
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy #800

Open
budimanjojo opened this issue Jul 6, 2019 · 17 comments
Labels
integration: proxy Integrating with a reverse proxy question

Comments

@budimanjojo

budimanjojo commented Jul 6, 2019

Hello, I got this in the Overview Settings.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

Currently I'm running Traefik for my reverse proxy. I tried to add these in the docker-compose.yml:

- "traefik.frontend.headers.SSLProxyHeaders=X-Forwarded-Forwarded-For:12.34.56.78||X-Real-IP:12.34.56.78||X-Forwarded-Host:mydomain.com||X-Forwarded-Proto:https"

I also added this into my traefik.toml:

[entryPoints.http.forwardedHeaders]
  trustedIPs = ["127.0.0.1/32"]

And that error is still around. I think I should go into my nextcloud container and change the config/config.php? Maybe make a new ENV variable so I don't have to modify the file inside the container manually? Thanks before.

@DatAres37

DatAres37 commented Jul 6, 2019

Not sure if I 100% understand the problem, but yes, you probably have to set 'trusted_proxies' and 'forwarded_for_headers' in your config.php if you're using a reverse proxy.
Just map the config folder to the host as a volume so it'll keep the settings: ./app/config:/var/www/html/config

Btw X-Forwarded-Forwarded-For sounds incorrect.

@Heracles31

Hi,

I also have problems with clients' IP addresses after going through my HAProxy reverse proxy.

Packet captured from the HAProxy to the server running the Nextcloud Docker container:
    172.31.0.65.10745 > 172.31.2.15.8080: Flags [P.], cksum 0x44f7 (correct), seq 1:1061, ack 1, win 513, options [nop,nop,TS val 675952469 ecr 2918894607], length 1060: HTTP, length: 1060
	GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1
	accept: application/json, text/plain, */*
	requesttoken: HIDDEN=
	user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
	accept-encoding: gzip, deflate, br
	accept-language: en-US,en;q=0.9,fr;q=0.8
	host: nextcloud.mydomain.org
	cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_music_shuffle=true; oc_music_repeat=true; oc_music_volume=78; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; _ga=GA1.2.946075303.1556416883; nc_username=HIDDEN; oc_sessionPassphrase=HIDDEN; nc_token=HIDDEN
	X-Forwarded-Proto: https
	X-Forwarded-For: 172.31.3.64

So the X-Forwarded-For tag is there and correct.

'trusted_proxies' =>
        array (
                '172.31.0.65',
                '172.17.0.1',
                '127.0.0.1',
        ),

The first IP should be enough, but doing debugging, I also added the IP address for the Docker gateway (172.17.0.1) and the loopback...

I also tried to fix the header manually, without success:

'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

I also tried to modify the remoteip module of Apache, without success. As of now, that Apache module is back to the container's default because I would rather not have to modify / fix it every time I do an upgrade.

Running the latest version of the :latest docker container...

Any idea what is wrong and why I still have this in my raw log? (The client IP is still marked as the proxy's internal IP.)

<30>Jul  6 18:10:05 nextcloud[3415]: 172.31.0.65 - HIDDEN [06/Jul/2019:22:10:05 +0000] "PROPFIND /remote.php/dav/files/HIDDEN/ HTTP/1.1" 207 1102 "-" "Mozilla/5.0 (Linux) mirall/2.5.2git (Nextcloud)"

Thanks for your help,

@DatAres37

You have to manually modify the apache2.conf in /etc/apache2/. Apache isn't logging forwarded IPs from proxies by default. Find the lines with LogFormat and replace every occurrence of %h with %{X-Forwarded-For}i.
Also try this for the header configuration:

 'forwarded_for_headers' => 
  array (
    0 => 'X-Forwarded-For',
    1 => 'HTTP_X_FORWARDED_FOR',
  ),

One should work.

@Heracles31

Hi,

Thanks for your help. Indeed, I now have the client's IP in my RAW log. Comments in the Apache conf say not to do that and I will now have to re-fix this manually every time I upgrade the container, but it is now doable...

Hope the container will be improved for this setting to survive from configs only in the config.php file...

In all cases, thanks again

@budimanjojo (Author)

budimanjojo commented Jul 7, 2019

@DatAres37 Thanks for the answer 👍 😀 Yeah a typo there in X-Forwarded-Forwarded-For and I fixed it, then I edited the file config/config.php like you guys mentioned above and the error went away. Maybe there should be a new environment variable? Like NEXTCLOUD_TRUSTED_PROXIES and NEXTCLOUD_FORWARDED_FOR_HEADER? Isn't that a more recommended practice for docker?

@njfox

njfox commented Aug 4, 2019

Maybe there should be a new environment variable? Like NEXTCLOUD_TRUSTED_PROXIES and NEXTCLOUD_FORWARDED_FOR_HEADER? Isn't that a more recommended practice for docker?

This 100%...I'm trying to migrate to Docker to simplify my setup and it would be great to be able to use envvars instead of a custom config file.

@chmanie

chmanie commented Feb 17, 2020

@budimanjojo Hey, I'm also using traefik and am getting the same error. I'm not entirely sure how to fix it yet. I added the traefik labels you mentioned but what exactly do I have to change in the config/config.php? Do I still have to edit the apache2.conf? Would I then have to restart apache somehow? Sorry for all these questions but I'm really lost here...

@budimanjojo (Author)

budimanjojo commented Feb 18, 2020

@chmanie This is what I have in my config/config.php (you need to adjust the IP addresses to your system configuration):

  'trusted_proxies' =>
  array (
    0 => '172.18.0.5',
    1 => '127.0.0.1',
    2 => '172.29.0.1',
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

If you are using traefik then just do it in traefik; you don't need to edit the apache config file. You can restart your nextcloud docker container.

@chmanie

chmanie commented Feb 18, 2020

Thanks @budimanjojo, that helped!

@ja0nz

ja0nz commented Apr 5, 2020

Just a side note to this well documented solution:
It should be sufficient to just add the docker gateway to the trusted_proxies array. That's the address which docker exposes to the internet and can be found by:
docker network inspect yourtraefiknetwork --format='{{(index .IPAM.Config 0).Gateway}}'

@jsalatiel

jsalatiel commented Apr 9, 2020

In my case I am running nextcloud container on kubernetes and I just can not get rid of that message.
My setup warning page shows me three warnings that I think somehow are related:

    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

The last two make no sense to me. It complains about /.well-known/caldav and /.well-known/carddav, but if I try to get those addresses I see they are correctly redirected to dav:

[screenshot]

[screenshot]

Concerning the "reverse proxy header" ( this issue ),

I tried to add the following to my config.php:

'trusted_proxies' =>
array (
  0 => '10.233.90.131',
  1 => '127.0.0.1',
  2 => '10.233.96.141',
),
'forwarded_for_headers' =>
array (
  0 => 'X-Forwarded-For',
  1 => 'HTTP_X_FORWARDED_FOR',
),

where 10.233.90.131 and 10.233.96.141 are my nginx ingress ips.

But that does not fix it. I am out of ideas.

If I replace index.php with a very simple file like the one below, I can see all headers.

<?php
print_r($_SERVER);
?>

Array
(
    [HTTP_AUTHORIZATION] => 
    [htaccessWorking] => true
    [front_controller_active] => true
    [PATH_INFO] => 
    [HTTP_HOST] => snc.internal.lan
    [HTTP_X_REQUEST_ID] => ddefd30062b55007ef3c4765665969cc
    **[HTTP_X_REAL_IP] => 10.27.252.1**
    **[HTTP_X_FORWARDED_FOR] => 10.27.252.1**
    [HTTP_X_FORWARDED_HOST] => snc.internal.lan
    [HTTP_X_FORWARDED_PORT] => 443
    [HTTP_X_FORWARDED_PROTO] => https
    [HTTP_X_SCHEME] => https
    [HTTP_X_ORIGINAL_FORWARDED_FOR] => 10.27.252.1, 10.27.252.1
    [HTTP_USER_AGENT] => curl/7.58.0
    [HTTP_ACCEPT] => */*
    **[HTTP_X_CLIENT_IP] => 10.27.252.1**
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    [SERVER_SIGNATURE] => <address>Apache/2.4.38 (Debian) Server at snc.internal.lan Port 80</address>
    [SERVER_SOFTWARE] => Apache/2.4.38 (Debian)
    [SERVER_NAME] => snc.internal.lan
    [SERVER_ADDR] => 10.233.96.152
    [SERVER_PORT] => 80
    **_[REMOTE_ADDR] => 10.233.90.131_**
    [DOCUMENT_ROOT] => /var/www/html
    [REQUEST_SCHEME] => http
    [CONTEXT_PREFIX] => 
    [CONTEXT_DOCUMENT_ROOT] => /var/www/html
    [SERVER_ADMIN] => webmaster@localhost
    [SCRIPT_FILENAME] => /var/www/html/index.php
    [REMOTE_PORT] => 57024
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /
    [SCRIPT_NAME] => /index.php
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1586475103.394
    [REQUEST_TIME] => 1586475103
    [argv] => Array
        (
        )
    [argc] => 0
)

We can see that [REMOTE_ADDR] is set to the proxy IP as expected, but HTTP_X_REAL_IP, HTTP_X_FORWARDED_FOR and HTTP_X_CLIENT_IP all point to my real ip.

@cfelicio

@jsalatiel thanks so much for this! I'm using IIS as a reverse proxy, and could not figure out why I was getting a warning on Nextcloud, even after configuring the options recommended on the instructions.

Turns out IIS by default will attach the port to the IP in the X-FORWARDED-FOR header, and this breaks Nextcloud. Here is how to fix it, in case anyone runs into it:

[screenshot]

By unchecking that box, IIS will only pass the IP, and then everything works.

@noci2012

noci2012 commented Feb 23, 2021

For nginx also check if these are needed...
http://nginx.org/en/docs/http/ngx_http_realip_module.html

set_real_ip_from your.local.net;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

@approached

I use traefik V2; for me this works very well:

...
  'trusted_proxies' =>
  array (
    0 => '172.0.0.0/8',
  ),
  'overwritehost'     => 'next.example.com',
  'overwriteprotocol' => 'https',

@joshtrichards added the labels question and integration: proxy (Integrating with a reverse proxy) on Oct 24, 2023
@bobpaul

bobpaul commented Feb 23, 2024

It should be sufficient to just add the docker gateway to the trusted_proxies array. That's the address which docker exposes to the internet and can be found by:
docker network inspect yourtraefiknetwork --format='{{(index .IPAM.Config 0).Gateway}}'

Whenever you docker compose down the traefik composition, docker will delete the network and it might get a different address schema when it's re-created in the future. Instead, use docker's DNS system. In my traefik compose.yaml, my traefik service is called router. When I start the service, the container is called traefik-router. My traefik network is called traefik-public. So any of the following work as FQDNs for other services to see my traefik proxy: router, router.traefik-public, traefik-router.traefik-public

So in NextCloud's config.php I set:

  'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => '127.0.0.1/8',
    2 => 'router.traefik-public',
  ),

Now it's not hardcoded to some internal network IP that I don't have control over.

@tarbib

tarbib commented Apr 27, 2024

I use traefik V2; for me this works very well:

...
  'trusted_proxies' =>
  array (
    0 => '172.0.0.0/8',
  ),
  'overwritehost'     => 'next.example.com',
  'overwriteprotocol' => 'https',

Hello, did you do it in the config/config.php file?
Thanks

@facorazza

I use traefik V2; for me this works very well:

...
  'trusted_proxies' =>
  array (
    0 => '172.0.0.0/8',
  ),
  'overwritehost'     => 'next.example.com',
  'overwriteprotocol' => 'https',

The CIDR block for the private class B network is 172.16.0.0/12. With /8 you're including public IPs, which is probably not ideal for trusted proxies.
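The cases raised across this thread (a REMOTE_ADDR that is not in trusted_proxies, IIS appending the port to X-Forwarded-For, and a /8 entry that also trusts public addresses) side by side, as an added example written for this edit and not Nextcloud's own code: it models the trusted-proxy resolution and the setup warning the way the comments above describe them. It handles IP and CIDR entries only, and the $_SERVER-style dictionaries are constructed from values posted in the thread.

```python
import ipaddress

# Constructed $_SERVER-style samples, modelled on values posted in the thread.
FROM_INGRESS = {"REMOTE_ADDR": "10.233.90.131", "HTTP_X_FORWARDED_FOR": "10.27.252.1"}
FROM_IIS = {"REMOTE_ADDR": "10.233.90.131", "HTTP_X_FORWARDED_FOR": "10.27.252.1:57024"}
NO_CONFIG = {"REMOTE_ADDR": "172.18.0.5", "HTTP_X_FORWARDED_HOST": "mydomain.com"}

def parse_ip(value):
    """Return the address for a bare IP (IPv6 brackets stripped), or None if it is not one."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        v = v[1:-1]
    try:
        return ipaddress.ip_address(v)
    except ValueError:
        return None  # "10.27.252.1:57024" (IIS with the port appended) lands here

def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if REMOTE_ADDR falls inside any IP or CIDR entry of trusted_proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # entries that are not an IP or CIDR are skipped in this model
        if addr in net:
            return True
    return False

def resolve_client_ip(server, trusted_proxies, headers=("HTTP_X_FORWARDED_FOR",)):
    """Client IP as seen by the app: first valid forwarded address, only via a trusted proxy."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if is_trusted_proxy(remote_addr, trusted_proxies):
        for header in headers:  # names are $_SERVER keys, e.g. HTTP_X_FORWARDED_FOR
            for candidate in server.get(header, "").split(","):
                ip = parse_ip(candidate)
                if ip is not None:
                    return str(ip)
    return remote_addr  # untrusted proxy, or no usable forwarded address

def proxy_header_warning(server, trusted_proxies, headers=("HTTP_X_FORWARDED_FOR",)):
    """Model of the setup check: a forwarded host with no trusted proxies configured,
    or a trusted proxy whose forwarded header yielded no usable client IP."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if not trusted_proxies and "HTTP_X_FORWARDED_HOST" in server:
        return True
    return (is_trusted_proxy(remote_addr, trusted_proxies)
            and resolve_client_ip(server, trusted_proxies, headers) == remote_addr)
```

With FROM_IIS the forwarded value fails IP validation, so the app falls back to the proxy address and the warning fires even though trusted_proxies is correct, which is exactly the symptom the IIS comment describes.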
