monicahq / docker

docker image of Monica
https://hub.docker.com/_/monica/
GNU General Public License v2.0
204 stars 61 forks

Rewrite or internal redirection cycle (monica:fpm) #64

Closed o-pteron closed 3 years ago

o-pteron commented 3 years ago

Hello, I really appreciate your work and I hope you can help with this issue. I think "Photos" and "Documents" in the docker monica:fpm are broken.

Photos:

Photos are "empty": screenshot

and I get errors like this:

app_1  | 172.24.0.4 -  21/Aug/2021:20:42:33 +0000 "GET /index.php" 200
web_1  | 2021/08/21 20:42:33 [error] 32#32: *91 rewrite or internal redirection cycle while internally redirecting to "/index.php/store/photos/WXG28Cm1XvswjH0IeNgfRdXzE4iUplkXddH5qAM2.jpg", client: 192.168.9.1, server: monica, request: "GET /store/photos/WXG28Cm1XvswjH0IeNgfRdXzE4iUplkXddH5qAM2.jpg HTTP/1.1", host: "m.mydomain.dk"

nginx.conf is not altered:

worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    set_real_ip_from  10.0.0.0/8;
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  192.168.0.0/16;
    real_ip_header    X-Real-IP;

    # Connect to app service
    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;

        server_name monica;

        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
        # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
        # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
        # removed from this list could take several months.
        #
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;

        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        root /var/www/html/public;

        index index.html index.htm index.php;

        charset utf-8;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ ^/(?:robots.txt|security.txt) {
            allow all;
            log_not_found off;
            access_log off;
        }

        error_page 404 500 502 503 504 /index.php;

        location ~ /\.well-known/(?:carddav|caldav) {
            return 301 $scheme://$host/dav;
        }
        location = /.well-known/security.txt {
            return 301 $scheme://$host/security.txt;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }

        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location ~ \.php$ {
            # regex to split $uri to $fastcgi_script_name and $fastcgi_path
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Check that the PHP script exists before passing it
            try_files $fastcgi_script_name =404;

            fastcgi_pass php-handler;
            fastcgi_index index.php;

            include fastcgi_params;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Bypass the fact that try_files resets $fastcgi_path_info
            # see: http://trac.nginx.org/nginx/ticket/321
            set $path_info $fastcgi_path_info;
            fastcgi_param PATH_INFO $path_info;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";

            ## HSTS ##
            # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
            # Note it is intended to have those duplicated to the ones above.
            # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
            # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
            # removed from this list could take several months.
            #
            #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;

            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;

            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$request_uri;

            # Optional: Don't log access to assets
            access_log on;
        }

        # deny access to .htaccess files
        location ~ /\.ht {
            deny all;
        }
    }
}

docker-compose.yml

version: "3.4"

services:
  app:
    image: monica:fpm
    depends_on:
      - db
    environment:
      - APP_ENV=production
      - APP_DEBUG=true
      - APP_KEY=38KOVH4VUMpATaIpyuQ1lMJaWY7lw6FM
      - HASH_SALT=7VOlCvzfDRvPhDC6NF+5HVA93Lk
      - HASH_LENGTH=18
      - APP_URL=https://m.mydomain.dk
      - APP_FORCE_URL=false
      - APP_TRUSTED_PROXIES=*
      - DB_HOST=db
      - DB_USERNAME=monica
      - DB_PASSWORD=secret
    volumes:
      - ./appdata:/var/www/html/storage
    restart: always

  web:
    build: ./web
    ports:
      - 8554:80
    depends_on:
      - app
    volumes:
      - ./webdata:/var/www/html/storage:ro
    restart: always

  db:
    image: mysql:5.7
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      - MYSQL_DATABASE=monica
      - MYSQL_USER=monica
      - MYSQL_PASSWORD=secret
    volumes:
      - ./mysqldata:/var/lib/mysql
    restart: always

I've tried running the container behind reverse proxy and local, with and without https, with docker volumes and with binds like above. Nothing works with nginx/fpm - however it works fine with apache instead. I've read that this endless loop can be fixed in nginx.conf, but that the real error resides in the app code(?)

Documents:

Documents work sometimes when uploading, but sometimes it fails, saying: "There was an error uploading the document. Please try again below." I get the same error with apache. Some files just won't upload no matter how many times you try (like "gifs_08 (1).gif"), but I can't find a pattern regarding filenames or sizes. Output from the container logs:

web_1  | 2021/08/21 20:51:56 [warn] 32#32: *178 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000015, client: 192.168.9.1, server: monica, request: "POST /people/h:5mME4pW0e2PNlDn9dv/documents HTTP/1.1", host: "m.mydomain.dk"
app_1  | 172.24.0.4 -  21/Aug/2021:20:51:56 +0000 "POST /index.php" 422
web_1  | 192.168.9.1 - - [21/Aug/2021:20:51:56 +0000] "POST /people/h:5mME4pW0e2PNlDn9dv/documents HTTP/1.1" 422 109 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" "192.168.9.1"

I hope you can help me. Thank you in advance :)

o-pteron commented 3 years ago

Also, when downloading uploaded documents I get the rewrite or internal redirection cycle error:

web_1 | 2021/08/22 06:42:58 [error] 32#32: *147 rewrite or internal redirection cycle while internally redirecting to "/index.php/store/documents/OAck3Cbste8qHJvvKsV7fNEJPV5lrn0eQwsASHbr.jpg", client: 192.168.9.1, server: monica, request: "GET /store/documents/OAck3Cbste8qHJvvKsV7fNEJPV5lrn0eQwsASHbr.jpg HTTP/1.1", host: "m.mydomain.dk"
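Both error lines above (photos and documents) describe the same loop, and from the nginx.conf posted in the first comment the loop is in the nginx routing rather than in the application. This is my reading of that config, not a statement from the maintainers. A request for /store/photos/<id>.jpg matches `location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$`; no such file exists under /var/www/html/public, so try_files redirects internally to /index.php/store/photos/<id>.jpg. That URI does not match `location ~ \.php$` (it ends in .jpg, not .php), so it lands in the image block a second time, try_files fails again and redirects to the same URI, and nginx repeats this until its internal-redirect limit, then logs "rewrite or internal redirection cycle" and returns a 500. The `error_page ... 500 ... /index.php` directive then hands the failed request to the application as a plain /index.php, which is consistent with app_1 logging `GET /index.php 200` in the same second while the browser shows an empty image. The PHP block already contains fastcgi_split_path_info and PATH_INFO handling for exactly this URI shape; only its location pattern excludes it. The fragment below is an added example, not the project's shipped config and not the reporter's file: it shows the offending pattern next to a corrected one, with the rest of the block copied from the posted config so the change is visible as a single line.

```nginx
# Before (as posted): matches only URIs that END in .php, so the internal
# redirect target /index.php/store/photos/<id>.jpg never reaches PHP-FPM and
# falls through to the image location, whose try_files redirects to the
# same target again.
#
#     location ~ \.php$ {

# After: also match .php followed by a path segment, e.g. /index.php/store/...
location ~ \.php(?:$|/) {
    # Split /index.php/store/photos/x.jpg into
    #   $fastcgi_script_name = /index.php
    #   $fastcgi_path_info   = /store/photos/x.jpg
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Only execute scripts that really exist under $document_root.
    # This guard is what keeps the wider regex safe: a request such as
    # /uploads/evil.jpg/x.php is not split (no "/" after ".php"), so
    # $fastcgi_script_name stays /uploads/evil.jpg/x.php and gets a 404
    # here instead of being handed to PHP-FPM.
    try_files $fastcgi_script_name =404;

    fastcgi_pass php-handler;
    fastcgi_index index.php;

    include fastcgi_params;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Bypass the fact that try_files resets $fastcgi_path_info
    # see: http://trac.nginx.org/nginx/ticket/321
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
}

# The asset locations stay unchanged, but they must remain BELOW the PHP
# block: nginx uses the first regex location that matches, so
# /index.php/store/photos/x.jpg has to hit the block above before it can
# hit this one.
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files $uri /index.php$request_uri;
}
```

After rebuilding the web image with the changed pattern, a request such as `curl -sI http://localhost:8554/store/photos/<id>.jpg` (port from the posted docker-compose.yml) should no longer produce the "rewrite or internal redirection cycle" line in web_1's log; whether the response is the photo, a redirect to the login page or a 404 is then decided by the application. The document upload failure is a different matter: the 422 in those log lines is returned by the application itself after the POST reached /index.php, i.e. a validation rejection, and is not caused by this routing loop.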