Server: wrong ip stored for bruteforce behind a loadbalancer

Created on 28 Jan 2018 · 9 comments · Source: nextcloud/server

Steps to reproduce

  1. Install nextcloud behind a (pound) loadbalancer
  2. Login a few times with a wrong password

Expected behaviour

The ip field in bruteforce_attempts should include the ip of the user, not the one of the loadbalancer

Actual behaviour

The ip field in bruteforce_attempts included the ip of the loadbalancer, not the ip of the user

Server configuration

Operating system: SmartOS

Web server: Apache 2.4.x, Pound 2.8.x

"X-Forwarded-For" header is transmitted from pound to Apache with the current ip of the user

Database: MySQL 5.6.x

PHP version: 7.1.x

Nextcloud version: 11.0.7

Updated from an older Nextcloud/ownCloud or fresh install:

Updated from ownCloud 10.x to 11.0.6 to 11.0.7

Where did you install Nextcloud from:

https://download.nextcloud.com/server/releases/nextcloud-11.0.7.tar.bz2
https://download.nextcloud.com/server/releases/nextcloud-11.0.7.tar.bz2.asc

All 9 comments

Do you have your trusted proxies configured? https://github.com/nextcloud/server/blob/master/config/config.sample.php#L1434-L1441

@rullzer valid point! I added the proxy-config

  'trusted_proxies' => array(
    0 => '192.168.1.1',
    1 => '192.168.1.2',
  ),
  'forwarded_for_headers' => array('HTTP_X_FORWARED_FOR'),
  'overwritehost'     => 'nextcloud.example.com',
  'overwriteprotocol' => 'https',

but get a red warning which is not clear enough to me:

The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud.

Either the proxy headers configuration is incorrect or correct? Maybe this message should not be in red?

Furthermore the ip field in bruteforce_attempts is still the ip of the loadbalancer...

'forwarded_for_headers' => array('HTTP_X_FORWARED_FOR'),

That looks like a typo:

'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),

@rullzer wow. a typo :/ Thx a lot for looking into this!
It is now working like expected :)

Hi,

I have a similar problem and got it working using the settings mentioned here,
however, only by giving the exact IP address of the load balancer.

The load balancer is currently at 10.42.178.230.
The documentation says that ranges are also ok, but 10.42.0.0/16 does not work, only 10.42.178.230 does.

Any idea?

The documentation says that ranges are also ok, but 10.42.0.0/16 does not work, only 10.42.178.230 does.

For Nextcloud 15

Oh, ok. So this is a new feature in 15?

Yes (https://github.com/nextcloud/server/pull/12036)

Thx!
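The two points in this thread (the misspelled forwarded_for_headers entry that left the load balancer's address in bruteforce_attempts, and trusted_proxies accepting a CIDR range like 10.42.0.0/16 rather than only a single IP) come down to how a proxy-aware application resolves the client address. The following is an added illustration written for this page, not Nextcloud's own code: it assumes PHP-style `$_SERVER` keys (`REMOTE_ADDR`, `HTTP_X_FORWARDED_FOR`) and uses constructed addresses. It walks the X-Forwarded-For chain from the right past trusted hops, which is the conservative reading of such a chain; the real implementation may differ in that detail.

```python
import ipaddress

# Added illustration (not Nextcloud's code) of how trusted_proxies and
# forwarded_for_headers decide which address a brute-force record gets.
# Keys mirror PHP's $_SERVER naming: REMOTE_ADDR, HTTP_X_FORWARDED_FOR.

def is_trusted(ip, trusted_proxies):
    """True if ip matches a trusted proxy given as a single IP or a CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            # ip_network() accepts both "10.42.178.230" (a /32) and "10.42.0.0/16".
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # ignore malformed config entries
    return False

def client_ip(server, trusted_proxies, forwarded_for_headers):
    """Resolve the client address a proxy-aware app should record."""
    remote = server.get("REMOTE_ADDR", "")
    # Forwarded headers are only trustworthy when the direct peer is a trusted
    # proxy; otherwise any client could set the header and spoof its address.
    if not is_trusted(remote, trusted_proxies):
        return remote
    for header in forwarded_for_headers:
        value = server.get(header)
        if not value:
            continue  # e.g. a misspelled name such as HTTP_X_FORWARED_FOR
        # X-Forwarded-For reads "client, proxy1, proxy2"; walk from the right
        # past trusted hops and stop at the first address a proxy did not add.
        for hop in reversed([h.strip() for h in value.split(",")]):
            if hop and not is_trusted(hop, trusted_proxies):
                return hop
    return remote

def proxy_config_warning(server, trusted_proxies, forwarded_for_headers):
    """The condition behind the admin warning quoted above: the resolved
    address is itself a trusted proxy, so the headers are not being applied."""
    return is_trusted(client_ip(server, trusted_proxies, forwarded_for_headers), trusted_proxies)

# Constructed request: load balancer 10.42.178.230 forwards for client 203.0.113.7.
REQUEST = {"REMOTE_ADDR": "10.42.178.230", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}

if __name__ == "__main__":
    print(client_ip(REQUEST, ["10.42.0.0/16"], ["HTTP_X_FORWARDED_FOR"]))  # 203.0.113.7
    print(client_ip(REQUEST, ["10.42.0.0/16"], ["HTTP_X_FORWARED_FOR"]))   # 10.42.178.230 (typo)
    print(proxy_config_warning(REQUEST, ["10.42.0.0/16"], ["HTTP_X_FORWARED_FOR"]))  # True
```

With the correctly spelled header the client address is recorded and the warning condition is false; with the typo the header is never read, the proxy's own address is resolved, and the warning fires.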
