Help configuring apache reverse proxy after moving existing nextcloud instance to new server?

I had a fully up to date Nextcloud 26.0.2 server running on apache2 2.5.52 and a mysql server on a single box. I recently installed a new hypervisor and moved the mysql server to its own VM (that migration went fine). I then moved nextcloud to its own VM, backed by apache2 2.5.52, and converted the other server's site to a reverse proxy. This is mostly working, but I'm pretty sure I messed something up in the reverse proxy configuration, as I'm seeing this on my admin page intermittently; when I refresh, sometimes it goes away:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

I followed the documentation, but I think I have issues around SSL. First of all, I have a wildcard SSL cert on my reverse proxy for all sites, so "https://nextcloud.domain.tld" works fine. I have an internal CA, and provision internal SSL certs for "hostname.home.domain.tld". This CA is trusted by all my clients and servers; before moving nextcloud I tried to troubleshoot over there by having an index.php with phpinfo() and found a reverse proxy configuration that worked. The gist is this:

<VirtualHost *:80>
	ServerName nextcloud.domain.tld
	ServerAlias nextcloud.domain.tld
	ServerAlias *.nextcloud.domain.tld
	Redirect permanent / https://nextcloud.domain.tld
	ErrorLog ${APACHE_LOG_DIR}/error.nextcloud.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/access.nextcloud.log combined
	LimitRequestLine 20000
</VirtualHost>

<VirtualHost *:443>
	ServerName nextcloud.domain.tld
	ServerAlias nextcloud.domain.tld
	ServerAlias *.nextcloud.domain.tld
	<IfModule mod_headers.c>
		Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
	</IfModule>
	RewriteEngine On
	ProxyPreserveHost On
	AllowEncodedSlashes NoDecode
	ProxyPass / https://nextcloudhostname.home.domain.tld/ nocanon
	ProxyPassReverse / https://nextcloudhostname.home.domain.tld/
	TimeOut 120
	ProxyTimeout 120
	RewriteCond %{HTTP:Upgrade} websocket [NC]
	RewriteCond %{HTTP:Connection} upgrade [NC]
	RewriteRule ^/\.well-known/carddav https://nextcloud.domain.tld/remote.php/dav [R=301,L]
	RewriteRule ^/\.well-known/caldav https://nextcloud.domain.tld/remote.php/dav [R=301,L]
	RewriteRule ^/\.well-known/webfinger https://nextcloud.domain.tld/index.php/.well-known/webfinger [R=301,L]
	RewriteRule ^/\.well-known/nodeinfo https://nextcloud.domain.tld/index.php/.well-known/nodeinfo [R=301,L]
	Protocols h2 h2c http/1.1
	H2WindowSize 5242880
	TraceEnable off
	<Files ".ht*">
		Require all denied
	</Files>
	LimitRequestBody 0
	ErrorLog ${APACHE_LOG_DIR}/error.nextcloud.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/access.nextcloud.log combined
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/wildcard.domain.tld.crt
	SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.tld.key
	SSLCACertificateFile /etc/ssl/certs/RapidSSL.Intermediate.crt
	SSLProxyEngine on
	SSLStrictSNIVHostCheck off
	SSLProxyVerify require
	SSLProxyCheckPeerName off
	# Required
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerExpire on
	SSLProxyProtocol TLSv1.2
	# Required
	SSLProxyCheckPeerName off
	SSLProxyCACertificateFile /etc/ssl/certs/home.domain.tld.rootca.2032.08.24.pem
	SSLVerifyClient none
	SSLVerifyDepth  10
	SSLHonorCipherOrder On
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
	SSLInsecureRenegotiation off
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<FilesMatch \.php$>
	SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost/"
	</FilesMatch>
	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
	ProxyRequests	   On
	RequestHeader	   set		 X-Forwarded-Proto "https"
</VirtualHost>

Ok, fine. I wanted SSL termination but it didn’t really work, hence all the ssl verification off. On the actual server itself, this is my config.php:

<?php
$CONFIG = array (
  'instanceid' => '-----',
  'passwordsalt' => '------',
  'secret' => '-------',
  'trusted_domains' => 
  array (
    0 => 'home.domain.tld',
    1 => 'domain.tld',
    2 => 'nextcloud.domain.tld',
    3 => 'nextcloudhostname.home.domain.tld',
  ),
  'trusted_proxies' => 
  array (
    0 => '10.2.2.10',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'defaultapp' => 'files',
  'version' => '26.0.2.1',
  'overwritehost' => 'nextcloud.domain.tld',
  'overwrite.cli.url' => 'https://nextcloud.domain.tld',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'sqlhostname.home.domain.tld:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'usr_nextcloud',
  'dbpassword' => '------',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'maintenance' => false,
  'theme' => '',
  'localstorage.umask' => 2,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => 2,
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'mailhostname.home.domain.tld',
  'mail_smtphost' => 'localhost',
  'mail_smtpport' => '25',
  'default_phone_region' => 'US',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'app_install_overwrite' => 
  array (
    0 => 'files_3d',
    1 => 'files_texteditor',
    2 => 'printer',
    3 => 'epubreader',
    4 => 'richdocumentscode',
    5 => 'breezedark',
    6 => 'apporder',
    7 => 'ldap_write_support',
  ),
  'trashbin_retention_obligation' => 'auto,15',
  'allow_local_remote_servers' => true,
  'updater.secret' => '-----',
  'mail_smtpsecure' => 'ssl',
);

I want to call attention to trusted_proxies, where I have tried several different syntax formats, but none of them seem to work. That is the correct IP of the reverse proxy. I guess I'm not technically seeing any issues, but the warning bothers me, and I'm wondering if there's anything else I should do about it?
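To make the warning above concrete, here is an added Python model (my reading of how Nextcloud resolves the client address and runs the admin-page check, not Nextcloud's own code) using the trusted_proxies value from the config.php above, with three constructed requests: one through the proxy with X-Forwarded-For, one through the proxy without it (the case that triggers the warning), and one from an untrusted address carrying a spoofed header.

```python
import ipaddress

# Constructed model (my reading of Nextcloud's logic, not its code): REMOTE_ADDR is
# replaced by the first valid address in a forwarded-for header only when
# REMOTE_ADDR itself matches trusted_proxies; otherwise the header is ignored.
TRUSTED_PROXIES = ["10.2.2.10"]                   # value from the config.php above
FORWARDED_FOR_HEADERS = ["HTTP_X_FORWARDED_FOR"]  # Nextcloud's default header list

def is_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True if remote_addr is listed as a plain IP or falls inside a CIDR entry."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                # a malformed entry can never match
        if addr.version == net.version and addr in net:
            return True
    return False

def resolve_client_ip(server):
    """server: CGI-style variables as PHP sees them in $_SERVER."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote_addr):
        return remote_addr          # header from an untrusted peer: ignored
    for header in FORWARDED_FOR_HEADERS:
        for candidate in server.get(header, "").split(","):
            candidate = candidate.strip().strip("[]")   # IPv6 may be bracketed
            try:
                ipaddress.ip_address(candidate)
                return candidate
            except ValueError:
                continue
    return remote_addr              # trusted proxy but no usable header

def proxy_headers_working(server):
    """Mirror of the admin-page check: a trusted proxy in front whose request
    still resolves to REMOTE_ADDR means no usable X-Forwarded-For arrived."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if is_trusted_proxy(remote_addr) and remote_addr != "127.0.0.1":
        return resolve_client_ip(server) != remote_addr
    return True                     # not behind a trusted proxy: nothing to check

# Constructed requests as the Nextcloud backend would see them.
VIA_PROXY = {"REMOTE_ADDR": "10.2.2.10", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
VIA_PROXY_NO_HEADER = {"REMOTE_ADDR": "10.2.2.10"}   # produces the warning
DIRECT_SPOOF = {"REMOTE_ADDR": "10.2.2.99", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
```

To feed it real values, read REMOTE_ADDR and HTTP_X_FORWARDED_FOR from the phpinfo() page mentioned above on the backend, or log `%{X-Forwarded-For}i` in the backend's access log and compare it with the connecting address.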