Describe the bug
When uploading files larger than ~8MB through HAProxy as reverse proxy with Authentik as external OIDC provider, TUS uploads fail with HTTP 403 on the second chunk. The first chunk (up to ~10MB) succeeds, but subsequent PATCH requests return 403 with transferred-bytes: 0 in the OpenCloud logs.
Steps to reproduce
Set up OpenCloud 6.0.0 rolling behind HAProxy (OPNsense 26.1) with Authentik 2026.2.1 as external OIDC provider
Log in via Authentik SSO
Upload a file larger than ~8MB via the web UI
Expected behavior
Files of any size should upload successfully via TUS chunked upload.
Actual behavior
Files smaller than ~8MB upload successfully (fallback to regular PUT/POST)
Files larger than ~8MB fail with 403 on the second TUS PATCH chunk
OpenCloud logs show: content-length: X, transferred-bytes: 0, "content length vs transferred bytes mismatch"
Browser console shows: tus: unexpected response while uploading chunk, response code: 403
The TUS JWT token contains "target":"http://localhost:9158/data/tus/..." — the internal datagateway address
Setup
OpenCloud
OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
OC_DOCKER_TAG=latest (6.0.0)
OC_DOMAIN=cloud.example.com
OC_EXCLUDE_RUN_SERVICES=idp
OC_OIDC_ISSUER=https://auth.example.com/application/o/open-cloud-web/
WEB_OIDC_CLIENT_ID=web
WEB_OIDC_SCOPE=openid profile email groups offline_access
PROXY_OIDC_REWRITE_WELLKNOWN=true
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_USER_OIDC_CLAIM=preferred_username
PROXY_USER_CS3_CLAIM=username
PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups
GRAPH_ASSIGN_DEFAULT_USER_ROLE=true
GRAPH_USERNAME_MATCH=none
Reverse Proxy
HAProxy 3.2.14 (OPNsense 26.1.5)
SSL termination at HAProxy
Backend: HTTP/1.1 to OpenCloud port 9200
Identity Provider
Authentik 2026.2.1
Additional context
The TUS JWT token always contains localhost:9158 as the internal datagateway target regardless of STORAGE_USERS_DATA_GATEWAY_URL setting
Setting STORAGE_USERS_DATA_GATEWAY_URL=https://cloud.example.com/data has no effect on the generated JWT token
The issue also occurs when bypassing HAProxy and connecting directly to OpenCloud (HTTP, port 9200), suggesting the root cause may be in OpenCloud's internal datagateway authentication rather than HAProxy
First TUS chunk succeeds with Upload-Offset 0, second chunk with Upload-Offset ~10MB fails immediately with 403
OpenCloud proxy logs show context canceled / Request Timeout when loading user roles during upload
Replaced my domain for this bug report with example.com
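Added example, not part of the original report and not OpenCloud code: a small inspector that decodes the payload of a transfer JWT like the one described above and reports where its "target" claim points. The sample token, its HS256 header, its signature and the upload id are constructed; only the "target" claim name and the localhost:9158 address come from the report. The signature is not verified, so the output is for inspection only and does not by itself establish the cause of the 403.

```python
import base64
import ipaddress
import json
from urllib.parse import urlsplit


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def is_internal_host(host: str) -> bool:
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; it is not resolved here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def inspect_transfer_token(token: str, public_host: str) -> dict:
    # "target" is the claim name quoted in the report; other claims are ignored.
    target = decode_jwt_payload(token).get("target", "")
    url = urlsplit(target)
    host = url.hostname or ""
    return {"target": target, "host": host, "port": url.port,
            "internal": is_internal_host(host),
            "matches_public_host": host == public_host}


def make_constructed_token(claims: dict) -> str:
    # Builds an unsigned-looking sample so the example runs offline.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.{enc(b'constructed')}"


SAMPLE = make_constructed_token({"target": "http://localhost:9158/data/tus/constructed-id"})
```

Calling `inspect_transfer_token(SAMPLE, "cloud.example.com")` reports host `localhost`, port `9158`, `internal: True` and `matches_public_host: False`.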