',
'overwriteprotocol' => 'https',
'overwritecondaddr' => '^(?!192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])).*$',
So I tried those in there.
I feel I’ve been through every topic on this that DuckDuckGo will bring up and am still not inching forward. I’ve lost the ability to log in via the Tailscale IP now that I’ve made all these changes; it redirects to the Cloudflare domain, which is what I want, I just want a damned login prompt to come up instead of just the background wallpaper…
I do get the following console errors on the login page:
Refused to load the script 'https://<cloudflare.domain DOT com>/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 'nonce-OwJM8T43VT+IzAA0AH+xc3IyRQBOx+LSU1qmhZhJLAk='".
Which seems weird: its own CSP is blocking a script which appears to have a valid nonce…
All apps are from the standard TrueNAS Discover apps, no additional catalogues loaded (like Scale).
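The console error quoted above is a script-src-elem decision, and the way a browser makes it is worth seeing in code: the nonce in the policy must appear on the script element itself, and with 'strict-dynamic' present the host allow-list is ignored, so a parser-inserted script with no nonce attribute is refused whatever origin it comes from. The following is an added example (not Nextcloud's or Cloudflare's code) that models that decision; the policy string is the one from the error, cloud.example.invalid is a placeholder for the tunnel domain, and the sample script URLs are constructed.

```python
from urllib.parse import urlparse

# script-src-elem directive copied from the console error; the nonce is the one
# Nextcloud generated for that single response, so here it is a fixed constant.
POLICY = ("script-src-elem 'strict-dynamic' "
          "'nonce-OwJM8T43VT+IzAA0AH+xc3IyRQBOx+LSU1qmhZhJLAk='")
NONCE = "OwJM8T43VT+IzAA0AH+xc3IyRQBOx+LSU1qmhZhJLAk="
ORIGIN = "https://cloud.example.invalid"  # placeholder for the tunnel domain
# Rocket Loader is written into the HTML by Cloudflare on the way through the tunnel,
# so from the browser's point of view it is a parser-inserted element without a nonce.
ROCKET = f"{ORIGIN}/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js"

def parse_directive(policy):
    """Split one CSP directive into nonces, keyword flags and host/scheme sources."""
    _name, *sources = policy.split()
    return {
        "nonces": {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")},
        "strict_dynamic": "'strict-dynamic'" in sources,
        "self": "'self'" in sources,
        "hosts": [s for s in sources if not s.startswith("'")],
    }

def host_allowed(src, hosts, allow_self, origin):
    """Host/scheme matching; browsers consult this only when 'strict-dynamic' is absent."""
    u = urlparse(src)
    if allow_self and f"{u.scheme}://{u.netloc}" == origin:
        return True
    for h in hosts:
        if h.endswith(":") and u.scheme == h[:-1]:          # scheme-source such as https:
            return True
        hn = urlparse(h if "://" in h else f"{u.scheme}://{h}").hostname or ""
        if hn == u.hostname or (hn.startswith("*.") and u.hostname.endswith(hn[1:])):
            return True
    return False

def script_allowed(policy, src, nonce=None, parser_inserted=True, origin=ORIGIN):
    """Decide whether a <script src=...> element passes script-src-elem; returns (bool, why)."""
    d = parse_directive(policy)
    if nonce and nonce in d["nonces"]:
        return True, "nonce on the element matches the policy"
    if d["strict_dynamic"]:
        if not parser_inserted:
            return True, "'strict-dynamic': created by already-trusted script"
        return False, "'strict-dynamic' ignores host lists; element has no matching nonce"
    if host_allowed(src, d["hosts"], d["self"], origin):
        return True, "host/scheme source matches"
    return False, "no nonce and no matching host source"

if __name__ == "__main__":
    print("rocket-loader:", script_allowed(POLICY, ROCKET))
    print("nextcloud js: ", script_allowed(POLICY, f"{ORIGIN}/core/js/main.js", nonce=NONCE))
```

Running it shows the injected script refused and Nextcloud's own nonce-bearing script accepted from the very same origin, which is the whole point of a nonce-based policy: trust is attached to the element, not to the host.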