Log generated in a nextcloud instance behind a caddy reverse proxy

merkleID · February 9, 2022, 11:47am

This is apache_access.log generated by nextcloud when behind a caddy reverse proxy:

10.50.4.1 is the Caddy reverse proxy ip

1.2.3.4 is the redacted real origin ip

apache_access.log:

10.50.4.1 1.2.3.4 - - [09/Feb/2022:12:18:07 +0100] “PROPFIND /remote.php/dav/files/RedactedUsername/ HTTP/1.1” 207 7096 “-” “Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)”

10.50.4.1 1.2.3.4 - - [09/Feb/2022:12:18:36 +0100] “PROPFIND /remote.php/dav/files/RedactedUsername/ HTTP/1.1” 207 7096 “-” “Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)”

10.50.4.1 1.2.3.4 - - [09/Feb/2022:12:19:07 +0100] “PROPFIND /remote.php/dav/files/RedactedUsername/ HTTP/1.1” 207 7096 “-” “Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)”

10.50.4.1 1.2.3.4 - - [09/Feb/2022:12:19:36 +0100] “PROPFIND /remote.php/dav/files/RedactedUsername/ HTTP/1.1” 207 7096 “-” “Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)”

10.50.4.1 1.2.3.4 - - [09/Feb/2022:12:20:06 +0100] “PROPFIND /remote.php/dav/files/RedactedUsername/ HTTP/1.1” 207 7096 “-” “Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)”

nextcloud.log:

{“reqId”:“REDACTED”,“level”:2,“time”:“2022-02-09T11:27:09+00:00”,“remoteAddr”:“10.50.4.1”,“user”:“RedactedUsername”,“app”:“suspicious_login”,“method”:“OPTIONS”,“url”:"/remote.php/dav/calendars/RedactedUsername",“message”:“Detected a login from a suspicious login. user=Test ip=10.50.4.1 strategy=ipv4”,“userAgent”:“curl/7.54”,“version”:“22.2.3.0”}

My question is:

what is nextcloud taking into account as origin ip for security concerns and actions, like geoblocker, brute force attempts, suspicious logins and so on?

Is Nextcloud aware that the real origin ip is the one in the second field in apache_access.log?

I am asking this because I am having the same problem with fail2ban examining nextcloud.log which logs/contains only reverse proxy ip

Thanks!