Admin check shows IP of reverse proxy

Nginx reverse proxy to Nextcloud is giving me a brute force error indicating the IP it sees. That IP is the reverse proxy LAN address. I’m wracking my melon trying to figure out why it can’t see the IP from the PC client on the same network.
192.168.40.1 - router
192.168.40.10 - pc
192.168.40.52 - reverse proxy
192.168.40.60 - nextcloud

I know this is a lot of data to go through and I seriously thank you for your time!
I’ve read the entire internet trying to fix this and something is just not clicking…

Nextcloud version (eg, 20.0.5): 27.1.8
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.52
PHP version (eg, 7.4): 8.1

The issue you are facing:
setup warning
Your remote address was identified as “192.168.40.52” and is brute-force throttled at the moment slowing down…

Is this the first time you’ve seen this error? (Y/N):
Yes
Steps to replicate it:

  1. Security and setup warnings

The output of your Nextcloud log in Admin > Logging:

nothing pertaining to issue

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

'trusted_domains' => 
  array (
    0 => '127.0.0.1',
    1 => 'domain.tld',
  ),

  'overwritehost' => 'nextcloud1.domain.tld',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwrite.cli.url' => 'https://nextcloud1.domain.tld',

  'htaccess.RewriteBase' => '/',

  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '192.168.40.1/24',

  ),

  'forwarded_for_headers' => 
  array (
    0 => 'X-Forwarded-For',
    1 => 'HTTP-X-Forwarded-For',
  ),

Nginx config

log_format custom_log1 '"Request: $request\n Status: $status\n Request_URI: $request_uri\n Host: $host\n Client_IP: $remote_addr\n Proxy_IP(s): $proxy_add_x_forwarded_for\n Proxy_Hostname: $proxy_host\n Real_IP:  $http_x_real_ip\n User_Client: $http_user_agent"';


server {
        server_name     nextcloud1.domain.tld www.nextcloud1.domain.tld;
            access_log      /var/log/nginx/nextcloud1.domain.tld.access.log custom_log1;
            error_log       /var/log/nginx/nextcloud1.domain.tld.error.log;

#           proxy directives in /nginx/proxy_params

        location / {
                proxy_pass      http://192.168.40.60;
                proxy_max_temp_file_size 2000m;
                client_max_body_size 0;

                }


    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

The output of your Apache/nginx/system log in /var/log/____:
access.log

192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Jon HTTP/1.0" 200 120
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /.well-known/webfinger HTTP/1.0" 404 37
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /.well-known/nodeinfo HTTP/1.0" 404 36
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /ocs-provider/ HTTP/1.0" 200 839
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /heartbeat HTTP/1.0" 200 -
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "PROPFIND /remote.php/webdav HTTP/1.0" 207 1313
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /ocm-provider/ HTTP/1.0" 200 177
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /data/.ocdata?t=1712794766740 HTTP/1.0" 404 11929
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 834
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "PROPFIND /remote.php/dav/ HTTP/1.0" 207 345
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "PROPFIND /remote.php/dav/ HTTP/1.0" 207 345
192.168.40.52 - - [10/Apr/2024:17:19:27 -0700] "GET /ocs/v2.php/cloud/groups/details HTTP/1.0" 200 230
192.168.40.52 - - [10/Apr/2024:17:19:28 -0700] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.0" 200 5254
192.168.40.52 - - [10/Apr/2024:17:19:26 -0700] "GET /settings/ajax/checksetup HTTP/1.0" 200 1392
192.168.40.52 - - [10/Apr/2024:17:19:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:20:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:21:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:22:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:23:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:24:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 158
192.168.40.52 - - [10/Apr/2024:17:25:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 159
192.168.40.52 - - [10/Apr/2024:17:26:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 159
192.168.40.52 - - [10/Apr/2024:17:27:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 159
192.168.40.52 - - [10/Apr/2024:17:29:43 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 159
192.168.40.52 - - [10/Apr/2024:17:30:43 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 159
192.168.40.52 - - [10/Apr/2024:17:31:25 -0700] "GET /settings/admin/logging HTTP/1.0" 200 10867
192.168.40.52 - - [10/Apr/2024:17:31:25 -0700] "GET /apps/logreader/js/logreader-main.js?v=49f2e143-0 HTTP/1.0" 200 161389
192.168.40.52 - - [10/Apr/2024:17:31:26 -0700] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Flogging HTTP/1.0" 200 238
192.168.40.52 - - [10/Apr/2024:17:31:26 -0700] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Jon HTTP/1.0" 200 120
192.168.40.52 - - [10/Apr/2024:17:31:26 -0700] "GET /apps/logreader/settings HTTP/1.0" 200 109
192.168.40.52 - - [10/Apr/2024:17:31:26 -0700] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 834
192.168.40.52 - - [10/Apr/2024:17:31:26 -0700] "GET /apps/logreader/get?offset=0&count=50&levels=00111 HTTP/1.0" 200 4223
192.168.40.52 - - [10/Apr/2024:17:31:27 -0700] "GET /apps/logreader/poll?lastReqId=axb1EZWLOYtRFuJfVhrl HTTP/1.0" 200 3420
192.168.40.52 - - [10/Apr/2024:17:31:28 -0700] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.0" 200 5254
192.168.40.52 - - [10/Apr/2024:17:31:43 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:31:27 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:31:49 -0700] "GET /settings/admin/logging HTTP/1.0" 200 10874
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Flogging HTTP/1.0" 200 238
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/Jon HTTP/1.0" 200 120
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /apps/logreader/settings HTTP/1.0" 200 109
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 834
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /apps/logreader/get?offset=0&count=50&levels=00111 HTTP/1.0" 200 4216
192.168.40.52 - - [10/Apr/2024:17:31:50 -0700] "GET /apps/logreader/poll?lastReqId=axb1EZWLOYtRFuJfVhrl HTTP/1.0" 200 3396
192.168.40.52 - - [10/Apr/2024:17:31:51 -0700] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.0" 200 5254
192.168.40.52 - - [10/Apr/2024:17:31:47 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:32:07 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:32:43 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:32:27 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:32:48 -0700] "GET /apps/logreader/get?offset=314&count=11&levels=00111 HTTP/1.0" 200 1491
192.168.40.52 - - [10/Apr/2024:17:32:47 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:33:12 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:33:08 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:33:28 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:33:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:33:48 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:34:08 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:34:28 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:34:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:34:48 -0700] "GET /apps/logreader/poll?lastReqId=9y4YN2tRPSKLvBfwO7ce HTTP/1.0" 200 1242
192.168.40.52 - - [10/Apr/2024:17:35:02 -0700] "GET /apps/logreader/poll?lastReqId=rRBfrWuqlcGM1arBon56 HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:35:22 -0700] "GET /apps/logreader/poll?lastReqId=rRBfrWuqlcGM1arBon56 HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:35:51 -0700] "GET /apps/files/api/v1/stats HTTP/1.0" 200 156
192.168.40.52 - - [10/Apr/2024:17:35:42 -0700] "GET /apps/logreader/poll?lastReqId=rRBfrWuqlcGM1arBon56 HTTP/1.0" 200 22
192.168.40.52 - - [10/Apr/2024:17:36:02 -0700] "GET /apps/logreader/poll?lastReqId=rRBfrWuqlcGM1arBon56 HTTP/1.0" 200 22

error.log

[Wed Apr 10 15:18:09.330607 2024] [access_compat:error] [pid 1283] [client 192.168.40.52:56494] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 15:22:28.883668 2024] [access_compat:error] [pid 1734] [client 192.168.40.52:60196] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 15:27:40.154609 2024] [access_compat:error] [pid 1207] [client 192.168.40.52:55026] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 16:04:01.491401 2024] [php:error] [pid 1655] [client 192.168.40.52:55092] PHP Fatal error: Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /var/www/nextcloud1.domain.tld/index.php:88\nStack trace:\n#0 {main}\n thrown in /var/www/nextcloud1.domain.tld/index.php on line 88

[Wed Apr 10 16:04:01.638737 2024] [php:error] [pid 1656] [client 192.168.40.52:55100] PHP Fatal error: Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /var/www/nextcloud1.domain.tld/index.php:88\nStack trace:\n#0 {main}\n thrown in /var/www/nextcloud1.domain.tld/index.php on line 88

[Wed Apr 10 16:04:03.153886 2024] [php:error] [pid 1657] [client 192.168.40.52:55112] PHP Fatal error: Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /var/www/nextcloud1.domain.tld/index.php:88\nStack trace:\n#0 {main}\n thrown in /var/www/nextcloud1.domain.tld/index.php on line 88, referer: https://nextcloud1.domain.tld/index.php/apps/files/preview-service-worker.js

[Wed Apr 10 16:05:15.002136 2024] [access_compat:error] [pid 1707] [client 192.168.40.52:45334] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 16:10:33.320895 2024] [access_compat:error] [pid 1323] [client 192.168.40.52:40106] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 16:47:06.582223 2024] [access_compat:error] [pid 1204] [client 192.168.40.52:40284] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 16:49:05.017755 2024] [access_compat:error] [pid 1218] [client 192.168.40.52:38272] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 17:05:20.563002 2024] [access_compat:error] [pid 1202] [client 192.168.40.52:47778] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

[Wed Apr 10 17:19:26.798558 2024] [access_compat:error] [pid 1202] [client 192.168.40.52:34040] AH01797: client denied by server configuration: /var/www/nextcloud1.domain.tld/data/.ocdata

custom nginx access.log - interesting to me here is the client ip is the router
192.168.40.1 - router
192.168.40.60 - nextcloud server
192.168.40.10 - pc

"Request: GET /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W HTTP/1.1
 Status: 200
 Request_URI: /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W
 Host: nextcloud1.domain.tld
 Client_IP: 192.168.40.1
 Proxy_IP(s): 192.168.40.1
 Proxy_Hostname: 192.168.40.60
 Real_IP: -
 User_Client: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
"Request: GET /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W HTTP/1.1
 Status: 200
 Request_URI: /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W
 Host: nextcloud1.domain.tld
 Client_IP: 192.168.40.1
 Proxy_IP(s): 192.168.40.1
 Proxy_Hostname: 192.168.40.60
 Real_IP: -
 User_Client: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
"Request: GET /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W HTTP/1.1
 Status: 200
 Request_URI: /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W
 Host: nextcloud1.domain.tld
 Client_IP: 192.168.40.1
 Proxy_IP(s): 192.168.40.1
 Proxy_Hostname: 192.168.40.60
 Real_IP: -
 User_Client: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
"Request: GET /apps/files/api/v1/stats HTTP/1.1
 Status: 200
 Request_URI: /apps/files/api/v1/stats
 Host: nextcloud1.domain.tld
 Client_IP: 192.168.40.1
 Proxy_IP(s): 192.168.40.1
 Proxy_Hostname: 192.168.40.60
 Real_IP: -
 User_Client: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
"Request: GET /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W HTTP/1.1
 Status: 200
 Request_URI: /apps/logreader/poll?lastReqId=V1IR89mNd17KOzuyyR4W
 Host: nextcloud1.domain.tld
 Client_IP: 192.168.40.1
 Proxy_IP(s): 192.168.40.1
 Proxy_Hostname: 192.168.40.60
 Real_IP: -
 User_Client: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"

You likely meant 192.168.40.0/24 here. Though given what you’ve shared, I would specify 192.168.40.52 since your proxy’s IP is limited to that.

I have tried both of those settings, didn’t change the problem at hand and will use .40.52.

See anything else out of whack?

Testing other services that nginx proxies is leading me to believe it’s a problem with the Nginx configuration. How could I see the traffic going into the server and out the backside? And would this be useful information?
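
Added example (not part of the thread, and not Nextcloud's own code): a simplified Python model of how the `trusted_proxies` and `forwarded_for_headers` settings posted above combine to pick the client address. Nextcloud's `config.sample.php` documents `forwarded_for_headers` entries as PHP `$_SERVER` keys such as `HTTP_X_FORWARDED_FOR`; the function names, the constructed request environments, and the assumption that nginx actually sends the `proxy_params` headers are assumptions of this example.

```python
import ipaddress

def is_trusted_proxy(remote_addr, trusted_proxies):
    """True when remote_addr falls inside any trusted_proxies entry (IP or CIDR)."""
    addr = ipaddress.ip_address(remote_addr)
    # strict=False masks host bits, so '192.168.40.1/24' is read as 192.168.40.0/24
    return any(addr in ipaddress.ip_network(e, strict=False) for e in trusted_proxies)

def php_server_key(header_name):
    """Name under which PHP exposes a request header in $_SERVER."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def resolve_client_ip(server, trusted_proxies, forwarded_for_headers):
    """Simplified model: the address the application logs and throttles."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        return remote_addr  # forwarded headers from an untrusted peer are ignored
    for key in forwarded_for_headers:  # each entry is looked up as a $_SERVER key
        for candidate in server.get(key, "").split(","):
            try:
                return str(ipaddress.ip_address(candidate.strip()))
            except ValueError:
                continue  # key absent or value not an IP address
    return remote_addr  # nothing usable found: fall back to the TCP peer

# Constructed environment for a request relayed by the proxy (192.168.40.52).
# The X-Forwarded-For value is the Client_IP shown in the custom nginx log.
VIA_PROXY = {"REMOTE_ADDR": "192.168.40.52",
             php_server_key("X-Forwarded-For"): "192.168.40.1"}
# Constructed: a LAN host reaching Apache directly and supplying its own header.
DIRECT = {"REMOTE_ADDR": "192.168.40.10",
          php_server_key("X-Forwarded-For"): "203.0.113.7"}

POSTED_PROXIES = ["127.0.0.1", "192.168.40.1/24"]
POSTED_HEADERS = ["X-Forwarded-For", "HTTP-X-Forwarded-For"]
NARROW_PROXIES = ["127.0.0.1", "192.168.40.52"]
SERVER_KEY_HEADERS = ["HTTP_X_FORWARDED_FOR"]

if __name__ == "__main__":
    # Posted values: neither header name is a $_SERVER key, so the proxy's own IP wins
    print(resolve_client_ip(VIA_PROXY, POSTED_PROXIES, POSTED_HEADERS))
    # $_SERVER-style key plus a single trusted proxy: the forwarded address is used
    print(resolve_client_ip(VIA_PROXY, NARROW_PROXIES, SERVER_KEY_HEADERS))
    # Whole /24 trusted: a direct LAN request's self-supplied header is believed
    print(resolve_client_ip(DIRECT, POSTED_PROXIES, SERVER_KEY_HEADERS))
    # Only the proxy trusted: the same request resolves to its real TCP peer
    print(resolve_client_ip(DIRECT, NARROW_PROXIES, SERVER_KEY_HEADERS))
```

In the second case the resolved address is still 192.168.40.1, because that is the peer nginx itself records as `$remote_addr` in the custom log; the model does not cover version-specific handling of multi-entry headers.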