IIS Reverse Proxy Works But Can Be Spoofed


We recently set up a Nextcloud server with an IIS reverse proxy and we’re using SSL offloading. When accessing Nexcloud from an external IP address, and when we’re in the admin section, we get the following message:

The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.

There is probably some simple thing that we are missing, but we’re stuck trying to figure it out. :confused: Our configuration is the following:

IIS web.config File
<?xml version="1.0" encoding="UTF-8"?>
<rule name="ReverseProxyInboundRule1" stopProcessing="false">
<match url="(.*)" />
<action type="Rewrite" url="http://192.168.[mailserver].[ip]/{R:1}" />
<set name="HTTP_ACCEPT_ENCODING" value="True" />
<clear />
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
<match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://192.168.[mailserver].[ip]/(.*)" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="true">
<action type="Rewrite" value="https://cloud.[our].[domain]/{R:2}" />
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
Nextcloud config.php File
$CONFIG = array (
'instanceid' => '[redacted]',
'passwordsalt' => '[redacted]',
'trusted_domains' =>
array (
0 => 'localhost',
1 => 'nextcloud',
2 => '192.168.[nextcloud].[ip]',
3 => 'cloud.[our].[domain]',
'datadirectory' => '/var/ncdata',
'version' => '',
'dbtype' => 'mysql',
'dbhost' => 'localhost',
'dbport' => '',
'dbname' => '[redacted]',
'dbuser' => '[redacted]',
'dbpassword' => '[redacted]',
'dbtableprefix' => '[redacted]',
'installed' => true,
'default_language' => 'en',
'force_language' => 'en',
'knowledgebaseenabled' => true,
'allow_user_to_change_display_name' => false,
'auth.bruteforce.protection.enabled' => true,
'mail_domain' => '[our].[domain]',
'mail_from_address' => 'cloud',
'mail_smtpdebug' => true,
'mail_smtpmode' => 'smtp',
'mail_smtphost' => '192.168.[mailserver].[ip]',
'mail_smtpport' => '25',
'mail_smtptimeout' => 10,
'mail_smtpauth' => 1,
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpname' => 'cloud',
'mail_smtppassword' => '[redacted]',
'overwritehost' => 'cloud.[our].[domain]',
'overwriteprotocol' => 'https',
'overwritewebroot' => '',
'overwritecondaddr' => '192\\.168\\.[mailserver]\\.[ip]$',
'overwrite.cli.url' => 'https://cloud.[our].[domain]/',
'htaccess.RewriteBase' => '/',
'trashbin_retention_obligation' => 'D10,D28',
'check_for_working_webdav' => true,
'check_for_working_wellknown_setup' => true,
'check_for_working_htaccess' => true,
'log_type' => 'file',
'logfile' => '/var/ncdata/nextcloud.log',
'loglevel' => '2',
'logdateformat' => 'F d, Y H:i:s',
'logtimezone' => 'America/Chicago',
'log_rotate_size' => '10485760',
'ldapUserCleanupInterval' => 41,
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
'maintenance' => false,
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/var/run/redis/redis.sock',
'port' => 0,
'timeout' => 0,
'dbindex' => 0,
'password' => '[redacted]',
'mysql.utf8mb4' => true,
'secret' => '[redacted]',
'trusted_proxies' =>
array (
0 => '192.168.[mailserver].[ip]',
 * Headers that should be trusted as client IP address in combination with
 * `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
 * If set incorrectly, a client can spoof their IP address as visible to
 * Nextcloud, bypassing access controls and making logs useless!
 * Defaults to ``'HTTP_X_FORWARED_FOR'``
'forwarded_for_headers' =>
array (
'filelocking.enabled' => true,
'filelocking.ttl' => 5400,
'memcache.locking' => '\\OC\\Memcache\\Redis',
'filelocking.debug' => false,
'debug' => false,
'mail_smtpsecure' => 'ssl',

We should note the mail server and the proxy server are one and the same.

When reading the config.sample.php file in the Nextcloud folder, we’re a bit confused because it talks about ‘X-Forwarded-For’ and ‘HTTP_X_FORWARDED_FOR’ in the headers section, but then lists ‘HTTP_X_FORWARDED’ and ‘HTTP_FORWARDED_FOR’ as the options in the array. Every single one of these variables are different from each other. We’ve tried different combinations in the array, and still are unable to clear the spoof message.

Do you have any suggestions for us to try?

Thank you!


Anyone please?

Finally got the reverse proxy working most of the way except for the home page image. I was able to disable SSL offloading from IIS and the warnings disappeared.