I have been trying day and night, but cannot find a solution to the following problem:
Nextcloud refuses to use the X-Forwarded-... headers (-For, -Proto & -Host) when run behind an NGINX reverse proxy (also in docker).
My setup:
Host: Ubuntu 20.04 LTS
Docker & docker-compose both latest (fresh install)
compose.yml (also have nextcloud-cron and redis, but not shown for length):
Note APACHE_DISABLE_REWRITE_IP=1 as per https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
In nginx.conf the following headers are set:
And the nextcloud config.php relevant lines:
What I have checked to make sure the NGINX reverse proxy passes the correct headers:
I have replaced index.php in /var/www/html/nextcloud with the following content to view the headers received by Nextcloud (inspired by #800 (comment)):
```php
<?php
print_r($_SERVER);
?>
```
Results in the correct HTTP_X_FORWARDED_... headers being passed to Nextcloud:
Now my question: why does Nextcloud not honor the headers as it should per its config?
Any other container I run behind my NGINX proxy works like a charm with the headers. Just Nextcloud is being a, well, you know...
See https://github.com/nextcloud/server/blob/9de329a4c2327767d86bd7f594b232eb56af0d01/lib/private/AppFramework/Http/Request.php#L692? for the relevant server code that should auto-configure using the headers.
And before anyone mentions it:
Yes, I know I can set the OVERWRITEPROTOCOL=https environment variable, but that doesn't fix the problem of Nextcloud not using the X-Forwarded-For header to get the client IP. Only 'make-shift' solution so far is to remove APACHE_DISABLE_REWRITE_IP, and in remoteip.conf make some sketchy edits with RemoteIPInternalProxy etc, see https://help.nextcloud.com/t/how-to-get-the-real-ips-in-logs/83096/31
Sooooo, who can help me pinpoint the problem? Might be me doing something stupid, might be something wrong with the nextcloud:apache containers, might be something wrong entirely different. I just do not know where to look anymore for a solution...
EDIT:
Sooo, I found that adding the IP address of the NGINX-container instead of nginx-proxy solves the problem:
Changed to:
(192.168.160.4 is the IP of my nginx-proxy container, this changes every time you start the docker containers)
I do not understand why, since in other containers I can happily use nginx-proxy instead of an ever-varying IP address whenever docker containers are down (e.g. for backups).
So the question would be: how can I configure the 'trusted_proxies' config that it dynamically points to the nginx-proxy container? Note that whitelisting the entire 192.XXX range is not a solution; due to hairpin routing all internal traffic is logged as the router IP address (ISP router, non-configurable :( ).
EDIT2:
Problem comes from:
in https://github.com/nextcloud/server/blob/9de329a4c2327767d86bd7f594b232eb56af0d01/lib/private/AppFramework/Http/Request.php#L607.
It does not first resolve the trusted_proxy name, just CIDR comparison or literal IP-comparison.
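The behaviour described in EDIT2, as an added example (not part of the original issue and not Nextcloud's own code): a simplified PHP model of a trusted-proxy check that compares `REMOTE_ADDR` against literal IPs and IPv4 CIDR ranges without resolving names, so the entry `nginx-proxy` never matches and the forwarded header is ignored. The function names, the `192.168.160.0/24` subnet, the client address and the assumption that the proxy appends the peer address to `X-Forwarded-For` are all made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nextcloud's Request.php: a simplified model of a
// trusted-proxy check that only does literal-IP and IPv4 CIDR comparison.

/** True if $remoteAddr equals $entry or falls inside the IPv4 CIDR $entry. */
function matchesTrustedProxy(string $entry, string $remoteAddr): bool
{
    if (strpos($entry, '/') === false) {
        // Literal comparison: a name such as "nginx-proxy" is never resolved,
        // so it can never equal the peer address PHP sees in REMOTE_ADDR.
        return $entry === $remoteAddr;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $netLong = ip2long($net);
    $ipLong = ip2long($remoteAddr);
    if ($netLong === false || $ipLong === false || !ctype_digit($bits) || (int)$bits > 32) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($netLong & $mask) === ($ipLong & $mask);
}

/** Client address to log: X-Forwarded-For is believed only from a trusted peer. */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    foreach ($trustedProxies as $entry) {
        if (!matchesTrustedProxy($entry, $peer)) {
            continue;
        }
        // The rightmost entry is the one the trusted proxy appended itself;
        // anything to its left was supplied by the client.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
        $last = end($hops);
        return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $peer;
    }
    return $peer; // untrusted peer: header ignored, a client cannot set its own logged address
}

// Constructed request: proxy container at 192.168.160.4 (the IP from the post),
// client 203.0.113.7, plus a client-supplied leftmost X-Forwarded-For value.
$server = ['REMOTE_ADDR' => '192.168.160.4',
           'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 203.0.113.7'];
foreach ([['nginx-proxy'], ['192.168.160.4'], ['192.168.160.0/24']] as $trusted) {
    printf("%-20s => %s\n", $trusted[0], clientIp($server, $trusted));
}
```

With a check of this shape, the only entry that keeps matching when the proxy container's IP changes on restart is a CIDR range limited to the Docker network the proxy is attached to.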