La configuration des en-têtes du reverse proxy est incorrecte

Bonjour,

J’ai dû réinstaller mon instance sur une nouvelle VM, tout en gardant une configuration très proche de l’ancienne, et je n’arrive pas à comprendre pourquoi ce message d’erreur s’affiche :

La configuration des en-têtes du reverse proxy est incorrecte. C’est un problème de sécurité, qui peut permettre à un attaquant d’usurper l’adresse IP affichée à Nextcloud. Pour plus d’information, voir la documentation :arrow_upper_right:.

Voici ma config nginx sur mon reverse proxy (qui n’est pas sur la même machine) :

server {
	# Plain-HTTP listener on the reverse proxy: only the ACME challenge is
	# served here, everything else is redirected to HTTPS.
	server_name cloud.domain.com;

	listen 80;
	listen [::]:80;

	location ^~ /.well-known/acme-challenge {
		# NOTE(review): the alias target ends in ".well-know" while the
		# location is ".well-known" -- confirm the directory really has that
		# name, otherwise challenge files will 404 and renewals fail.
		alias /var/www/html/cloud.domain.com/.well-know;		
		#proxy_pass http://cloud.domain.com/;
	}
	
	location / {
		# Preserve the requested host and path when bouncing to HTTPS.
		return 301 https://$host$request_uri;
	}
}

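server {
	# Public TLS endpoint for Nextcloud; forwards to the backend VM over TLS.
	server_name cloud.domain.com;

	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	location / {
		# Headers describing the original request for the backend. Nextcloud
		# only honours X-Forwarded-* once this proxy's address (as seen by the
		# backend) is listed in 'trusted_proxies' in config.php.
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		# X-Forwarded-Host carries the original Host header, not the client
		# address. The previous value ($remote_addr) would make a backend that
		# trusts this proxy build its URLs from the client's IP.
		proxy_set_header X-Forwarded-Host $host;
		# Appends $remote_addr to whatever X-Forwarded-For the client sent, so
		# the last entry is always the address this proxy actually saw; the
		# backend must read that last entry (nginx realip does by default).
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		# NOTE(review): nginx does not verify the upstream certificate unless
		# told to. The backend presents a certificate for cloud.domain.com, so
		# verification can be turned on (adjust the CA bundle path to the distro):
		#   proxy_ssl_server_name on;
		#   proxy_ssl_name cloud.domain.com;
		#   proxy_ssl_verify on;
		#   proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
		proxy_pass https://cloud.domain.com;

		# add_header is not inherited once a location defines its own, so any
		# add_header lines in snippets/header.conf do not apply to responses
		# from this location. The backend also sends HSTS; 'preload' is a
		# long-term commitment for the whole domain, keep it only if intended.
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
		# No limit here; the backend enforces its own client_max_body_size.
		client_max_body_size 0;

		access_log /var/log/nginx/nextcloud.access.log;
		error_log /var/log/nginx/nextcloud.error.log;
	}

	# Service discovery redirects for CardDAV/CalDAV clients.
	location /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
	}

	location /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
	}

	ssl_certificate /etc/letsencrypt/live/cloud.domain.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/cloud.domain.com/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/cloud.domain.com/chain.pem;
	
	include /etc/nginx/snippets/header.conf;
	include /etc/nginx/snippets/ssl.conf;

	access_log /var/log/nginx/cloud.domain.com.access.log;
	error_log /var/log/nginx/cloud.domain.com.error.log;

}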

La config du nginx sur la VM de l’instance :

# PHP-FPM socket that receives all .php requests from the server block below.
upstream php-handler {
    server unix:/run/php/php8.2-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# (empty ?v= -> no suffix; anything else -> ", immutable" appended to Cache-Control).
map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

server {
    # Plain HTTP on the backend VM: everything is redirected to HTTPS.
    listen 80;
    listen [::]:80;
    server_name cloud.domain.com;
    
    # Recover the client address from X-Forwarded-For. NOTE(review): 10.0.0.0/8
    # trusts every host in that range to rewrite the client IP; narrow it to
    # the reverse proxy's own address. (Only affects logging in this block.)
    real_ip_header X-Forwarded-For;
    set_real_ip_from  10.0.0.0/8; 
    
    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    # Nextcloud backend vhost, reached through the reverse proxy over TLS.
    listen 443      ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.domain.com;

    # Path to the root of your installation
    root /var/www/nextcloud;

    # Replace $remote_addr with the last X-Forwarded-For entry when the
    # connection comes from a trusted range. NOTE(review): 10.0.0.0/8 lets any
    # host in that range spoof the client IP; restrict it to the proxy's
    # address. Because fastcgi_params (not shown) normally passes $remote_addr
    # as REMOTE_ADDR, PHP/Nextcloud then sees the recovered client address,
    # not the proxy's -- keep that in mind for 'overwritecondaddr' and
    # 'trusted_proxies' in config.php, which both match on REMOTE_ADDR.
    real_ip_header X-Forwarded-For;
    set_real_ip_from  10.0.0.0/8;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate     /etc/ssl/certs/cloud.domain.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/cloud.domain.com/privkey.pem;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    # (repeated in the static-asset location below because add_header is not
    # inherited once a location sets its own).
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Set .mjs and .wasm MIME types
    # Either include it in the default mime.types list
    # and include that list explicitly or add the file extension
    # only for Nextcloud like below:
    include mime.types;
    types {
        text/javascript mjs;
	application/wasm wasm;
    }

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    # (config/, data/ and dot-files must never be reachable over HTTP).
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        # Refuse paths whose script does not exist instead of handing an
        # arbitrary file to PHP-FPM.
        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # The backend itself terminates TLS, so HTTPS=on is correct here
        # regardless of 'overwriteprotocol' in config.php.
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
        add_header Referrer-Policy                   "no-referrer"       always;
        add_header X-Content-Type-Options            "nosniff"           always;
        add_header X-Frame-Options                   "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies "none"              always;
        add_header X-Robots-Tag                      "noindex, nofollow" always;
        add_header X-XSS-Protection                  "1; mode=block"     always;
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Et enfin mon fichier config.php :

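<?php
// Nextcloud system configuration for the instance behind the reverse proxy
// (secrets redacted by the poster).
$CONFIG = array (
  'instanceid' => 'xxxxxx',
  'passwordsalt' => 'xxxxx',
  'secret' => 'xxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => 'cloud.domain.com',
    1 => 'rp.otherdomain.com',
    2 => '10.0.0.3',
  ),
  // Addresses allowed to supply X-Forwarded-* headers. This key was missing:
  // with an empty 'trusted_proxies' and an X-Forwarded-Host header arriving
  // from the proxy, the setup check reports the reverse-proxy-header warning.
  // 10.0.0.3 is taken from 'overwritecondaddr' below, which already names the
  // REMOTE_ADDR the overwrite rules expect -- confirm it is the proxy's
  // address as seen by this VM. Note that if nginx's realip module rewrites
  // REMOTE_ADDR from X-Forwarded-For, PHP sees the end client's address here,
  // not the proxy's.
  'trusted_proxies' => 
  array (
    0 => '10.0.0.3',
  ),
  // Header read for the client address when the request comes from a
  // trusted proxy; the proxy config sets X-Forwarded-For.
  'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  // NOTE(review): generated URLs use this host whenever REMOTE_ADDR matches
  // 'overwritecondaddr'. The proxy serves the instance as cloud.domain.com;
  // verify that rp.otherdomain.com is really the hostname users should be
  // redirected to.
  'overwritehost' => 'rp.otherdomain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '',
  'overwritecondaddr' => '^10\\.0\\.0\\.3$',
  'overwrite.cli.url' => 'https://cloud.domain.com/',
  'datadirectory' => '/var/nc_datas',
  'dbtype' => 'mysql',
  'version' => '29.0.5.1',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxx',
  'installed' => true,
  'maintenance_window_start' => 1,
  'filelocking.enabled' => 'true',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
    'password' => 'xxxxxxxxxx',
  ),
  'default_phone_region' => 'FR',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'admin',
  'mail_domain' => 'otherdomain.com',
  'mail_smtphost' => 'mail.otherdomain.com',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'admin@otherdomain.com',
  'mail_smtppassword' => 'xxxxxxxxxxx',
  'log_type' => 'file',
  'loglevel' => 2,
  'logfile' => '/var/nc_datas/nextcloud.log',
  'log_rotate_size' => 1048576,
  'log_type_audit' => 'file',
  'logfile_audit' => '/var/nc_datas/audit.log',
  'maintenance' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  // NOTE(review): two-factor enforcement is normally managed through the
  // admin UI / occ twofactorauth:enforce; confirm these keys are honoured
  // here rather than only as app config.
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'theme' => '',
  'mail_smtpsecure' => 'ssl',
);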

Auriez-vous une idĂ©e de ce qui peut poser problĂšme ? J’ai revu la doc et je pense avoir mis les bonnes variables.

Merci beaucoup

Personne n’a d’idée ? :slight_smile:

Bonjour, j’ai la même difficulté que vous et j’ai beau chercher et essayer plusieurs possibilités, je n’arrive pas à trouver. J’ai effectué l’installation de Nextcloud via une image NextcloudPi_RaspberryPi4_v1.55.1 sur mon Raspberry Pi 4 et c’est la seule chose que je n’arrive pas à résoudre.

L’erreur est la suivante :
La configuration des en-têtes du reverse proxy est incorrecte, ou vous accédez à Nextcloud depuis un proxy de confiance. Si ce n’est pas le cas, c’est un problème de sécurité, qui peut permettre à un attaquant d’usurper l’adresse IP affichée à Nextcloud. Pour plus d’information, voir la documentation :arrow_upper_right:.

Le lien de la documentation est très utile mais ne corrige pas l’erreur de mon côté ; voici mon fichier config.php :

<?php
// NextcloudPi-generated config.php (secrets and addresses redacted by the
// poster); the instance is served directly by Apache on the Pi.
$CONFIG = array (
  'default_phone_region' => 'FR',
  'passwordsalt' => '*****************************',
  'secret' => '*****************************************',
  // Duplicate entries (7/14 'nextcloudpi', 3/2 'mondomaine.ddns.net') are
  // harmless but can be removed.
  'trusted_domains' =>
  array (
    0 => 'localhost',
    7 => 'nextcloudpi',
    5 => 'nextcloudpi.local',
    8 => 'nextcloudpi.lan',
    3 => 'mondomaine.ddns.net',
    11 => '****:****:****:****:****:****:****:****',
    1 => '***.***.*.**',
    14 => 'nextcloudpi',
    2 => 'mondomaine.ddns.net',
  ),
  'datadirectory' => '/media/USBdrive/ncdata/data',
  'dbtype' => 'mysql',
  'version' => '29.0.4.1',
  'overwrite.cli.url' => 'https://mondomaine.ddns.net/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncadmin',
  'dbpassword' => '************************************',
  'installed' => true,
  'instanceid' => '************',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
    'password' => '**********************************',
  ),
  'tempdirectory' => '/media/USBdrive/ncdata/data/tmp',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'noreply',
  'mail_domain' => 'nextcloudpi.com',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'overwriteprotocol' => 'https',
  'maintenance' => false,
  'maintenance_window_start' => 1,
  'logfile' => '/media/USBdrive/ncdata/data/nextcloud.log',
  // Only hosts that genuinely forward requests to Nextcloud belong here: a
  // listed address is allowed to set the client IP via X-Forwarded-For. When
  // a request arrives directly from an address in this list (nothing in
  // between forwarding it), the setup check reports "...or you are accessing
  // Nextcloud from a trusted proxy". Entries 14 and 15 look like LAN/router
  // addresses rather than proxies -- review whether anything actually proxies
  // to this Pi; if not, they (and the loopback entries) can go.
  'trusted_proxies' =>
  array (
    11 => '***.*.*.*',
    12 => '::1',
    14 => '**.**.***.**',
    15 => '***.***.*.**',
  ),
  'loglevel' => '2',
  'log_type' => 'file',
  'htaccess.RewriteBase' => '/',
  'overwritewebroot' => '/',
  // overwritehost/overwriteprotocol/overwritewebroot only apply when
  // REMOTE_ADDR matches this regex; verify 192.168.1.12 is the forwarding
  // host, not a client machine.
  'overwritehost' => 'mondomaine.ddns.net',
  'overwritecondaddr' => '^192\\.168\\.1\\.12$',
);

Et j’ai bien regardé dans mon fichier apache2/sites-enabled/001-nextcloud.conf, mais il est déconseillé de le modifier :

### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###

Donc je me suis rabattue sur « nano /etc/apache2/sites-enabled/000-default.conf », qui me paraît correct :

# Plain-HTTP vhost: lets ACME challenges through, redirects everything else
# to HTTPS on the vhost's ServerName.
<VirtualHost _default_:80>
  DocumentRoot /var/www/nextcloud
  <IfModule mod_rewrite.c>
    RewriteEngine On
    # Leave /.well-known/acme-challenge/ alone so certificate renewal works.
    RewriteRule ^.well-known/acme-challenge/ - [L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  </IfModule>
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    # AllowOverride All is required so Nextcloud's .htaccess rules apply.
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
  </Directory>
</VirtualHost>

Il ne me reste donc plus que « nano /etc/apache2/sites-enabled/ncp.conf » :

# NextcloudPi admin panel (ncp-web) on its own TLS port; unrelated to the
# Nextcloud reverse-proxy-header check.
Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/mondomaine.ddns.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mondomaine.ddns.net/privkey.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>

  # 2 days to avoid very big backups requests to timeout
  TimeOut 172800

  # Basic-auth credentials are checked against system accounts via pwauth.
  <IfModule mod_authnz_external.c>
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  </IfModule>

</VirtualHost>
<Directory /var/www/ncp-web/>

  AuthType Basic
  AuthName "ncp-web login"
  AuthBasicProvider external
  AuthExternal pwauth

  # Access requires BOTH a permitted source address AND the ncp user.
  <RequireAll>

   <RequireAny>
      Require host localhost
      Require local
      # NOTE(review): partial addresses match as prefixes: "172" means
      # 172.0.0.0/8 (the private range is only 172.16.0.0/12) and "10" means
      # 10.0.0.0/8; the two-octet public prefix below is a whole /16. Prefer
      # explicit CIDR ranges.
      Require ip ***.*** # only the first six digits of my IP are shown
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
   </RequireAny>

   Require user ncp

  </RequireAll>

</Directory>

Est-ce qu’une âme de passage :innocent: par ici a eu le même cas, afin de partager une solution ?
Et, par ailleurs, m’expliquer ce qui manquait tant à ma config :man_teacher: !

Vous remerciant par avance, noble communauté
Votre serviteur :slight_smile:

Je viens de remarquer cela dans la documentation pour Apache2

# Service-discovery redirects for CardDAV/CalDAV clients. They belong inside
# the Nextcloud <VirtualHost>; on NextcloudPi that file is generated, so check
# whether it already contains equivalent rules before adding them elsewhere.
# %{SERVER_NAME} is the vhost's ServerName (the requested host name when
# UseCanonicalName is Off), i.e. the instance's domain. These rules do not
# affect the reverse-proxy-header warning.
RewriteEngine On
RewriteRule ^/.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

Je vais regarder demain, mais je me pose la question : dans quel fichier conf dois-je ajouter ces lignes ?
Et est-ce que « SERVER_NAME » correspond au nom de domaine ?

Je viens de trouver ! :tada:

Ouvrir son fichier config.php, puis dans

  'trusted_proxies' =>
  array (
    11 => '127.0.0.1', 
    12 => '::1',

Il suffisait de ne laisser que l’adresse de bouclage en IPv4 et IPv6 ! C’est cohérent avec le message : « trusted_proxies » ne doit contenir que les adresses des machines qui relaient réellement les requêtes vers Nextcloud. Une adresse de client ou de routeur listée ici déclenche l’avertissement « ou vous accédez à Nextcloud depuis un proxy de confiance », et surtout autorise cette machine à forger l’adresse IP vue par Nextcloud via X-Forwarded-For. Si aucun proxy ne tourne sur le Pi lui-même, les entrées de bouclage peuvent aussi être retirées.
Depuis, le message d’erreur ne s’affiche plus, même en redémarrant le Raspberry Pi.

J’espùre que ça en aidera d’autre :pray: