NC behind Cloudflare tunnel doesn't show real IP

Nextcloud version (eg, 20.0.5): 25.0.2
Operating system and version (eg, Ubuntu 20.04): Docker x86_64
Apache or nginx version (eg, Apache 2.4.25): The one given with Nextcloud 25.0.2
PHP version (eg, 7.4): The one given with Nextcloud 25.0.2

The issue you are facing: I want to get a reliable IP in the log file, but it always writes:

{"reqId":"GApN3WSbOONM4t82sT2c","level":2,"time":"2022-12-29T18:53:10+00:00","remoteAddr":"172.24.0.1","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: USER (Remote IP: 172.24.0.1)","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.2.3","data":[]}

172.24.0.1 is the IP of the Docker Gateway.

I have the following configuration (only relevant parts):

<?php
$CONFIG = array (
  'forwarded_for_headers' =>
  [
    "HTTP_CF_CONNECTING_IP",
    "HTTP_X_FORWARDED_FOR"
  ],
  'trusted_domains' =>
  [
    '192.168.1.200',
    'mycloud.URL.tld'
  ],
  'trusted_proxies' =>
  array (
    0 => '103.21.244.0/22',
    1 => '103.22.200.0/22',
    2 => '103.31.4.0/22',
    3 => '104.16.0.0/13',
    4 => '104.24.0.0/14',
    5 => '108.162.192.0/18',
    6 => '131.0.72.0/22',
    7 => '141.101.64.0/18',
    8 => '162.158.0.0/15',
    9 => '172.64.0.0/13',
    10 => '173.245.48.0/20',
    11 => '188.114.96.0/20',
    12 => '190.93.240.0/20',
    13 => '197.234.240.0/22',
    14 => '198.41.128.0/17',
    15 => '2400:cb00::/32',
    16 => '2405:8100::/32',
    17 => '2405:b500::/32',
    18 => '2606:4700::/32',
    19 => '2803:f800::/32',
    20 => '2a06:98c0::/29',
    21 => '2c0f:f248::/32'
  ),
  'version' => '25.0.2.3',
);

IPs in the trusted proxies are those given by Cloudflare here: https://www.cloudflare.com/en/ips/

I don’t know what I’m doing wrong, if someone has an idea.

And… all my links on Google are purple :smiling_face_with_tear:

UPDATE: I have a part of a solution, but I don’t like it.
I added the gateway as a trusted proxy, BUT if for some reason I (or an automated task) have to destroy my Docker network and my containers, Docker won’t guarantee that it’ll have the same network IP range, so I’ll have to update them manually. Isn’t there a more elegant solution?
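Why the Cloudflare ranges alone do not help here: with a Cloudflare tunnel the request reaches Nextcloud from the cloudflared container over the Docker network, so REMOTE_ADDR is the Docker gateway (172.24.0.1), not a Cloudflare edge address. Nextcloud only reads the forwarded-for headers when the direct peer is listed in trusted_proxies; that rule is what stops any client from choosing its own logged address by sending a header. The following Python is an added illustration written for this thread, not Nextcloud's own code, modelling that documented rule. It assumes the headers are consulted in the configured order with the first valid address winning (check your Nextcloud version for its exact precedence), and it uses constructed requests with documentation addresses (203.0.113.7, 198.51.100.9).

```python
"""Trusted-proxy resolution of the logged client IP, modelled on the documented
Nextcloud behaviour (example code written for this thread, not Nextcloud's own)."""
import ipaddress
from typing import Mapping, Sequence

# IPv4 ranges from the poster's trusted_proxies (Cloudflare edge ranges).
CLOUDFLARE_IPV4 = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
]

# Header precedence as configured in the post. This example consults them in
# listed order and takes the first valid address (an assumption of this
# example; check your Nextcloud version for its exact precedence).
FORWARDED_FOR_HEADERS = ["HTTP_CF_CONNECTING_IP", "HTTP_X_FORWARDED_FOR"]


def is_trusted_proxy(remote_addr: str, trusted_proxies: Sequence[str]) -> bool:
    """True if REMOTE_ADDR falls inside any configured address or CIDR range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed entry must never widen trust
        if addr.version == net.version and addr in net:
            return True
    return False


def resolve_client_ip(server: Mapping[str, str],
                      trusted_proxies: Sequence[str],
                      forwarded_for_headers: Sequence[str] = FORWARDED_FOR_HEADERS) -> str:
    """Return the address that would be logged as remoteAddr."""
    remote_addr = server.get("REMOTE_ADDR", "")
    # Forwarded headers are only believed when the direct peer is trusted;
    # otherwise any client could pick its own logged address.
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        return remote_addr
    for header in forwarded_for_headers:
        value = server.get(header)
        if not value:
            continue
        for candidate in value.split(","):
            candidate = candidate.strip()
            if candidate.startswith("[") and candidate.endswith("]"):
                candidate = candidate[1:-1]  # bracketed IPv6 literal
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue
            return candidate
    return remote_addr


# Constructed request as it arrives from the cloudflared container over the
# Docker network: REMOTE_ADDR is the Docker gateway, the real client sits in
# CF-Connecting-IP (203.0.113.7 is a documentation address).
REQUEST_VIA_TUNNEL = {
    "REMOTE_ADDR": "172.24.0.1",
    "HTTP_CF_CONNECTING_IP": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7, 172.24.0.1",
}

# Constructed request from a peer that is not a trusted proxy but still sends
# a forwarded-for header; the header must be ignored.
REQUEST_DIRECT_UNTRUSTED = {
    "REMOTE_ADDR": "198.51.100.9",
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",
}


def logged_ip_with_cloudflare_only() -> str:
    """Poster's original config: the Docker gateway is not a Cloudflare address."""
    return resolve_client_ip(REQUEST_VIA_TUNNEL, CLOUDFLARE_IPV4)


def logged_ip_with_docker_subnet() -> str:
    """Poster's workaround: the Docker network is trusted as well."""
    return resolve_client_ip(REQUEST_VIA_TUNNEL, CLOUDFLARE_IPV4 + ["172.24.0.0/16"])


def logged_ip_untrusted_peer() -> str:
    """Untrusted peer: its forwarded-for header does not change the logged IP."""
    return resolve_client_ip(REQUEST_DIRECT_UNTRUSTED, CLOUDFLARE_IPV4 + ["172.24.0.0/16"])


if __name__ == "__main__":
    print("Cloudflare ranges only:", logged_ip_with_cloudflare_only())
    print("Docker subnet trusted: ", logged_ip_with_docker_subnet())
    print("Untrusted peer:        ", logged_ip_untrusted_peer())
```

The first call reproduces the log line from the post (172.24.0.1 is returned unchanged because the gateway matches none of the Cloudflare ranges); the second shows why adding the Docker subnet makes CF-Connecting-IP appear. Trusting the whole Docker subnet rather than one gateway address, and pinning that subnet when the network is created (Docker networks can be given a fixed subnet), keeps the entry valid when the network is recreated.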

Hi,

CIDR notation for IPv6 is currently work in progress and thus not available yet:

1 Like

Noted, thanks.
I removed them but it didn’t solve the issue.

Take a look at this wiki article… this is a good starting point.

2 Likes