Brute force protection when used behind a reverse proxy

Platform: Docker
Docker image: linuxserver/nextcloud
Version: 20.0.5

Hi,

So I have the latest version of NC running behind my nginx reverse proxy. I was testing the brute force protection by connecting through the reverse proxy from outside and continually entering the wrong password until I get the warning about being delayed for 30 secs. After that, subsequent login attempts are expected to take longer. However, after about 10 seconds, the connection times out and the connection is dropped in the browser. I can refresh the page and I’m back to the login page again. I then enter my username and password again (or another incorrect one), and the wait process continues before being disconnected again. The only way I have seen to get around it is to walk away and wait it out for hours then try again.

I assumed this was down to a timeout issue on my proxy (and am still convinced it is), so I increased it to 300 seconds:

proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;

This doesn’t seem to have had the desired effect however. I’ve confirmed that the issue is definitely the proxy server timing out on NC as I can repeat the test while connecting to the NC instance directly and the brute force wait time implementation works correctly.

Do any of you run your NC instance behind a reverse proxy and if so, have any advice for fixing the above issue?

Thanks.

Maybe this will help…

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html

Another way is to disable the brute force protection in Nextcloud and use fail2ban on your server. In theory you can use fail2ban in combination with the Nextcloud bruteforce protection, but if you have problems with it, it is safe to disable when fail2ban is working.

https://docs.nextcloud.com/server/19/admin_manual/installation/harden_server.html?highlight=fail2ban#setup-fail2ban

I also recommend forwarding the real client IPs from your reverse proxy to your Nextcloud instance, if you don’t already do so. Otherwise the bruteforce detection, and also fail2ban, can only see the IP of your reverse proxy. This is especially bad if you have multiple external users. But even when you use it only by yourself, anybody could go to your site and trigger fail2ban or the bruteforce protection, which leads to locking yourself or other legitimate users out too.

Hi bb77,

Thanks for taking the time to reply. I’ll take a look at those links. As for F2B, I use it on my reverse proxy with nginx security guarding a few internal sites. With the Nextcloud setup, I have it running on the LAN in a docker container. The last time I tried to set this up by having the nginx logs write to a shared location then F2B running on the proxy, checking those logs, things started to fail (or just plain didn’t work, it’s been over a year now), so I abandoned that idea.

Aware too of the requirement to forward the real IP as had to set this up for other sites I have behind the proxy so all good on that front.

Would be interesting to know if anyone else actually does it that way with the shared location or even better, a docker hosted NC internally with a reverse proxy fronting it.

for F2B, I use it on my reverse proxy with nginx security guarding a few internal sites. With the Nextcloud setup, I have it running on the LAN in a docker container. The last time I tried to set this up by having the nginx logs write to a shared location then F2B running on the proxy, checking those logs, things started to fail (or just plain didn’t work, it’s been over a year now), so I abandoned that idea.

I have no experience with the Nextcloud docker container, but wouldn’t you use the Nextcloud log for your fail2ban jail, instead of the one from nginx? Mine looks like this, but I’m using it on a standard LAMP stack without docker.

[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
# filter = nextcloud refers to /etc/fail2ban/filter.d/nextcloud.conf, the failregex for nextcloud.log
filter = nextcloud
# ban after 5 failures within findtime (36000 s = 10 h); the ban lasts bantime (18000 s = 5 h)
maxretry = 5
bantime = 18000
findtime = 36000
logpath = /var/nextcloud-data/nextcloud.log

Would be interesting to know if anyone else actually does it that way with the shared location or even better, a docker hosted NC internally with a reverse proxy fronting it.

Yep. Cannot really help with that…
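To make the two points above concrete (the jail’s maxretry/findtime window, and why the proxy must forward the real client IP), here is a small fail2ban-style counter over nextcloud.log lines. This is an added example, not code from Nextcloud or fail2ban. It assumes the JSON-per-line log format of Nextcloud 20 and the "Login failed: '<user>' (Remote IP: '<ip>')" message that the documented fail2ban filter matches; the log entries, IP addresses (203.0.113.7 attacker, 198.51.100.4 legitimate user, 10.0.0.2 reverse proxy) and timestamps are constructed sample data.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Same idea as the failregex in fail2ban's filter.d/nextcloud.conf: the JSON
# envelope is parsed with json.loads, the message is matched with a regex.
LOGIN_FAILED = re.compile(
    r"^Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)"
)


def parse_failures(lines):
    """Yield (timestamp, ip) for every failed-login entry in nextcloud.log lines."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log line
        if entry.get("app") != "core":
            continue
        m = LOGIN_FAILED.match(entry.get("message", ""))
        if not m:
            continue
        yield datetime.fromisoformat(entry["time"]), m.group("ip")


def banned_ips(lines, maxretry=5, findtime=36000):
    """Return {ip: time_of_ban} using fail2ban's sliding-window semantics:
    an IP is banned once it has `maxretry` failures within `findtime` seconds.
    Defaults mirror the jail shown above (maxretry = 5, findtime = 36000)."""
    window = defaultdict(deque)
    bans = {}
    for ts, ip in sorted(parse_failures(lines)):
        if ip in bans:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


# --- constructed sample data (not a real capture) -------------------------
ATTACKER, LEGIT, PROXY = "203.0.113.7", "198.51.100.4", "10.0.0.2"


def _log_line(t, remote_addr, user, ip_in_msg):
    """Build one constructed nextcloud.log entry in the Nextcloud 20 JSON layout."""
    return json.dumps({
        "reqId": "constructed", "level": 2, "time": t, "remoteAddr": remote_addr,
        "user": "--", "app": "core", "method": "POST", "url": "/login",
        "message": f"Login failed: '{user}' (Remote IP: '{ip_in_msg}')",
        "userAgent": "constructed", "version": "20.0.5.2",
    })


def scenario(proxy_forwards_client_ip):
    """Six attacker failures plus two typos by a legitimate user, behind a proxy.
    True: the proxy forwards the client IP (trusted_proxies configured in Nextcloud).
    False: Nextcloud only ever sees the proxy's own address."""
    events = [(f"2021-02-06T18:{m:02d}:00+00:00", ATTACKER, "admin") for m in range(6)]
    events += [("2021-02-06T18:01:30+00:00", LEGIT, "alice"),
               ("2021-02-06T18:03:30+00:00", LEGIT, "alice")]
    lines = []
    for t, client, user in events:
        seen = client if proxy_forwards_client_ip else PROXY
        lines.append(_log_line(t, seen, user, seen))
    return banned_ips(lines)


if __name__ == "__main__":
    print("real IPs forwarded:", sorted(scenario(True)))    # only the attacker
    print("proxy IP only:     ", sorted(scenario(False)))   # the proxy itself
```

With the client IP forwarded, only 203.0.113.7 crosses maxretry and the legitimate user’s two failures are ignored. Without forwarding, all eight failures are attributed to 10.0.0.2, so the jail bans the proxy address and every user behind it is locked out, which is exactly the failure mode described above.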

Sorry, I probably confused the situation by mentioning running it on the reverse proxy. I meant I have another 4 web hosts internally. My reverse proxy sits in my DMZ, the web hosts (also on docker), sit inside on the LAN. I protect some of those internal sites by using the http password feature on NGINX. I also run F2B on the NGINX reverse proxy and as F2B and the NGINX reverse proxy run on the same box, that’s why F2B is watching NGINX logs.

You’re absolutely right on needing to get F2B to watch the NC logs but based on the layout I have described above, the NC logs would need to be written to a shared location, say my NAS, then F2B running on the reverse proxy (that being the single point of entry into my network), would have to also check the logs on the NAS to determine if it needed to block any IPs.

That might well be this weekend’s little project!

Ah ok. Then the only possible disadvantage I can think of with running fail2ban on the reverse proxy compared to fail2ban running directly on the Nextcloud host would be that if fail2ban gets triggered, all services would be blocked and not just Nextcloud. This may or may not be a problem for you. Other than that I think it would/should work fine that way. At least as far as I understand it :slight_smile:


Agreed, but if someone is trying to brute force my NC instance, I’m happy that they couldn’t get to anything else I host. :slight_smile: