
[Bug]: Real clients' IPs behind Cloudflare issues --> forbidden access to public shares #45450

Open
l3ochan opened this issue May 22, 2024 · 6 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 29-feedback bug

Comments

@l3ochan

l3ochan commented May 22, 2024

Bug description

Hi,
I'm experiencing an issue with getting my clients' IPs back behind Cloudflare.
I was able to do everything needed with the CF_CONNECTING_IP flag.
The Apache and Nextcloud logs get the right IPs and not Cloudflare's ones.
The issue is that external share links don't work anymore.
I get an access forbidden error when I try to load a share link.
If I undo the changes I made, everything works again.

Here are the details of my install

Steps to reproduce

  1. Configure your server to get the clients' IP back with the CF_CONNECTING_IP RemoteIP header
  2. Configure Nextcloud to accept this header
  3. Make a file or folder and create a public share link
  4. Open the share link you just created in a private window

Expected behavior

Share should open displaying all files, or the file if it's a shared document

Installation method

Community Manual installation with Archive

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

<?php
$CONFIG = array (
  'instanceid' => '*REDACTED*',
  'passwordsalt' => '*REDACTED*',
  'secret' => '*REDACTED*',
  'trusted_domains' =>
  array (
    0 => '*REDACTED*'
  ),
  'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '173.245.48.0/20',
    3 => '103.21.244.0/22',
    4 => '103.22.200.0/22',
    5 => '103.31.4.0/22',
    6 => '141.101.64.0/18',
    7 => '108.162.192.0/18',
    8 => '190.93.240.0/20',
    9 => '188.114.96.0/20',
    10 => '197.234.240.0/22',
    11 => '198.41.128.0/17',
    12 => '162.158.0.0/15',
    13 => '104.16.0.0/12',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
  ),

  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/Nekocorp-User-data/*REDACTED*/data',
  'dbtype' => 'mysql',
  'version' => '29.0.0.19',
  'overwrite.cli.url' => 'http://*REDACTED*',
  'dbname' => '*REDACTED*',
  'dbhost' => '*REDACTED*',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '*REDACTED*',
  'dbpassword' => '*REDACTED*',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '127.0.0.1',
    'port' => '6379',
  ),
  'default_phone_region' => 'FR',
  'mail_from_address' => '*REDACTED*',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '*REDACTED*.fr',
  'mail_smtphost' => '*REDACTED*',
  'mail_smtpport' => '*REDACTED*',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '*REDACTED*',
  'mail_smtppassword' => '*REDACTED*',
  'app_install_overwrite' =>
  array (
    0 => 'officeonline',
    1 => 'whiteboard',
    2 => 'files_antivirus',
    3 => 'googledocsredirect',
    4 => 'apporder',
    5 => 'integration_moodle',
    6 => 'group_default_quota',
    7 => 'keeporsweep',
    8 => 'files_mindmap',
    9 => 'printer',
    10 => 'integration_whiteboard',
    11 => 'video_converter',
    12 => 'carnet',
    13 => 'caniupdate',
    14 => 'impersonate',
    15 => 'ocsms',
    16 => 'hancomoffice',
    17 => 'wopi',
    18 => 'admin_notifications',
    19 => 'pdfdraw',
    20 => 'cfg_share_links',
    21 => 'shifts',
    22 => 'richdocumentscode',
    23 => 'files_downloadactivity',
    24 => 'camerarawpreviews',
    25 => 'hibp',
    26 => 'metadata',
    27 => 'externalportal',
    28 => 'extract',
    29 => 'files_downloadlimit',
    30 => 'circles',
    31 => 'integration_ews',
    32 => 'fulltextsearch',
    33 => 'guests',
    34 => 'secrets',
    35 => 'twofactor_email',
    36 => 'user_cas',
    37 => 'workspace',
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'maintenance_window_start' => '“19”',
  'updater.release.channel' => 'stable',
  'mail_smtpsecure' => 'ssl',
);

List of activated Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - announcementcenter: 6.8.1
  - audioplayer: 3.4.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.4
  - certificate24: 0.3.1
  - cfg_share_links: 5.1.0
  - checksum: 1.2.4
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - collectives: 2.11.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.0
  - drawio: 3.0.2
  - end_to_end_encryption: 1.15.2
  - event_update_notification: 2.4.0
  - external: 5.4.0
  - externalportal: 1.3.0
  - extract: 1.3.6
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - forms: 4.2.3
  - guests: 3.1.0
  - impersonate: 1.16.0
  - integration_ews: 1.0.37
  - integration_openai: 2.0.1
  - integration_reddit: 2.0.3
  - integration_youtube: 0.2.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.6.1
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.2.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - quota_warning: 1.19.0
  - related_resources: 1.4.0
  - secrets: 1.5.2
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.12.0
  - sociallogin: 5.6.4
  - socialsharing_email: 3.1.0
  - spreed: 19.0.0
  - suspicious_login: 7.0.0
  - tables: 0.7.2
  - tasks: 0.16.0
  - terms_of_service: 2.4.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_admin: 4.5.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_email: 2.7.4
  - twofactor_nextcloud_notification: 3.9.0
  - twofactor_totp: 11.0.0-dev
  - twofactor_webauthn: 1.4.0
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - welcome: 1.1.0
  - workflowengine: 2.11.0
Disabled:
  - encryption: 2.17.0 (installed 2.16.0)
  - files_antivirus: 5.5.1 (installed 5.5.1)
  - files_external: 1.21.0 (installed 1.20.0)
  - fulltextsearch: 29.0.0 (installed 29.0.0)
  - integration_github: 2.0.7 (installed 2.0.7)
  - nextcloud_announcements: 1.18.0 (installed 1.17.0)
  - oidc: 0.8.1 (installed 0.8.1)
  - recommendations: 2.1.0 (installed 2.0.0)
  - support: 1.12.0 (installed 1.8.0)
  - survey_client: 1.17.0 (installed 1.16.0)
  - systemtags: 1.19.0 (installed 1.15.0)
  - user_ldap: 1.20.0
  - user_saml: 6.1.3 (installed 6.1.3)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"Zk3hV1GuNQSFpdV3fqo2XgAAAAs","level":3,"time":"2024-05-22T12:13:11+00:00","remoteAddr":"*REDACTED*","user":"--","app":"webdav","method":"PROPFIND","url":"/public.php/dav/files/mAzbZ9gXLMKw8Pf/","message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"29.0.0.19","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","Code":0,"Trace":[{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php","line":155,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/public.php","line":101,"args":["/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php"],"function":"require_once"}],"File":"/var/www/next.cloud.com/apps/dav/lib/Connector/Sabre/Directory.php","Line":256,"message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","exception":[],"CustomMessage":"No read permissions. This might be caused by files_accesscontrol, check your configured rules"},"id":"664de15c8803f"}

Additional info

In case it's useful to find out whether it's a problem with my configuration or a real bug, here is my apache2 config:

<VirtualHost *:80>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ServerSignature Off
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ErrorLog /var/log/apache2/*REDACTED*_error.log

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =*REDACTED*
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP
    RemoteIPTrustedProxy 127.0.0.1 ::1
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/*REDACTED*_error.log
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ServerSignature Off

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/*REDACTED*/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/*REDACTED*/privkey.pem
</VirtualHost>
@l3ochan l3ochan added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels May 22, 2024
@kesselb
Contributor

kesselb commented May 22, 2024

I see several apps in app_install_overwrite. That means those apps are enabled even if they are not declared as compatible with Nextcloud 29. You may want to go over the list and see if the apps are really compatible. There is a log message about files_accesscontrol. Is there maybe a rule configured to block access for a given file?

@l3ochan
Author

l3ochan commented May 22, 2024

I know the log line is about file access controls, but with the same link and without making any modifications to the access controls of the file, when I remove the config to get the real clients' IPs, it starts to show the files and there's no error in the logs. This is caused by the server getting IPs moved around in the header. I don't understand why it's doing this.

@joshtrichards
Member

    RemoteIPHeader CF_CONNECTING_IP
    RemoteIPTrustedProxy 127.0.0.1 ::1
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),

So you're trying to use Apache's header overrides and Nextcloud's trusted_proxies support simultaneously? Is that really what you want? Those would seem to be in conflict (or at least redundant).

@kesselb
Contributor

kesselb commented May 22, 2024

I know the log line is about file access controls, but with the same link and without making any modifications to the access controls of the file, when I remove the config to get the real clients' IPs, it starts to show the files and there's no error in the logs.

Did you configure a file_accesscontrol rule using remote address? [1]

If Nextcloud was seeing the internal IP address before and now the right one, then you may have to update existing rules.

Those would seem to be in conflict (or at least redundant).

I think that depends. If mod_remoteip rewrites the REMOTE_ADDR header, then it's not possible anymore to use the trusted proxies feature because it's already handled before.

Footnotes

  1. https://github.com/nextcloud/server/blob/master/apps/workflowengine/lib/Check/RequestRemoteAddress.php
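To make the interaction kesselb describes concrete, here is an added Python model of the decision a proxy-aware application makes when it resolves the client IP: the forwarded header is honoured only when the TCP peer (REMOTE_ADDR) is inside the trusted_proxies allowlist, and only if the header value parses as an address. This is example code written for this thread, not Nextcloud's or Apache's implementation; the function names are hypothetical, the trusted_proxies entries are copied from the config report posted above, and the client addresses 203.0.113.7 and 198.51.100.9 are constructed documentation-range samples. The third scenario goes slightly beyond the thread by showing why the allowlist matters: a peer that is not a trusted proxy cannot influence the recorded client IP by sending the header itself.

```python
import ipaddress
from typing import Mapping, Optional, Sequence, Tuple

# trusted_proxies as posted in the issue's config report (loopback plus Cloudflare ranges)
TRUSTED_PROXIES = [
    "127.0.0.1", "::1",
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]
# forwarded_for_headers as posted in the issue
FORWARDED_FOR_HEADERS = ["HTTP_CF_CONNECTING_IP"]


def peer_is_trusted(peer: str, trusted: Sequence[str]) -> bool:
    """True if the TCP peer address falls inside one of the trusted proxy entries."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    for entry in trusted:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # "127.0.0.1" becomes /32
        except ValueError:
            continue  # a malformed entry never widens trust
        if addr.version == net.version and addr in net:
            return True
    return False


def resolve_client_ip(
    peer: str,
    headers: Mapping[str, str],
    trusted: Sequence[str] = TRUSTED_PROXIES,
    forwarded: Sequence[str] = FORWARDED_FOR_HEADERS,
) -> Tuple[str, Optional[str]]:
    """Return (client_ip, header_used). Hypothetical model, not Nextcloud's code.

    The header is only consulted when the peer is a trusted proxy; otherwise
    REMOTE_ADDR is the client, whatever headers the request carries.
    """
    if not peer_is_trusted(peer, trusted):
        return peer, None
    for name in forwarded:
        raw = headers.get(name, "")
        # X-Forwarded-For style lists: the leftmost entry is the original client
        candidate = raw.split(",")[0].strip()
        if not candidate:
            continue
        try:
            return str(ipaddress.ip_address(candidate)), name
        except ValueError:
            continue  # an unparsable value is ignored rather than trusted
    return peer, None


def describe_setups() -> dict:
    """Walk through the deployments discussed in the thread (constructed addresses)."""
    cf_edge = "172.64.0.1"          # inside 172.64.0.0/13 from the list above
    client = "203.0.113.7"          # constructed client address
    stranger = "198.51.100.9"       # constructed peer that is not a proxy
    results = {}
    # 1) Nextcloud only: Cloudflare connects, PHP sees the edge IP as REMOTE_ADDR,
    #    the header is trusted and the client IP is recovered.
    results["nextcloud_only"] = resolve_client_ip(cf_edge, {"HTTP_CF_CONNECTING_IP": client})
    # 2) mod_remoteip already rewrote REMOTE_ADDR to the client before PHP ran:
    #    the peer is no longer in trusted_proxies, so the header is ignored and
    #    the Nextcloud-side setting is redundant (same result, header unused).
    results["apache_then_nextcloud"] = resolve_client_ip(client, {"HTTP_CF_CONNECTING_IP": client})
    # 3) Untrusted peer presenting the header directly: ignored, REMOTE_ADDR wins.
    results["untrusted_peer"] = resolve_client_ip(stranger, {"HTTP_CF_CONNECTING_IP": client})
    return results


if __name__ == "__main__":
    for name, (ip, used) in describe_setups().items():
        print(f"{name:22s} client={ip:15s} header_used={used}")
```

Scenario 2 is the case from the thread where both Apache's RemoteIPHeader and Nextcloud's trusted_proxies are configured: once mod_remoteip has replaced REMOTE_ADDR with the real client address, the application-level check sees a peer outside its allowlist and falls back to REMOTE_ADDR, which is already correct. The two mechanisms therefore do not fight, but only the one that runs first is actually doing the work, and its trust list is the one that needs to be right.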

@l3ochan
Author

l3ochan commented May 22, 2024

Did you configure a file_accesscontrol rule using remote address?

I did not, I don't use workflows

So you're trying to use Apache's header overrides and Nextcloud's trusted_proxies support simultaneously? Is that really what you want? Those would seem to be in conflict (or at least redundant).

I think that depends. If mod_remoteip rewrites the REMOTE_ADDR header, then it's not possible anymore to use the trusted proxies feature because it's already handled before.

So before doing anything in Nextcloud's config file I tried with Apache only and had the same issue, but regardless of whether you have both, only Apache's config or only Nextcloud's, the result is exactly the same.

UPDATE: I just tried it out and it's partially working, but I'm still getting errors in the logs; here is one

{"reqId":"Zk5R9mejtkTAmSoG5zq0jAAAAAA","level":3,"time":"2024-05-22T20:13:42+00:00","remoteAddr":"*RECACTED*","user":"Leo","app":"PHP","method":"PROPFIND","url":"/remote.php/dav/files/Leo/Cours","message":"Optional parameter $userId declared before required parameter $path is implicitly treated as a required parameter at /var/www/next.cloud.com/apps/deck/lib/Service/ConfigService.php#234","userAgent":"Mozilla/5.0 (Windows) mirall/3.13.0stable-Win64 (build 20240423) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.0.19","data":{"app":"PHP"},"id":"664e51fb7db20"}

So I only have the CF headers thingy in my Nextcloud config and it's showing the right IPs as expected, and shares started working again! But I'm still having log entries like the one above, and to my knowledge it doesn't make any sense...

@kesselb
Contributor

kesselb commented May 22, 2024

The last message will be fixed by an upcoming deck app update.
