Hi everyone,
I'm running Nextcloud 20.0.7 on Debian buster (10), using the TurnKey Linux configuration. My setup is as follows:
- A public domain is connected to my home external dynamic IP address via dynamic DNS (Google Domains)
- OpenWRT router forwards 443 requests to dmz.lan, running Debian 10 and nginx in reverse-proxy mode, configured for a subdomain of that domain
- Nginx forwards requests to my Nextcloud
Here are the relevant pieces of config:
nginx:
server {
    server_name subdomain.my_tld.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/subdomain.my_tld.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/subdomain.my_tld.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    client_max_body_size 10G;
    client_body_buffer_size 400M;

    # The realip module only rewrites $remote_addr for peers listed with
    # set_real_ip_from; with no such directive these two lines are inert.
    # This server is the Internet-facing edge, so there is no upstream proxy
    # whose X-Forwarded-For should be believed; they are left disabled here.
    # real_ip_header X-Forwarded-For;
    # real_ip_recursive on;

    location / {
        proxy_pass http://nextcloud.lan:80;
        proxy_set_header Host $host;
        # $remote_addr is the TCP peer nginx accepted the connection from;
        # whatever that address is (the real client, or e.g. the router if it
        # rewrites the source of forwarded traffic) is what Nextcloud receives.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent,
        # so nginx's own peer is always the rightmost entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache off;
    }
}
Nextcloud's config.php:
$CONFIG = array (
  'passwordsalt' => '....',
  'secret' => '....',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.lan',
    2 => 'subdomain.my_tld.com',
  ),
  // Nextcloud compares trusted_proxies against REMOTE_ADDR, so entries must be
  // IP addresses or CIDR ranges; a hostname such as 'dmz.lan' never matches,
  // and the actual address of dmz.lan should be listed here instead.
  'trusted_proxies' => ['dmz.lan',
    '192.168.0.1'], // my router's IP address
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '20.0.7.1',
  'overwrite.cli.url' => 'https://subdomain.my_tld.com',
  'overwritehost' => 'subdomain.my_tld.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  ...
);
The setup generally works fine, but very often brute-force protection kicks in:
{
  "reqId": "nqF0kVNI5QP0JL2hpIuE",
  "level": 1,
  "time": "2021-02-25T10:01:21+00:00",
  "remoteAddr": "192.168.0.1",
  "user": "--",
  "app": "core",
  "method": "PROPFIND",
  "url": "/remote.php/webdav/Documents/some_file_name",
  "message": "Bruteforce attempt from \"192.168.0.1\" detected for action \"login\".",
  "userAgent": "Mozilla/5.0 (Android) Nextcloud-android/3.13.1",
  "version": "20.0.7.1"
}
Please tell me I'm doing something wrong. I am not sure I can find a way of passing the real IP address in remoteAddr in my setup. A reasonable recourse is to listen on a local domain, but then my setup would not be available outside the local network.
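As an added illustration (not Nextcloud's code and not part of the post above), the following resolves the client address from REMOTE_ADDR, X-Forwarded-For and a trusted_proxies list the way a proxy-aware application should, using the addresses from this thread. The address of dmz.lan (192.168.0.10) is assumed, since the post does not give it, and the scenario in which nginx itself already sees 192.168.0.1 as its peer is likewise an assumption used to reproduce the logged value:

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed values for the topology in the post. The router's address is
# from the post; dmz.lan's address is an assumption.
ROUTER_IP = "192.168.0.1"
DMZ_IP = "192.168.0.10"                 # assumed address of dmz.lan (nginx)
PUBLIC_CLIENT = "203.0.113.7"           # documentation-range stand-in for a real client
TRUSTED_AS_POSTED = ["dmz.lan", ROUTER_IP]
TRUSTED_FIXED = [DMZ_IP, ROUTER_IP]


def parse_trusted(entries: Iterable[str]) -> List:
    """Turn trusted-proxy entries into networks.

    Entries that are not an IP address or a CIDR range (for example the
    hostname 'dmz.lan') are dropped: the list is compared against
    REMOTE_ADDR, which is always an IP, so a hostname can never match.
    """
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def is_trusted(addr: str, nets: List) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Resolve the client address behind a chain of proxies.

    X-Forwarded-For is only believed when the TCP peer itself is a trusted
    proxy. The header is then walked from right (nearest proxy) to left and
    the first hop that is not a trusted proxy is the client; anything left
    of it was supplied by an untrusted party and is ignored. If every hop is
    trusted, the leftmost hop is the peer the outermost proxy saw.
    """
    nets = parse_trusted(trusted)
    if not is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    for hop in reversed(hops):
        if not is_trusted(hop, nets):
            return hop
    return hops[0]


if __name__ == "__main__":
    scenarios = [
        # (description, REMOTE_ADDR at Nextcloud, X-Forwarded-For, trusted_proxies)
        ("hostname entry, real client", DMZ_IP, PUBLIC_CLIENT, TRUSTED_AS_POSTED),
        ("IP entry, real client", DMZ_IP, PUBLIC_CLIENT, TRUSTED_FIXED),
        ("nginx's own peer is the router", DMZ_IP, ROUTER_IP, TRUSTED_FIXED),
        ("client-supplied prefix is ignored", DMZ_IP, "10.0.0.9, " + PUBLIC_CLIENT, TRUSTED_FIXED),
    ]
    for label, peer, header, trusted in scenarios:
        print(f"{label:36} -> {client_ip(peer, header, trusted)}")
```

Two things fall out of running it. With 'dmz.lan' as a trusted_proxies entry the proxy is never trusted, so the address of dmz.lan itself gets logged; with the proxy's IP listed, the forwarded client address is used. And when the peer nginx accepts the connection from is already 192.168.0.1, that is the only address nginx can forward, so 192.168.0.1 is what ends up in remoteAddr no matter how trusted_proxies is set: in that case the source rewrite is happening before nginx, and that is where it has to be looked for. The walk is deliberately right-to-left: because `$proxy_add_x_forwarded_for` appends nginx's peer on the right, a client can only ever control the left part of the header, which an implementation that picks the leftmost entry would happily believe.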