Docker: The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy

Created on 6 Jul 2019 · 12 Comments · Source: nextcloud/docker

Hello, I got this in the Overview Settings.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

Currently I'm running Traefik for my reverse proxy. I tried to add these in the docker-compose.yml:

- "traefik.frontend.headers.SSLProxyHeaders=X-Forwarded-Forwarded-For:12.34.56.78||X-Real-IP:12.34.56.78||X-Forwarded-Host:mydomain.com||X-Forwarded-Proto:https"

I also added this into my traefik.toml:

[entryPoints.http.forwardedHeaders]
  trustedIPs = ["127.0.0.1/32"]

And that error is still around. I think I should go into my Nextcloud container and change config/config.php? Maybe make a new ENV variable so I don't have to modify the file inside the container manually? Thanks in advance.


All 12 comments

Not sure if I 100% understand the problem, but yes you probably have to set 'trusted_proxies' and 'forwarded_for_headers' in your config.php if you're using a reverse proxy.
Just map the config folder to the host as a volume so it'll keep the settings: ./app/config:/var/www/html/config

Btw X-Forwarded-Forwarded-For sounds incorrect.

Hi,

I also have problems with clients' IP addresses after going through my HAProxy reverse proxy.

Packet captured from the HAProxy to the server running the Nextcloud Docker container :
    172.31.0.65.10745 > 172.31.2.15.8080: Flags [P.], cksum 0x44f7 (correct), seq 1:1061, ack 1, win 513, options [nop,nop,TS val 675952469 ecr 2918894607], length 1060: HTTP, length: 1060
    GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1
    accept: application/json, text/plain, */*
    requesttoken: HIDDEN=
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9,fr;q=0.8
    host: nextcloud.mydomain.org
    cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_music_shuffle=true; oc_music_repeat=true; oc_music_volume=78; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; _ga=GA1.2.946075303.1556416883; nc_username=HIDDEN; oc_sessionPassphrase=HIDDEN; nc_token=HIDDEN
    X-Forwarded-Proto: https
    X-Forwarded-For: 172.31.3.64

So the X-Forwarded-For tag is there and correct.

'trusted_proxies' =>
        array (
                '172.31.0.65',
                '172.17.0.1',
                '127.0.0.1',
        ),

The first IP should be enough, but while debugging I also added the IP address of the Docker gateway (172.17.0.1) and the loopback...

I also tried to fix the header manually, without success :

'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

I also tried to modify the remoteip module of Apache, without success. As of now, that Apache module is back to the container's default because I would rather not have to modify / fix it every time I do an upgrade.

Running the latest version of the :latest docker container...

Any idea what is wrong and why I still have this in my raw log? (The client IP is still logged as the proxy's internal IP.)

<30>Jul  6 18:10:05 nextcloud[3415]: 172.31.0.65 - HIDDEN [06/Jul/2019:22:10:05 +0000] "PROPFIND /remote.php/dav/files/HIDDEN/ HTTP/1.1" 207 1102 "-" "Mozilla/5.0 (Linux) mirall/2.5.2git (Nextcloud)"

Thanks for your help,

You have to manually modify the apache2.conf in /etc/apache2/. Apache isn't logging forwarded IPs from proxies by default. Find the lines with LogFormat and replace every occurrence of %h with %{X-Forwarded-For}i.
Also try this for the header configuration:

 'forwarded_for_headers' => 
  array (
    0 => 'X-Forwarded-For',
    1 => 'HTTP_X_FORWARDED_FOR',
  ),

One should work.

Hi,

Thanks for your help. Indeed, I now have the client's IP in my RAW log. Comments in the Apache conf say not to do that and I will now have to re-fix this manually every time I upgrade the container, but it is now doable...

Hope the container will be improved for this setting to survive from configs only in the config.php file...

In all cases, thanks again

@DatAres37 Thanks for the answer :+1: :grinning: Yeah, there was a typo in X-Forwarded-Forwarded-For and I fixed it, then I edited config/config.php as you mentioned above and the error went away. Maybe there should be a new environment variable? Like NEXTCLOUD_TRUSTED_PROXIES and NEXTCLOUD_FORWARDED_FOR_HEADER? Isn't that the more recommended practice for Docker?

Maybe there should be a new environment variable? Like NEXTCLOUD_TRUSTED_PROXIES and NEXTCLOUD_FORWARDED_FOR_HEADER? Isn't that a more recommended practice for docker?

This 100%...I'm trying to migrate to Docker to simplify my setup and it would be great to be able to use envvars instead of a custom config file.

@budimanjojo Hey, I'm also using traefik and am getting the same error. I'm not entirely sure how to fix it yet. I added the traefik labels you mentioned but what exactly do I have to change in the config/config.php? Do I still have to edit the apache2.conf? Would I then have to restart apache somehow? Sorry for all these questions but I'm really lost here...

@chmanie This is what I have in my config/config.php (you need to adapt the IP addresses to your system configuration):

  'trusted_proxies' =>
  array (
    0 => '172.18.0.5',
    1 => '127.0.0.1',
    2 => '172.29.0.1',
  ),
  // key is forwarded_for_headers (underscores); values are $_SERVER names, not wire header names
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

If you are using Traefik then just do it in Traefik; you don't need to edit the Apache config file. You can restart your Nextcloud Docker container.

Thanks @budimanjojo, that helped!

_Just a side note to this well documented solution:_
It should be sufficient to just add the Docker gateway to the trusted_proxies array. That's the address which Docker exposes to the internet, and it can be found by:
docker network inspect yourtraefiknetwork --format='{{(index .IPAM.Config 0).Gateway}}'

In my case I am running the Nextcloud container on Kubernetes and I just cannot get rid of that message.
My setup warning page shows me three warnings that I think somehow are related:

    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

The last two make no sense to me. It complains about /.well-known/caldav and /.well-known/carddav, but if I try to get those addresses I see they are being correctly redirected to dav:

[screenshots of the /.well-known/caldav and /.well-known/carddav redirects not reproduced]

Concerning the "reverse proxy header" (this issue),

I tried to add the following to my config.php

'trusted_proxies' =>
array (
  0 => '10.233.90.131',
  1 => '127.0.0.1',
  2 => '10.233.96.141',
),
// key must be forwarded_for_headers (underscores); entries are $_SERVER names
'forwarded_for_headers' =>
array (
  0 => 'X-Forwarded-For',
  1 => 'HTTP_X_FORWARDED_FOR',
),

where 10.233.90.131 and 10.233.96.141 are my nginx ingress ips.

But that does not fix it. I am out of ideas.

If I replace index.php with a very simple file like the one below, I can see all headers.

<?php
print_r($_SERVER);
?>

(
    [HTTP_AUTHORIZATION] => 
    [htaccessWorking] => true
    [front_controller_active] => true
    [PATH_INFO] => 
    [HTTP_HOST] => snc.internal.lan
    [HTTP_X_REQUEST_ID] => ddefd30062b55007ef3c4765665969cc
    [HTTP_X_REAL_IP] => 10.27.252.1
    [HTTP_X_FORWARDED_FOR] => 10.27.252.1
    [HTTP_X_FORWARDED_HOST] => snc.internal.lan
    [HTTP_X_FORWARDED_PORT] => 443
    [HTTP_X_FORWARDED_PROTO] => https
    [HTTP_X_SCHEME] => https
    [HTTP_X_ORIGINAL_FORWARDED_FOR] => 10.27.252.1, 10.27.252.1
    [HTTP_USER_AGENT] => curl/7.58.0
    [HTTP_ACCEPT] => */*
    [HTTP_X_CLIENT_IP] => 10.27.252.1
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    [SERVER_SIGNATURE] => <address>Apache/2.4.38 (Debian) Server at snc.internal.lan Port 80</address>
    [SERVER_SOFTWARE] => Apache/2.4.38 (Debian)
    [SERVER_NAME] => snc.internal.lan
    [SERVER_ADDR] => 10.233.96.152
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 10.233.90.131
    [DOCUMENT_ROOT] => /var/www/html
    [REQUEST_SCHEME] => http
    [CONTEXT_PREFIX] => 
    [CONTEXT_DOCUMENT_ROOT] => /var/www/html
    [SERVER_ADMIN] => webmaster@localhost
    [SCRIPT_FILENAME] => /var/www/html/index.php
    [REMOTE_PORT] => 57024
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /
    [SCRIPT_NAME] => /index.php
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1586475103.394
    [REQUEST_TIME] => 1586475103
    [argv] => Array
        (
        )
    [argc] => 0
)

We can see that [REMOTE_ADDR] is set to the proxy IP as expected, but HTTP_X_REAL_IP, HTTP_X_FORWARDED_FOR and HTTP_X_CLIENT_IP all point to my real ip.

@jsalatiel thanks so much for this! I'm using IIS as a reverse proxy, and could not figure out why I was getting a warning on Nextcloud, even after configuring the options recommended on the instructions.

Turns out IIS by default will attach the port to the IP in X-Forwarded-For, and this breaks Nextcloud. Here is how to fix it, in case anyone runs into it:

[screenshot of the IIS proxy setting not reproduced]

By unchecking that box, IIS will only pass the IP, and then everything works.
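The questions that run through this thread (which TCP peer is trusted, why the config key must be spelled forwarded_for_headers with $_SERVER-style names such as HTTP_X_FORWARDED_FOR, how a multi-hop value like the "10.27.252.1, 10.27.252.1" seen in the $_SERVER dump above is read, and why an IIS-style "ip:port" value fails) can be reproduced offline. The script below is an added example written for this page, not Nextcloud's own code. It models the documented rule that forwarded headers are honoured only when REMOTE_ADDR is a trusted proxy; the function names, the CIDR matching (so a whole Docker network can be trusted), the port stripping, and every sample address are this example's own assumptions, not behaviour the thread confirms for Nextcloud itself.

```python
"""Model of how a reverse-proxy-aware application decides which IP a request
came from. Added example for this page; not Nextcloud's code. Function names,
CIDR support, port stripping and all sample addresses are assumptions."""
import ipaddress
from typing import Iterable, Mapping, Optional

# Nextcloud's documented default for forwarded_for_headers.
DEFAULT_FORWARDED_HEADERS = ("HTTP_X_FORWARDED_FOR",)


def _is_trusted_proxy(remote_addr: str, trusted_proxies: Iterable[str]) -> bool:
    """True if REMOTE_ADDR matches a trusted_proxies entry (plain IP or CIDR)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # a malformed entry must not widen trust
    return False


def _parse_forwarded_ip(candidate: str) -> Optional[str]:
    """Normalise one element of a forwarded header to a bare IP, or None.

    Accepts '[IPv6]', '[IPv6]:port' and the 'IPv4:port' form that the IIS
    comment above describes. Anything that is not an IP is rejected, never
    passed through into logs or access-control decisions.
    """
    value = candidate.strip()
    if value.startswith("[") and "]" in value:   # [IPv6] or [IPv6]:port
        value = value[1:value.index("]")]
    elif value.count(":") == 1:                  # IPv4:port
        value = value.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def client_ip(server: Mapping[str, str], trusted_proxies: Iterable[str],
              forwarded_for_headers: Iterable[str] = DEFAULT_FORWARDED_HEADERS) -> str:
    """Return the client address the application should act on and log.

    Forwarded headers are consulted only when the TCP peer (REMOTE_ADDR) is a
    trusted proxy. Otherwise any X-Forwarded-For the peer sent is ignored,
    which is what stops an attacker from spoofing their address.
    Header names are $_SERVER keys (HTTP_X_FORWARDED_FOR); a wire-style name
    such as 'X-Forwarded-For' never matches and silently disables the feature.
    """
    remote_addr = server.get("REMOTE_ADDR", "")
    if not _is_trusted_proxy(remote_addr, trusted_proxies):
        return remote_addr
    for header in forwarded_for_headers:
        raw = server.get(header)
        if not raw:
            continue
        # Multi-hop chains look like "client, proxy1"; the first valid entry
        # is the address the outermost proxy saw.
        for element in raw.split(","):
            parsed = _parse_forwarded_ip(element)
            if parsed is not None:
                return parsed
    return remote_addr


def headers_honoured(server: Mapping[str, str], trusted_proxies: Iterable[str],
                     forwarded_for_headers: Iterable[str] = DEFAULT_FORWARDED_HEADERS) -> bool:
    """Approximation of the setup check behind the warning in this thread:
    the proxy configuration is working when the resolved client address
    differs from the raw REMOTE_ADDR."""
    return client_ip(server, trusted_proxies, forwarded_for_headers) != server.get("REMOTE_ADDR", "")


if __name__ == "__main__":
    # Constructed $_SERVER fragments shaped like the dumps posted above.
    cases = {
        "haproxy, trusted":      ({"REMOTE_ADDR": "172.31.0.65", "HTTP_X_FORWARDED_FOR": "172.31.3.64"}, ["172.31.0.65"], DEFAULT_FORWARDED_HEADERS),
        "direct hit, spoofed":   ({"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}, ["172.31.0.65"], DEFAULT_FORWARDED_HEADERS),
        "docker net as CIDR":    ({"REMOTE_ADDR": "172.18.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}, ["172.18.0.0/16"], DEFAULT_FORWARDED_HEADERS),
        "ingress, multi-hop":    ({"REMOTE_ADDR": "10.233.90.131", "HTTP_X_FORWARDED_FOR": "10.27.252.1, 10.27.252.1"}, ["10.233.90.131"], DEFAULT_FORWARDED_HEADERS),
        "iis ip:port":           ({"REMOTE_ADDR": "172.18.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.7:51234"}, ["172.18.0.5"], DEFAULT_FORWARDED_HEADERS),
        "wrong header key name": ({"REMOTE_ADDR": "172.18.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}, ["172.18.0.5"], ("X-Forwarded-For",)),
    }
    for name, (srv, proxies, hdrs) in cases.items():
        print(f"{name:24s} -> {client_ip(srv, proxies, hdrs):15s} honoured={headers_honoured(srv, proxies, hdrs)}")
```

The "direct hit, spoofed" case is the attack the warning text refers to: a client that reaches Apache without going through the proxy, or from an address not listed in trusted_proxies, gets its own REMOTE_ADDR back no matter what it puts in X-Forwarded-For. The same reasoning applies to the Apache logging advice earlier in the thread: a LogFormat that writes %{X-Forwarded-For}i records the raw header from any peer, trusted or not, whereas with mod_remoteip enabled and RemoteIPTrustedProxy set (which is what the container's default remoteip config provides), %a logs the address after that trust filtering. The "wrong header key name" case shows why the misspelled 'forwarded-for-headers' key and the 'X-Forwarded-For' entry seen in some of the configs above cannot work: the lookup is against $_SERVER names.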
