DNS redirecting to local IP

Hey all! I previously had the official Nextcloud plugin running on my TrueNAS Core box, but upon updating it seems to have broken the whole instance (apparently a common occurrence with the official plugin).

Rather than trying to troubleshoot the poorly supported and seemingly largely abandoned plugin, I’m taking the opportunity to go through Samuel Dowling’s fantastic guide on a manual jail installation and configuration, to start up a new Nextcloud from scratch, and hopefully gain a better understanding.

There were some hiccups, but now it’s nearly there and working nicely but there’s one problem:

When I attempt to visit my domain name:

cloud.example.com

It reverts to the local IP of the jail:

https://192.168.0.10/login

I’m using a reverse proxy, so this results in a timeout. To access the site without a timeout, I have to specifically use a URL with a nextcloud page.

For instance:

cloud.example.com/login or cloud.example.com/apps

In my NC Security overview, I have this message, which could be related:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud

I’ve checked my config file again and again, going over every option I can imagine (with my limited experience). But as far as I can tell, the config is ok.

<?php

$CONFIG = array (
  'instanceid' => 'redacted',
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
    1 => 'cloud.example.com',
  ),
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '26.0.2.1',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_admin',
  'dbpassword' => 'redacted',
  'installed' => true,
  'default_phone_region' => 'US',
  'trusted_proxies' =>
  array (
    0 => '192.168.0.11',
  ),
  'overwriteprotocol' => 'https',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
);

The only possibility I can think of is these settings:

'overwrite.cli.url' => 'https://cloud.example.com',

'htaccess.RewriteBase' => '/',

Which I’ve added to enable the “Pretty URLs” feature to remove the ugly index.php/ on all the URLs. But I don’t know if this is the cause or not.


Thanks for sticking with the long post. Any thoughts or suggestions would be much appreciated!

I think you are very close - but the most important parameter to generate correct URLs behind a reverse proxy would be overwritehost => cloud.example.com… and you need to declare a trusted proxy so NC uses x_forwarded.. to know where the request originates

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html


Awesome, that did the trick! Thanks so much @wwe!

When you say declare a trusted proxy, would this be something additional in this section? Because I already do have my reverse proxy listed as a trusted proxy.

'trusted_proxies' =>
array (
0 => '192.168.0.11',
),

I actually am still getting the error message:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.

So I wonder if it has to be something else.

Edit: Apparently that error message will always be there, I guess it’s a bug
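
As an added illustration of what the replies describe (not code from the thread, and not Nextcloud's own implementation): a simplified Python model of how `overwritehost` and `trusted_proxies` decide the redirect base and the client IP. The request values are constructed, it assumes the proxy at 192.168.0.11 passes the jail IP as `Host`, and the right-to-left `X-Forwarded-For` walk is this example's choice.

```python
import ipaddress

# Values from the config posted in the thread; the requests in demo() are constructed.
CONFIG = {"trusted_proxies": ["192.168.0.11"], "overwriteprotocol": "https"}
FIXED = dict(CONFIG, overwritehost="cloud.example.com")

def from_trusted_proxy(addr, config):
    """True only if addr is one of the configured trusted proxies."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False)
               for p in config.get("trusted_proxies", []))

def client_ip(remote_addr, headers, config):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy."""
    xff = headers.get("X-Forwarded-For", "")
    if not xff or not from_trusted_proxy(remote_addr, config):
        return remote_addr  # a header sent by an untrusted peer is ignored
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not from_trusted_proxy(hop, config):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the header
    return remote_addr

def base_url(remote_addr, headers, config):
    """Base used for redirects: overwritehost wins over anything in the request."""
    proto = config.get("overwriteprotocol") or "http"
    host = config.get("overwritehost")
    if not host and from_trusted_proxy(remote_addr, config):
        host = headers.get("X-Forwarded-Host")
    return f"{proto}://{host or headers.get('Host', '')}"

def demo():
    via_proxy = {"Host": "192.168.0.10", "X-Forwarded-For": "10.9.9.9, 198.51.100.4"}
    spoofed = {"Host": "192.168.0.10", "X-Forwarded-For": "203.0.113.7"}
    return {
        "before": base_url("192.168.0.11", via_proxy, CONFIG),
        "after": base_url("192.168.0.11", via_proxy, FIXED),
        "proxied_client": client_ip("192.168.0.11", via_proxy, FIXED),
        "direct_client": client_ip("192.168.0.50", spoofed, FIXED),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model, "before" reproduces the redirect to the jail IP and "after" shows the effect of adding `overwritehost`; the last two entries show why a forwarded header is only believed when it arrives from the listed proxy.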