Failed logins with Docker image + Apache reverse proxy

Nextcloud version: 21.0.4
Operating system and version: Ubuntu 20.04
Apache: 2.4.41
PHP version: -

Apache on the host machine is running as a reverse proxy for the Nextcloud Docker image (the version with Apache). I migrated all data from a previous installation following this guide.

I can log in via browser with a warning: We have detected multiple invalid login attempts from your IP. Therefore your next login is throttled up to 30 seconds.

Checking the log, I can see that there are a lot of failed logins all from the same IP, i.e. the IP of the docker gateway.
No surprise getting throttled if all clients appear as the same IP, although I don’t understand why, since I didn’t change any login credentials.

I’m not able to configure Nextcloud and Apache such that the real client IP is forwarded…
Is there something obviously wrong in my config below?

The output of your Nextcloud log in Admin > Logging:

[core] Warning: Login failed: 'my.account' (Remote IP: '172.22.0.1')

PROPFIND /nextcloud/remote.php/webdav/some_file
from 172.22.0.1 at 2021-11-11T19:27:21+00:00

config.php edited via environment variables in docker-compose.yml:

- OVERWRITEHOST=my.domain
- OVERWRITEPROTOCOL=https
- OVERWRITEWEBROOT=/nextcloud
- APACHE_DISABLE_REWRITE_IP=1
- TRUSTED_PROXIES=127.0.0.1

Apache site-config 000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName my.domain
        DocumentRoot /var/www/html

        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

        ProxyRequests off
        SSLProxyEngine on
        RemoteIPHeader X-Forwarded-For

        ## Nextcloud config
        <Location /nextcloud>
            ProxyPreserveHost on
            ProxyPass http://localhost:8080
            ProxyPassReverse http://localhost:8080
            Order allow,deny
            Allow from all
        </Location>
        RewriteEngine On
        RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/nextcloud/remote.php/dav/ [R=301,L]
        RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/nextcloud/remote.php/dav/ [R=301,L]
        RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/nextcloud/index.php/.well-known/webfinger [R=301,L]
        RewriteRule ^/\.well-known/nodeinfo https://%{SERVER_NAME}/nextcloud/index.php/.well-known/nodeinfo [R=301,L]
        ## End Nextcloud config

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
</VirtualHost>
</IfModule>

Edit: Found the issue:
Inside the container, the host's reverse proxy isn't located at 127.0.0.1 but at the Docker network's gateway address.

BUT if the Docker network isn't created manually beforehand, this gateway address will probably change. That's no good if I need to provide a static IP or subnet to TRUSTED_PROXIES.

So, I created a network: docker network create nextcloud_net. With docker network inspect nextcloud_net I can find out the now static subnet of this network.

It finally works with the following additions/changes to docker-compose.yml:

networks:
  nextcloud_net:
    external: true

services:
  app:
    # Add this network to every service
    networks: ["nextcloud_net"]
    environment:
      # list form, like the other variables above; the value is the subnet
      # reported by `docker network inspect nextcloud_net`
      - TRUSTED_PROXIES=<subnet>

I’d be interested whether there is a better way… Also a bit surprised that it isn’t documented anywhere.
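The following is an added example, not part of the post above and not Nextcloud's own code. It is a simplified model of how a trusted-proxy setting decides which address a login attempt is attributed to, so the two configurations from the post can be compared side by side: with TRUSTED_PROXIES=127.0.0.1 the container never trusts the gateway address 172.22.0.1, so every client collapses onto that one IP and the brute-force throttle fires for everyone; with the Docker subnet trusted, the X-Forwarded-For header is honoured and each client is counted separately. The subnet 172.22.0.0/16, the client addresses, and the log entries are constructed for the example; the model takes the rightmost hop of X-Forwarded-For that is not itself a trusted proxy (the value Apache's mod_proxy appends for the connecting client), which is the defensive choice but may differ in detail from Nextcloud's own header parsing.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple


def is_trusted_proxy(addr: str, trusted_proxies: Sequence[str]) -> bool:
    """True if addr falls inside any trusted_proxies entry (single IP or CIDR)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # a malformed entry trusts nobody, rather than everybody
    return False


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      trusted_proxies: Sequence[str]) -> str:
    """Address a request is attributed to (e.g. for login throttling).

    X-Forwarded-For is only consulted when the TCP peer is a trusted proxy;
    a client connecting directly cannot pick its own address by sending the
    header. Among the hops, the rightmost one that is not a trusted proxy is
    used, because that is the value the last trusted proxy appended itself.
    """
    if not is_trusted_proxy(remote_addr, trusted_proxies) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip().strip("[]") for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            continue  # skip garbage such as "unknown"
        if not is_trusted_proxy(hop, trusted_proxies):
            return hop
    return remote_addr  # every hop was a trusted proxy; fall back to the peer


def attempts_per_ip(entries: List[Tuple[str, Optional[str]]],
                    trusted_proxies: Sequence[str]) -> Dict[str, int]:
    """Count failed logins per attributed address, the way an IP-based throttle would."""
    counts: Dict[str, int] = {}
    for remote_addr, xff in entries:
        ip = resolve_client_ip(remote_addr, xff, trusted_proxies)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: inside the container every request arrives from the
# Docker gateway (as in the post's log), with the real client in X-Forwarded-For.
DOCKER_GATEWAY = "172.22.0.1"
FAILED_LOGINS: List[Tuple[str, Optional[str]]] = [
    (DOCKER_GATEWAY, "203.0.113.7"),
    (DOCKER_GATEWAY, "203.0.113.7"),
    (DOCKER_GATEWAY, "198.51.100.23"),
    # client sent its own X-Forwarded-For; mod_proxy appended the real address
    (DOCKER_GATEWAY, "10.0.0.1, 192.0.2.44"),
]

ORIGINAL_CONFIG = ["127.0.0.1"]       # TRUSTED_PROXIES from the first attempt
FIXED_CONFIG = ["172.22.0.0/16"]      # constructed: subnet of the created network


def compare_configs() -> Dict[str, Dict[str, int]]:
    """Per-IP failed-login counts under the original and the fixed setting."""
    return {
        "original": attempts_per_ip(FAILED_LOGINS, ORIGINAL_CONFIG),
        "fixed": attempts_per_ip(FAILED_LOGINS, FIXED_CONFIG),
    }


if __name__ == "__main__":
    for name, counts in compare_configs().items():
        print(f"{name:9s} {counts}")
    # a direct connection from an untrusted peer cannot spoof its address
    print(resolve_client_ip("198.51.100.9", "10.0.0.1", FIXED_CONFIG))
```

Running the block shows every one of the four constructed attempts landing on 172.22.0.1 under the original setting, which is exactly the "multiple invalid login attempts from your IP" symptom, and three distinct clients under the fixed one. Trusting a whole subnet only makes sense when nothing else on that Docker network can reach the container; a second container on the same network would also be trusted and could then set X-Forwarded-For freely.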