
Error on reverse proxy header configuration after update to 28 #2130

Closed
leolivier opened this issue Dec 23, 2023 · 9 comments
Labels
needs info Additional info needed to triage question

Comments

@leolivier

Hi
Not sure if it's an image or a server issue, but after upgrading from 27 to 28 this morning, I get this error in the setup and security warnings:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. For more details see the [documentation ↗](https://docs.nextcloud.com/server/28/go.php?to=admin-reverse-proxy).

I didn't have this error yesterday.
My setup in config.php for these parameters (unchanged since yesterday):

  'trusted_proxies' =>
  array (
    0 => '192.168.1.254',
    1 => '192.168.1.8',
  ),
  'overwritehost' => 'nextcloud.<my domain>',
  'overwrite.cli.url' => 'https://nextcloud.<my domain>',
  'overwriteprotocol' => 'https',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.1.8',
    2 => 'nextcloud.<my domain>',
    3 => 'blog.<my domain>',
  ),

@TBI-NS

TBI-NS commented Dec 27, 2023

What proxy do you use?

@leolivier
Author

I'm using an apache2 proxy, and its setup is:

Define NCInternalURI http://<my internal IP>:8081

<VirtualHost *:443>
  SSLProxyEngine on
  ServerName nextcloud.<my domain>
  DocumentRoot /var/none
  ServerAdmin <my email>

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

  # enable HTTP/2, if available
  Protocols h2 http/1.1

  # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
  Header always set Strict-Transport-Security "max-age=63072000"

  CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined
  ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log

  LogLevel error ssl:warn
  ProxyPreserveHost On
  # no proxy for letsencrypt challenges
  ProxyPass "/.well-known/acme-challenge" !
  # special proxy for carddav/caldav
  ProxyPass "/.well-known/carddav" "${NCInternalURI}/remote.php/dav"
  ProxyPass "/.well-known/caldav" "${NCInternalURI}/remote.php/dav"
  ProxyPass "/.well-known/webfinger" "${NCInternalURI}/index.php/.well-known/webfinger"
  ProxyPass "/.well-known/nodeinfo" "${NCInternalURI}/index.php/.well-known/nodeinfo"

  ProxyPass "/" "${NCInternalURI}/"
  ProxyPassReverse "/" "${NCInternalURI}/"

  RequestHeader set X-Forwarded-Proto "https"
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

</VirtualHost>

@joshtrichards
Member

  'trusted_proxies' =>
  array (
    0 => '192.168.1.254',
    1 => '192.168.1.8',
  ),

What is 192.168.1.254? Is it, by chance, your nearest NAT router and not really your proxy (i.e. it doesn't belong there)?

@joshtrichards joshtrichards added question needs info Additional info needed to triage labels Dec 27, 2023
@leolivier
Author

This is my IP set-top box address (so my gateway), but it also serves as a NAT router. If you are speaking of the reverse proxy address, it's on 192.158.1.2 (actually, the same Raspberry Pi as the one running Nextcloud).
I had to add 192.168.1.254 several years ago, but I don't remember exactly why (and it used to work with previous versions).
I will try to remove the gateway from the list and see if it works...

@leolivier
Author

I tested removing the gateway from the list, leaving only:

   'trusted_proxies' =>
   array (
     0 => '192.168.1.8',
   ),

and the error disappeared, and it looks like I can log in from both my internal network and from my smartphone on 5G.

But, I still don't get why it used to work and it doesn't anymore.
Is it a breaking change in Nextcloud server 28 or in the image? I don't know...
Anyway, thanks a lot @joshtrichards

@joshtrichards
Member

But, I still don't get why it used to work and it doesn't anymore.
Is it a breaking change in nextcloud server 28 or in the image, I don't know...

The checks may have gotten better. They were migrated to a newer API recently and I haven't reviewed the latest iteration in-depth. The configuration situation you just described technically would have always been an issue, but maybe just wasn't detected previously. Glad it's working cleanly for you!
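
As an added illustration (not Nextcloud's own code and not posted by anyone in this thread), here is a simplified Python model of how a trusted-proxy list decides which address counts as the client, and of the setup check that produced the warning: it fires when the resolved client address is itself listed as a trusted proxy. It reuses the addresses from the issue, assumes Apache's mod_proxy_http appends the peer address as X-Forwarded-For (its default behaviour), and uses constructed TEST-NET addresses for outside clients. The hop-selection rule is the usual right-to-left walk; Nextcloud's exact rules may differ in detail.

```python
import ipaddress
from typing import Optional

# Added illustration of trusted-proxy handling; a simplified model, not Nextcloud's code.
# Addresses reuse the issue's config; 203.0.113.7 and 198.51.100.9 are constructed
# TEST-NET addresses standing in for outside clients.


def _is_trusted(ip: str, trusted_proxies: list) -> bool:
    """True if ip falls inside any entry of trusted_proxies (plain IPs or CIDR ranges)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def resolve_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: list) -> str:
    """Return the client address the application should act on.

    X-Forwarded-For is believed only when the TCP peer (REMOTE_ADDR) is a trusted
    proxy. Hops are then walked right-to-left (RFC 7239 order): the rightmost hop
    that is not itself a trusted proxy is the client. If every hop is a trusted
    proxy, the leftmost hop is the farthest address we can see.
    """
    if not _is_trusted(remote_addr, trusted_proxies) or not xff:
        return remote_addr
    valid = []
    for hop in (h.strip() for h in xff.split(",")):
        try:
            ipaddress.ip_address(hop)
            valid.append(hop)
        except ValueError:
            continue  # ignore malformed entries
    if not valid:
        return remote_addr
    for hop in reversed(valid):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return valid[0]


def reverse_proxy_check(remote_addr: str, xff: Optional[str], trusted_proxies: list):
    """Model of the setup check: warn when the resolved client is itself a trusted proxy.

    That happens when an address in trusted_proxies is really a client (the NAT
    gateway in this issue) rather than a proxy that rewrites the header.
    Returns (resolved client address, warning raised?).
    """
    client = resolve_client_ip(remote_addr, xff, trusted_proxies)
    return client, _is_trusted(client, trusted_proxies)


PROXY = "192.168.1.8"        # Apache reverse proxy (same host as Nextcloud)
GATEWAY = "192.168.1.254"    # ISP box / NAT router; not a proxy
ORIGINAL = [GATEWAY, PROXY]  # trusted_proxies before the fix
FIXED = [PROXY]              # trusted_proxies after the fix

# (REMOTE_ADDR seen by Nextcloud, X-Forwarded-For it receives)
SCENARIOS = {
    # Outside client through Apache; mod_proxy_http appends the peer address.
    "internet client via proxy": (PROXY, "203.0.113.7"),
    # LAN client using the public name: hairpin NAT makes the router Apache's peer.
    "lan client via hairpin nat": (PROXY, GATEWAY),
    # A header presented from the gateway's own address, with no proxy rewriting it.
    "header from gateway address": (GATEWAY, "198.51.100.9"),
}


def run_all(trusted_proxies: list) -> dict:
    """Evaluate every scenario under one trusted_proxies list."""
    return {name: reverse_proxy_check(peer, xff, trusted_proxies)
            for name, (peer, xff) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for name, (client, warn) in run_all(cfg).items():
            print(f"{label:8} {name:30} client={client:15} warning={warn}")
```

With the gateway in the list, the hairpin-NAT case resolves the admin's own session to 192.168.1.254, which is a "trusted proxy", so the check warns; with only 192.168.1.8 listed, the same session resolves to the gateway as an ordinary client and no warning is raised. The third scenario shows why the check exists: while the gateway was trusted, a forwarded header arriving from that address was believed as-is, whereas the corrected list ignores it and keeps the peer address.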

@leolivier
Author

Here is the reason why I added the gateway in the list of trusted proxies:
[screenshot attached in the original issue]

How can I get rid of this issue without doing it this way?

@joshtrichards
Member

@leolivier It looks like you have the optional suspicious_login app enabled. Maybe simply disable it if you're not using it? Otherwise it's theoretically just doing what it's supposed to: https://github.com/nextcloud/suspicious_login I suggest following up there or on the Nextcloud Help Forum - https://help.nextcloud.com

@leolivier
Author

Thanks @joshtrichards, it looks like it's a default application, set up by Nextcloud at install since v25, as explained in https://github.com/nextcloud/suspicious_login
I deactivated it.
