So, for others who search for a solution, here is how I solved it:
I’m using a reverse proxy with HAProxy, with SSL offloading, running Nextcloud in Docker.
I’m also using NAT reflection so that I can use my external host on my internal network.
First, I added my HAProxy to trusted_proxies in config.php (nextcloud_config dir).
By enabling the X-Forwarded-For header in HAProxy, I did get my client IPs in nextcloud.log. I also verified the headers with tcpdump (also easily tested with something like containous/whoami).
The Apache logs didn’t care about that. First of all, I had to change %h to %a in LogFormat (in apache2.conf), which is the variable that mod_remoteip uses. Then I had to add the X-Real-IP header to HAProxy, as it doesn’t seem to listen to X-Forwarded-For in this configuration. Now I can see the client IPs of external clients.
Clients originating from my local network still just show the proxy as IP.
After some investigation, I made some changes in /etc/apache2/conf-enabled/remoteip.conf.
I commented out all RemoteIPTrustedProxy lines and added:
RemoteIPInternalProxy
By doing so, the IPs of clients originating from my local network also hit the Apache log.
Further, I noticed that mod_remoteip only had “RemoteIPHeader X-Real-IP” configured. By changing that to:
RemoteIPHeader X-Forwarded-For
in remoteip.conf, it was unnecessary to add the X-Real-IP header in the HAProxy config.
I would like to see a persistent solution to this.
These are the changes I made from within the container:
sed -i -e 's/RemoteIPHeader X-Real-IP/RemoteIPHeader X-Forwarded-For/g' /etc/apache2/conf-enabled/remoteip.conf
sed -i -e 's/RemoteIPTrustedProxy/#RemoteIPTrustedProxy/g' /etc/apache2/conf-enabled/remoteip.conf
echo "RemoteIPInternalProxy $(env | grep TRUSTED_PROXIES | cut -d= -f2)" >> /etc/apache2/conf-enabled/remoteip.conf
sed -i -e '/LogFormat/s/%h/%a/g' /etc/apache2/apache2.conf
Note that the TRUSTED_PROXIES env variable has to be set to the reverse proxy IP.
Feel free to correct me if I made some mistakes.
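
An added example (not part of the original post, and not Apache's code): a simplified Python model of the right-to-left X-Forwarded-For processing that the mod_remoteip documentation describes. It shows why LAN clients appear as the proxy under RemoteIPTrustedProxy but not under RemoteIPInternalProxy, and why forged entries are left unconfirmed. The function name and all addresses are constructed for illustration, and the proxy is assumed to append the address it saw as the last entry.

```python
import ipaddress

# Ranges the mod_remoteip docs list as never accepted from a RemoteIPTrustedProxy peer.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "127.0.0.0/8")]


def _in(addr, nets):
    """True if addr falls inside any of the configured addresses or blocks."""
    return any(addr in ipaddress.ip_network(n) for n in nets)


def resolve_client_ip(peer, header, internal=(), trusted=()):
    """Model of the documented behaviour (hypothetical helper, simplified).

    peer     -- address of the TCP connection as Apache sees it
    header   -- X-Forwarded-For value, comma separated
    internal -- RemoteIPInternalProxy entries
    trusted  -- RemoteIPTrustedProxy entries
    Returns (client_ip, unconfirmed_header_remainder).
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in header.split(",") if h.strip()]
    while hops:
        is_internal = _in(current, internal)
        if not is_internal and not _in(current, trusted):
            break  # this hop is not a configured proxy: its claim is ignored
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and keep what was confirmed so far
        if not is_internal and any(candidate in n for n in PRIVATE):
            break  # a TrustedProxy may not vouch for a private address
        current = candidate
        hops.pop()
    return str(current), ", ".join(hops)


if __name__ == "__main__":
    proxy = "172.18.0.2"  # constructed: HAProxy address on the Docker network
    # LAN client behind the proxy, with the original RemoteIPTrustedProxy setup
    print(resolve_client_ip(proxy, "192.168.1.50", trusted=[proxy]))
    # Same request after switching to RemoteIPInternalProxy
    print(resolve_client_ip(proxy, "192.168.1.50", internal=[proxy]))
    # External client that sent its own forged X-Forwarded-For: 10.0.0.1
    print(resolve_client_ip(proxy, "10.0.0.1, 203.0.113.7", internal=[proxy]))
```

In this model the forged `10.0.0.1` is never promoted to the client address, because `203.0.113.7` is not a configured proxy; the same check makes a header sent by a peer that bypasses HAProxy have no effect.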