Cannot get rid of the reverse proxy warning

i have been trying for days to upgrade from NC 15 to NC 17 (by way of a fresh install via docker), and i cannot for the life of me get rid of the reverse proxy warning. i’ve tried following every tutorial and support post i can find, and nothing has worked.

can someone take a look at my docker-compose and traefik config files and tell me if something is obviously wrong here? and/or what i’m supposed to put in the nextcloud config to make this work? i’ve already tried the traefik IP as well as many others (i’ve literally been trying for days and have lost track at this point of what i’ve tried, but nothing has worked)…

i also messed around with the source code inside the NC container (to echo phpinfo), and have verified that the external ip is in fact getting through from traefik (at least outside my home network, from inside it’s showing my router IP), so that doesn’t seem to be the issue. nextcloud just isn’t using it for some reason.

version: '3'

services:
  nextcloud_db:
    image: mariadb
    container_name: nextcloud_db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=xxx
    env_file:
      - db.env
    networks:
      - nextcloud

  nextcloud:
    image: nextcloud:17-apache
    container_name: nextcloud
    restart: always
    volumes:
      - /home/crackers8199/nextcloud/config:/var/www/html/config
    labels:
      - "traefik.frontend.rule=Host:nextcloud.mydomain.com"
      - "traefik.frontend.entryPoints=https"
      - "traefik.frontend.whiteList.useXForwardedFor=true"
      - "traefik.frontend.passHostHeader=true"
    depends_on:
      - nextcloud_db
    networks:
      - nextcloud

  traefik:
    image: traefik:1.7 # The official Traefik docker image
    container_name: traefik
    command: --docker
    environment:
      - DO_AUTH_TOKEN=xxx
    ports:
      - "80:80"     # The HTTP port
      - "443:443"   # https
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /home/crackers8199/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /home/crackers8199/traefik/acme/acme.json:/acme.json
    networks:
      - nextcloud

volumes:
  db:

networks:
  nextcloud:

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[docker]

[acme]
email = "xxx@xxx.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
  [acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0

So is it a new installation or an upgrade?

Can you post the exact error?

What about the documentation?

https://docs.nextcloud.com/server/18/admin_manual/configuration_server/reverse_proxy_configuration.html

it’s a new install…that’s why i said “by way of a fresh install via docker.” my NC 15 install was on another server.

it’s the standard reverse proxy warning that shows up in the settings overview.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

i’ve read it, multiple times. it doesn’t tell me exactly what to put there, it just says:

Set the trusted_proxies parameter as an array of IPv4 addresses, IPv4 ranges in CIDR notation or IPv6 addresses to define the servers Nextcloud should trust as proxies. This parameter provides protection against client spoofing, and you should secure those servers as you would your Nextcloud server.

that doesn’t tell me what ip exactly is supposed to go there, and clearly i have no idea because nothing i have tried has worked. most of the tutorials i have seen have said to put the docker IP of the traefik container, but that hasn’t solved anything. the error still persists.

I can tell you that the IP address should be the source IP the reverse proxy will use to connect to Nextcloud. Beyond that, I would suspect something in the traefik config because it works as the documentation says with an Apache reverse proxy.

If you want a working example to compare against, I wrote a guide for doing this with Apache, but I haven’t really used traefik.

that’s the strange thing…i’ve used that, more than once, and it doesn’t work. i did go into the container though and echo phpinfo, and it does look like the correct forwarding info is being passed into the NC container. it’s all just really strange, and incredibly frustrating…

Could you substitute an Apache reverse proxy just to isolate whether the issue is with traefik?

i don’t know how to set one up. i can try using your guide, i guess…i used traefik because i’m familiar with it.

People run it in traefik, so it’s not like it doesn’t work. It’s just a matter of figuring out what isn’t right.

If you run occ config:system:get trusted_proxies The sole entry in that list should be the LAN IP that traefik will be coming from when it proxies traffic. Now, I see above that you’re running the reverse proxy also in Docker (I run it in the host OS) and that you have it attached to a Docker network.

So is the IP that you have set for trusted_proxies the IP of the host server, or the IP that the traefik container is using internally?

Hi Karl,

I have a similar problem with configure the reverse proxy option in nextcloud. Should I open a new topic? I think the my problem could be the same.

My finding: I can set the trusted_proxies by editing the config file or by executing the command occ config:system:set trusted_proxies 0 --value=192.168.0.10. But when I execute your command occ config:system:get trusted_proxies I get an empty line. Also after restarting it, I still get an empty line.
To find out if the problems has to do something with traefik, I installed a fresh “test” nextcloud via docker on a different notebook and tested it with nginx as reverse proxy or without reverse proxy et all. I always get an empty line back from the command occ config:system:get trusted_proxies. (I verified that the config.php contained a trsuted_proxies entry)
So I was wondering if I doing something wrong or that there is maybe a problem with reading the trusted_proxies from the config file.

When I run occ config:system:get trusted_proxies it correctly shows the IP address. Make sure yours is entered correctly.

well, i guess that’s the issue…running that command returns a blank line, even though i’ve already set the value in config.php. even setting it with the occ command does nothing.

That’s strange, and it wouldn’t have anything to do with traefik. Does it look right in your config.php?

  'trusted_proxies' =>
  array (
    1 => '127.0.0.1',
  ),

Did you use occ to set it originally or manually edit the file?

i’ve done it both ways now, manually and using the occ command. both times it looks correct in the config file, but the get command returns nothing.

root@4e4cdcb389c0:/var/www/html# sudo -u www-data php occ config:system:set trusted_proxies 0 --value=192.168.64.3
System config value trusted_proxies => 0 set to string 192.168.64.3
root@4e4cdcb389c0:/var/www/html# sudo -u www-data php occ config:system:get trusted_proxies

root@4e4cdcb389c0:/var/www/html# 

root@4e4cdcb389c0:/var/www/html# cat config/config.php
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.64.3',
  ),
  'overwriteprotocol' => 'https',
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.mydomain.com:7647',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '17.0.5.0',
  'overwrite.cli.url' => 'http://nextcloud.mydomain.com:7647',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud_db:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxx',
  'installed' => true,
);

@KarlF12 i’m seeing the same thing as edenhaus. it’s always a blank line.

was there a bug introduced somehow in 17.0.5 that is causing this? what version are you on?

edit: this is exactly the problem. there must have been a bug introduced 17.0.5 that broke trusted proxies. i switched to the 17.0.4 image, set the trusted proxy ip accordingly (the ip of the traefik container), and i can now both see the ip when using the occ command and the warning is gone.

I am on 17.0.5 but have not changed my trusted proxy settings since 16.

i wonder if it’s only broken if you start on the 17.0.5 image somehow…all i know is that as soon as i rolled back to 17.0.4 and started over with a clean install, everything now works. i had been trying for literally three days to get it working on 17.0.5, and it never did.

now that i know i can at least get a clean install of .4 working, i’ll try upgrading to .5 and see if it still works. give me a few mins and i’ll report back.

edit: upgrading to 17.0.5 after starting with a clean install of 17.0.4 works. the warning is still gone, and the occ command now correctly returns the traefik IP.

very strange.

now i can’t get rid of the STS header warning. ugh. this seems to be a traefik issue because i’m not seeing the header at all, but still…this shouldn’t be this complicated to get up and running lol

nvm, got it working. had to add this label to the nextcloud container:

"traefik.frontend.headers.customResponseHeaders=Strict-Transport-Security: max-age=15552000; includeSubDomains"

Ok that is very strange. I can confirm your analysis.
I have seen you have already open an issue.
For the others: https://github.com/nextcloud/server/issues/20441