How to solve "Access through untrusted domain" when using DuckDNS and OMV/Docker

GuiPoM · August 22, 2021, 2:39pm

Hello,

I am installing nextcloud on openmediavault as a docker image, using a ducksdns.org domain name and using subfolders. Something like ‘https://mycustomdomaing.duckdns.org/nextcloud’.

I am using the standard docker-compose file from openmediavault: [How-To] Nextcloud with Letsencrypt using OMV and docker-compose - Guides - openmediavault and of course I configured nginx proxy for the subdirectory as well as nextcloud config.php file for trusted domains.

This is working fine but is of course not safe as trusted domain contain a star instead of IPs or a domain name

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocapj1ywa0lp',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.80',
  ),
  'dbtype' => 'mysql',
  'version' => '22.0.0.11',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => 'apo3Y6kXTPkvguOTqyl9gBSjokWYDD',
  'installed' => true,
  'trusted_proxies' =>
  array (
    0 => 'swag',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://mycustomdomain.dyndns.org/nextcloud',
  'trusted_domains' =>
  array (
    0 => '*',
  ),
);

But if I replace it with

'trusted_domains' =>
  array (
    0 => 'mycustomdomain.dyndns.org',
  ),

Note: yes, trusted_domains are defined two time, but I can also merge it in a single entry with 0=> and 1=> but it has no impact at all on the final behavior.

Then I cannot log to nextcloud with the famous error “Access through untrusted domain”. I am looking for any log file where I can understand why the incoming request is rejected. It must have something to do with the use of swag as nextcloud works with a direct https access (and thus an untrusted certificate) or with that star.
But I can’t find any technical log explaining why it is rejected and how to solve it.

Here is the full docker-compose config, just in case:

version: "2"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Paris #change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-uuid/appdata/nextcloud/config:/config
      - /srv/dev-disk-by-uuid/appdata/nextcloud/data:/data
    depends_on:
      - mariadb
    ports: # uncomment this and the next line if you want to bypass the proxy
      - 450:443
    restart: unless-stopped
  mariadb:
    image: ghcr.io/linuxserver/mariadb
    container_name: nextclouddb
    environment:
      - PUID=998
      - PGID=100
      - MYSQL_ROOT_PASSWORD=mariadbpassword  #change password
      - TZ=Europe/Paris #Change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-uuid/appdata/nextclouddb:/config
    restart: unless-stopped
  swag:
    image: linuxserver/swag         #swag is the replacement for letsencrypt (see link below)
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Paris
      - URL=mycustomdomain.duckdns.org #insert your domain name - yourdomain.url
      - SUBDOMAINS=www,
      - VALIDATION=http 
      - EMAIL=mymail@mailme.fr
    volumes:
      - /srv/dev-disk-by-uuid/appdata/swag:/config
    ports:
      - 10443:443
      - 10080:80
    restart: unless-stopped

As it works well by disabling the trusted_domains, I hope it is quite easy to fix !

Thanks

j-ed · August 22, 2021, 3:32pm

In general the trusted_domain parameter need to be set to the name under which you’re going to access the server. It doesn’T contain the networks etc. from which you’re accessing the server. If you, by any kind, proxy an access and use an ip address in the configuration to access the server, that need to be added to the Nextcloud configuration too.
The log file of your web server should usually show from which ip address an access is coming and to which server or ip address it is going. So I would recommend to start there with your investigations.

GuiPoM · August 23, 2021, 8:49pm

Thank you for your answer.

I manage to find a clue by activating the verbose logs and having a look to nextcloud logs.
I don’t know for which reason (swag, nginx …) but the incoming url name was www.mycustomdomain.duckdns.org and not mycustomdomain.duckdns.org.

I never have seen that in any tutorial I have found, it might have something to do with the subdomain from the docker-compose file, but even on the omv forum where this file is there is no mention of a required www. prefix.

But it seems to be working. I have a full backup, I will try it again from scratch to check if I manage to have it working again and if it was the proper fix to have all containers working together.