Disable Internal Error page or hide Internal IP

Hello Nextcloud community,

We were recently alerted that the Internal Server Error page is showing our internal IP in the “Remote Address” section, which poses some security concerns on our end as an external individual could use this information.

Is there a way we can disable or remove that information?

Thanks in advance!
John

Hello John @ITMaya you are missing the required support template. Please fill this form out and edit into your post. This will give us the technical info and logs needed to help you in case the machine in question is spitting out errors! Since you’ve provided zero technical details it is impossible to help you as-is. Thanks.

I the mindset about disclosing internal IPs to become a security risk… It is not the case - security by obscurity doesn’t work - but providing good customized error pages rather than default one might improve your service. Once you add required information you might receive the advice you are looking for.

Hello,

Sorry about the missing details, I assumed that my problem was “generic enough” as it is by default how Nextcloud behaves.

system information

Nextcloud version 25.0.2
Ubuntu 22.04
Apache 2.4.57
PHP version 8.0.29
Database mysql Ver 15.1 Distrib 10.3.38-MariaDB
Is this the first time you’ve seen this error? no

The issue you are facing:

  • Steps to replicate it:
  1. The Internal error page is displaying internal remote IP.

I’d disagree with the statement that security by obscurity doesn’t work. It’s the first step to protecting a company’s configuration. It isn’t sufficient but displaying it easily is clearly not helping companies to fight against cyber crime.

Most security tools will trigger alerts such as → Private IP addresses disclosed - PortSwigger

The internal IP address is disclosed through verbose error message responses from the affected web application. This information can aid threat actors in carrying out network layer attacks that aim to penetrate the internal infrastructure.

What would you recommend to change the default page? Is it possible?

Thank you for your help.
Best,
John

Are you sure that page you are referring to is generated by Nextcloud? At least on my test instance Nextcloud doesn’t show any IP information on the “Internal Server Error” page, but just a simple generic text message:

So if I had to guess, I would say that the page you are referring to is either coming from the Apache web server or from your reverse proxy if you are using one.

In Apache, you can disable the output of potentially sensitive information by adapting the following lines in /etc/apache2/conf-available/security.conf:

ServerTokens Prod
ServerSignature Off

Other web servers / reverse proxies most likely have similar configuration options, which you should find in the documentation of the respective products.

Hello bb77,

I can confirm that this isn’t an Apache notification but a NextCloud one.
Please see the image below.

image

Thank you for your help.
John

Please provide a complete description of when and how it happens, together with all related logs, e.g. client, server, reverse proxy… I have no idea what causes the message you show… In my case, server issues, e.g. stopping the DB, resulted in a message like the one bb77 posted. But in the end this is a user-facing error message and I expect to see the client IP there, and as the user can always know his IP there is no issue. In case you have a reverse proxy in the middle and this IP is shown, then you had better check the reverse proxy config so real-ip is provided to Nextcloud (and logs and likely in this message).

Oh I think you just nailed it.
We use a reverse proxy so that is where we should be looking at.

I have no idea how to reproduce it as it was the result of a PenTest, but no need to look further as you’re right, we should be displaying the original IP.

Thanks so much for your help!
John

For the record, this was triggered using the SAML plugin and the following URL
https://domain/index.php/apps/user_saml/saml/login?idp=1&idp=sdfsty

Despite the right configuration in Nginx

proxy_pass_header Server;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

As well as this in the NextCloud configuration file

'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),

I can’t seem to have it working properly.

I followed this thread as well, no luck so far → How to get the real IPs in logs - #37 by wwe

@wwe you may close this one.
It turned out that I was missing this in my config file

  'trusted_proxies' => 
  array (
    0 => '10.10.10.1',
  ),

Info - Running Nextcloud behind NGINX reverse proxy | Zuckerbude

Thanks!
John

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.
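
What the `trusted_proxies` entry changes, as an added example that is not Nextcloud's code and not part of the original posts: a simplified Python model of proxy-aware client address resolution. It goes slightly beyond the thread by reading X-Forwarded-For from right to left, so entries a client supplies itself are not believed; the function name is hypothetical, and 203.0.113.7, 192.0.2.66 and 198.51.100.9 are constructed sample addresses.

```python
import ipaddress

def resolve_remote_address(remote_addr, headers, trusted_proxies,
                           forwarded_for_headers=("HTTP_X_FORWARDED_FOR",)):
    """Model of which address an application reports as "Remote Address"."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    # The TCP peer is not a configured proxy: forwarded headers are ignored,
    # so the peer address itself (here the proxy's internal IP) is reported.
    if not is_trusted(remote_addr):
        return remote_addr

    for name in forwarded_for_headers:
        hops = [h.strip() for h in headers.get(name, "").split(",") if h.strip()]
        # nginx's $proxy_add_x_forwarded_for appends the peer it saw to whatever
        # the client sent, so only the rightmost entries come from our proxies.
        for hop in reversed(hops):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed entry: stop using this header
            if not is_trusted(hop):
                return hop
    return remote_addr

if __name__ == "__main__":
    proxy = "10.10.10.1"  # proxy address taken from the thread
    hdr = {"HTTP_X_FORWARDED_FOR": "203.0.113.7"}  # constructed client address
    # Without trusted_proxies: the proxy's internal IP is what gets displayed.
    print(resolve_remote_address(proxy, hdr, []))
    # With trusted_proxies set: the original client address is displayed.
    print(resolve_remote_address(proxy, hdr, [proxy]))
    # A client-supplied leading entry is not believed.
    spoofed = {"HTTP_X_FORWARDED_FOR": "192.0.2.66, 203.0.113.7"}
    print(resolve_remote_address(proxy, spoofed, [proxy]))
```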