Caddy with restricted local access is working but the headers are broken

Hi all,

I run 29.0.2 and it works without problems when I make the cloud accessible from the internet.
But I want the instance to be private and only available via VPN or LAN.

My setup:

I run Nextcloud on Unraid as a Docker container.
My dedicated OPNsense appliance runs Caddy as a reverse proxy targeting my Nextcloud instance.

I also have a domain I want my cloud to be accessible on with SSL encryption. I am no fan of HTTP cert warnings…

To avoid reaching out to Cloudflare to ask the DNS (what is the IP of my domain = nextcloud.example.com?), I established a Host-Override on my local DNS server to serve my clients the local IP of my Caddy reverse proxy. In this case it’s 192.168.1.1.
If I don't use the Host-Override, my clients reach out to the internet and get blocked by the access list.

Here is my simple Caddy config:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# Global Options
{
	log {
		include http.log.access.37fc6c8b-42c2-41e0-baba-c38516660295
		output net unixgram//var/caddy/var/run/log {
		}
		format json {
			time_format rfc3339
		}
	}

	email <redacted>
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "37fc6c8b-42c2-41e0-baba-c38516660295"
*.example.com {
	log 37fc6c8b-42c2-41e0-baba-c38516660295

	# Named matcher: requests whose Host header is the Nextcloud FQDN
	@3bc73ecf-09b3-40ed-9ae2-1a29fc02bca6 {
		host nextcloud.example.com
	}
	handle @3bc73ecf-09b3-40ed-9ae2-1a29fc02bca6 {
		# Named matcher: only clients from the VPN and LAN ranges
		@0ca7ce31-a10f-46f1-90a0-b8a87f40a05f {
			client_ip 100.65.0.0/24 192.168.1.0/24
		}

		# Only matching clients are proxied; there is no handle for the rest
		handle @0ca7ce31-a10f-46f1-90a0-b8a87f40a05f {
			handle {
				reverse_proxy nasty.example.com:8666 {
					fail_duration 30s
				}
			}
		}
	}
}


Before I switched to Caddy, I used nginx with NAXSI, but that turned out to be a buggy mess in terms of WAF capabilities and rules… However, the cloud is/was working with each proxy tool.

I could make the cloud publicly accessible, but I would miss some WAF abilities and thus some protection. That’s why I wanted to limit access to private networks only.

It works both ways (public or private), but when I limit access to local only, I see a lot of warnings and errors in the security report on the admin page. There are no warnings when I access Nextcloud from the public internet.

When I browse privately, I see the following in the logs (legacy log format). The source IPs are:

  • 192.168.200.1 # Unraid server IP (the Docker host system)
  • 172.17.0.1 # the Docker subnet on the Unraid system
  • 127.0.0.1 # localhost

192.168.200.1 - - [03/Jul/2024:19:31:46 +0200] "GET /settings/admin/overview HTTP/1.1" 200 14534 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
127.0.0.1 - - [03/Jul/2024:19:31:47 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
192.168.200.1 - - [03/Jul/2024:19:31:47 +0200] "GET /dist/updatenotification-updatenotification.js?v=29238fa6-0 HTTP/1.1" 200 9275 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:47 +0200] "GET /dist/core-files_fileinfo.js?v=29238fa6-0 HTTP/1.1" 200 1054 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:47 +0200] "GET /dist/core-files_client.js?v=29238fa6-0 HTTP/1.1" 200 4814 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:47 +0200] "GET /apps/firstrunwizard/l10n/de.js?v=29238fa6-0 HTTP/1.1" 200 5662 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
127.0.0.1 - - [03/Jul/2024:19:31:48 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:49 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
192.168.200.1 - - [03/Jul/2024:19:31:49 +0200] "GET /ocs/v2.php/cloud/groups/details HTTP/1.1" 200 920 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:49 +0200] "GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Foverview HTTP/1.1" 200 1404 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:49 +0200] "POST /contactsmenu/contacts HTTP/1.1" 200 2667 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:50 +0200] "GET /ocs/v2.php/apps/user_status/api/v1/user_status HTTP/1.1" 200 920 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:50 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 920 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
172.17.0.1 - - [03/Jul/2024:19:31:50 +0200] "PROPFIND /remote.php/webdav HTTP/1.1" 401 1774 "-" "Nextcloud Server Crawler"
192.168.200.1 - - [03/Jul/2024:19:31:50 +0200] "GET /cron.php HTTP/1.1" 200 861 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
127.0.0.1 - - [03/Jul/2024:19:31:50 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
192.168.200.1 - - [03/Jul/2024:19:31:51 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 927 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:51 +0200] "GET /avatar/odin/64/dark?v=0 HTTP/1.1" 200 2091 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
127.0.0.1 - - [03/Jul/2024:19:31:51 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
192.168.200.1 - - [03/Jul/2024:19:31:51 +0200] "GET /apps/theming/favicon/settings?v=6ac70968 HTTP/1.1" 200 90914 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:51 +0200] "GET /apps/theming/icon/settings?v=6ac70968 HTTP/1.1" 200 26450 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
192.168.200.1 - - [03/Jul/2024:19:31:49 +0200] "GET /ocs/v2.php/apps/updatenotification/api/v1/applist/29.0.3.4 HTTP/1.1" 200 1004 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
127.0.0.1 - - [03/Jul/2024:19:31:52 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:53 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
172.17.0.1 - - [03/Jul/2024:19:31:54 +0200] "HEAD /apps/settings/js/esm-test.mjs HTTP/1.1" 200 518 "-" "Nextcloud Server Crawler"
127.0.0.1 - - [03/Jul/2024:19:31:54 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:55 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:56 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:57 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:58 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
127.0.0.1 - - [03/Jul/2024:19:31:59 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.59 (Debian) PHP/8.2.20 (internal dummy connection)"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "GET /.well-known/webfinger HTTP/1.1" 404 1580 "-" "Nextcloud Server Crawler"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "GET /.well-known/nodeinfo HTTP/1.1" 404 1575 "-" "Nextcloud Server Crawler"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "PROPFIND /.well-known/caldav HTTP/1.1" 301 751 "-" "Nextcloud Server Crawler"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "GET /remote.php/dav/ HTTP/1.1" 401 1921 "-" "Nextcloud Server Crawler"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "PROPFIND /.well-known/carddav HTTP/1.1" 301 751 "-" "Nextcloud Server Crawler"
172.17.0.1 - - [03/Jul/2024:19:31:59 +0200] "GET /remote.php/dav/ HTTP/1.1" 401 1925 "-" "Nextcloud Server Crawler"
192.168.200.1 - - [03/Jul/2024:19:31:50 +0200] "GET /settings/ajax/checksetup HTTP/1.1" 200 4336 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"

You can clearly see that there are some 404, 401 and 301 responses at the end, resulting in my errors/warnings when I check the admin page…

What do I need to change to get rid of these errors? Do I need to change something in config.php to tell Nextcloud that it is not being accessed from the internet? I don't want to work with IPs instead of FQDNs. It’s easier for non-IT-affiliated people…

Like I said, it works without errors when I remove my Host-Override and the limited access and make it publicly available.
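For comparison, here is an added example of the same allow-list written as a hand-maintained Caddyfile. It is not the OPNsense-generated file from the post and not anything from the Nextcloud or Caddy projects; the hostname, the upstream `nasty.example.com:8666` and the two address ranges are taken from the post, the email address is a placeholder. The one thing it adds is an explicit fallback `handle` that answers 403: in the posted config, a request from outside the two ranges matches no handler, and Caddy's default for an unmatched request is an empty 200, not a denial.

```caddyfile
# Added example, not the OPNsense-generated config from the post.
{
	email admin@example.com   # placeholder for ACME registration

	# Deliberately no trusted_proxies here: clients hit Caddy directly, so
	# the client_ip matcher below uses the TCP peer address. Listing the
	# client subnets as trusted proxies would let those clients pick their
	# own X-Forwarded-For and defeat the allow-list.
}

nextcloud.example.com {
	# Clients that may reach the instance: the VPN and LAN ranges from the post.
	@private client_ip 100.65.0.0/24 192.168.1.0/24

	handle @private {
		# reverse_proxy sets X-Forwarded-For, X-Forwarded-Proto and
		# X-Forwarded-Host for the upstream by default; Nextcloud only
		# honours them if this proxy's address is in trusted_proxies
		# in its config.php.
		reverse_proxy nasty.example.com:8666 {
			fail_duration 30s
		}
	}

	# Everything else: an explicit 403 instead of Caddy's empty-200 default.
	handle {
		respond 403
	}
}
```

A quick check from a host outside the two ranges: `curl -sk -o /dev/null -w '%{http_code}' https://nextcloud.example.com/` should print `403`, and from inside them a `200` or `302` from Nextcloud. The hostname must still resolve to Caddy for that check to be meaningful, which is what the Host-Override in the post provides.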