Bruteforce protection triggers for reverse proxy + port forwarding

Hi everyone,

I’m running Nextcloud 20.0.07 on Debian buster (10), using TurnKey Linux config. My setup is as follows:

  • A public domain is connected to my home external dynamic IP address via dynamic DNS (Google Domains)
  • OpenWRT router forwards 443 requests to dmz.lan, running Debian 10 and nginx in reverse-proxy mode, configured for a subdomain of that domain
  • Nginx forwards requests to my Nextcloud

Here are the relevant pieces of config:

nginx:

server {
    location / {
        proxy_pass http://nextcloud.lan:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache off;
    }

    server_name subdomain.my_tld.com;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/subdomain.my_tld.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/subdomain.my_tld.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    client_max_body_size 10G;
    client_body_buffer_size 400M;

    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}

Nextcloud’s config.php:

$CONFIG = array (
  'passwordsalt' => '....',
  'secret' => '....',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.lan',
    2 => 'subdomain.my_tld.com',
  ),
  'trusted_proxies' => ['dmz.lan',
                        '192.168.0.1'], # my router's IP address
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '20.0.7.1',
  'overwrite.cli.url' => 'https://subdomain.my_tld.com',
  'overwritehost' => 'subdomain.my_tld.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
...

The setup generally works fine, but very often the bruteforce protection kicks in:

{"reqId":"nqF0kVNI5QP0JL2hpIuE","level":1,"time":"2021-02-25T10:01:21+00:00",
"remoteAddr":"192.168.0.1","user":"--","app":"core","method":"PROPFIND",
"url":"/remote.php/webdav/Documents/some_file_name",
"message":"Bruteforce attempt from \"192.168.0.1\" detected for action \"login\".",
"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.13.1","version":"20.0.7.1"}

Please tell me I’m doing something wrong :slight_smile: I am not sure I can find a way of passing the real IP address in remoteAddr in my setup. A reasonable recourse is to listen on a local domain, but then my setup would not be available outside the local network.

I have temporarily resolved this issue by making subdomain.my_tld.com resolve to the IP address of dmz.lan on the router, effectively short-circuiting any requests from the lan zone, but the question still remains open: how do I fix it properly?
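As an added illustration for this thread (not the poster's config and not Nextcloud's or nginx's own code), the Python model below walks the X-Forwarded-For chain the way a proxy-aware application keys its bruteforce throttling on a client address, and replays the three situations in the post: LAN clients whose connections the router source-NATs on the hairpinned port forward, the same clients after the router-side DNS override, and a client that supplies its own X-Forwarded-For value. Assumptions: nginx on dmz.lan is given the constructed address 192.168.0.10, the LAN clients are 192.168.0.20 and .21, the WAN client and the client-chosen value use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and the header is walked right to left skipping trusted hops, which is the general technique rather than a statement about Nextcloud's exact parsing. The model takes trusted proxies as addresses or CIDR ranges, which is also what the Nextcloud documentation specifies for trusted_proxies, so a hostname such as dmz.lan is represented here by its assumed address.

```python
"""Model of how a proxy-aware web app derives the client address it logs
as remoteAddr and keys its bruteforce throttling on.

Added illustration, not Nextcloud's or nginx's code. All addresses are
constructed: nginx on dmz.lan is assumed to be 192.168.0.10, the router
is 192.168.0.1 as in the post, LAN clients are 192.168.0.20/.21.
"""
import ipaddress
from collections import Counter

NGINX = "192.168.0.10"   # assumed address of dmz.lan (the only hop that sets XFF)
ROUTER = "192.168.0.1"   # router address from the post


def resolve_client_ip(remote_addr, xff, trusted_proxies):
    """Return the address the app attributes the request to.

    remote_addr: peer that opened the TCP connection to the app
    xff: X-Forwarded-For header value, '' if absent
    trusted_proxies: IPs or CIDR ranges whose forwarding headers are believed
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False          # not an address at all: never a trusted hop
        return any(addr in n for n in nets)

    # A header from an untrusted peer is ignored: the peer itself is the client.
    if not xff or not trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The right-most entry was appended by the nearest proxy, so walk leftwards
    # and stop at the first hop that is not itself a trusted proxy.
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return hops[0]                # every hop trusted: left-most entry remains


def login_failure_buckets(requests, trusted_proxies):
    """Count failed logins per resolved client, i.e. the throttling key."""
    buckets = Counter()
    for remote_addr, xff, login_failed in requests:
        if login_failed:
            buckets[resolve_client_ip(remote_addr, xff, trusted_proxies)] += 1
    return buckets


def hairpin_scenario(trusted_proxies):
    """Requests as the app sees them while the router source-NATs LAN clients.

    nginx (remote_addr) writes the peer it saw into X-Forwarded-For: the WAN
    client's real address, but the router's address for every LAN client.
    """
    requests = [
        (NGINX, "203.0.113.7", True),   # WAN client with one expired token
        (NGINX, ROUTER, True),          # LAN client 192.168.0.20, hairpinned
        (NGINX, ROUTER, True),          # LAN client 192.168.0.21, hairpinned
        (NGINX, ROUTER, False),         # LAN client, successful PROPFIND
    ]
    return login_failure_buckets(requests, trusted_proxies)


def dns_override_scenario(trusted_proxies):
    """Same clients after the router resolves the domain to dmz.lan directly:
    LAN traffic no longer crosses the NAT, so nginx sees each client itself."""
    requests = [
        (NGINX, "203.0.113.7", True),
        (NGINX, "192.168.0.20", True),
        (NGINX, "192.168.0.21", True),
    ]
    return login_failure_buckets(requests, trusted_proxies)


def client_supplied_header(trusted_proxies):
    """A hairpinned LAN client that sends its own X-Forwarded-For value.

    nginx's $proxy_add_x_forwarded_for appends the peer it saw instead of
    replacing the header, so the app receives "<client value>, <router>".
    Whether the client-chosen value is believed depends on whether the
    router itself is listed as a trusted proxy.
    """
    xff = "198.51.100.9, " + ROUTER     # 198.51.100.9 is a constructed value
    return resolve_client_ip(NGINX, xff, trusted_proxies)


if __name__ == "__main__":
    print(hairpin_scenario([NGINX]))            # both LAN clients share 192.168.0.1
    print(hairpin_scenario([NGINX, ROUTER]))    # trusting the router changes nothing
    print(dns_override_scenario([NGINX]))       # one bucket per client
    print(client_supplied_header([NGINX]), client_supplied_header([NGINX, ROUTER]))
```

Two things the model makes visible. First, with the hairpinned port forward every LAN client is keyed to 192.168.0.1, exactly what the log line above shows, so one phone with a stale app token throttles the whole LAN; the DNS override fixes this because nginx then sees each client's own address, which is why the workaround in the post works. Second, listing the router in trusted_proxies does not help, since the router never adds an X-Forwarded-For header, and it widens what is believed: a LAN client's own header value is then accepted as its address, whereas with only the nginx address trusted the router's address is reported. Keeping trusted_proxies to the proxy that actually sets the header is the safer setting.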

Well, I have the same problem and cannot change my zone so easily :frowning: