Nextcloud version 20.0.4
Operating system and version Ubuntu 20.04
Apache or nginx version Apache 2.4.41-4ubuntu3.1
PHP version 7.4
The issue you are facing:
All logins are given a brute-force warning banner, and after checking the table (oc_bruteforce_attempts), Nextcloud is recording the IP of my reverse proxy instead of the client IP in the logs.
For reference, Nextcloud is at 192.168.5.44, the proxy (HAProxy) is 192.168.5.200.
The device I’ve used mostly for testing usually resides at 192.168.5.225.
Is this the first time you’ve seen this error? Y
Steps to replicate it:
- Configure Nextcloud behind HTTP-mode HAProxy with TLS termination, with
option forwardfor. - Attempt to login
- Note incorrect IP address logged when manually querying the
oc_bruteforce_attemptstable
The output of your Nextcloud log in Admin > Logging: (Way too many deprecation warnings to show raw)
{"reqId":"qMiy2qGh9aiB0a4XTuB0","level":2,"time":"2021-02-09T02:42:54-05:00","remoteAddr":"192.168.5.200","user":"--","app":"no app in context","method":"POST","url":"/index.php","message":"Login failed: me@my.nextcloud.instance (Remote IP: 192.168.5.200)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36","version":"20.0.4.0"}
{"reqId":"qMiy2qGh9aiB0a4XTuB0","level":1,"time":"2021-02-09T02:42:55-05:00","remoteAddr":"192.168.5.200","user":"--","app":"core","method":"POST","url":"/index.php","message":"Bruteforce attempt from \"192.168.5.200\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36","version":"20.0.4.0"}
The output of your config.php file in /path/to/nextcloud:
<?php
$CONFIG = array (
'trusted_domains' =>
array (
0 => 'localhost',
1 => '192.168.5.200',
2 => 'border', // Note: this is 192.168.5.200
3 => 'files', // Note: domain name for self
),
'forwarded_for_headers' =>
array (
0 => 'HTTP_X_FORWARDED_FOR',
),
'datadirectory' => '/mnt/ncdata',
'dbtype' => 'pgsql',
'version' => '20.0.4.0',
'overwrite.cli.url' => 'https://files',
'overwritehost' => 'files',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'dbname' => 'nextcloud_db',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'ncadmin',
'dbpassword' => '*****',
'installed' => true,
'instanceid' => 'ocado5c8khdc',
'log_type' => 'file',
'logfile' => '/var/log/nextcloud/nextcloud.log',
'loglevel' => 0,
'log.condition' =>
array (
'apps' =>
array (
0 => 'admin_audit',
),
),
'mail_smtpmode' => 'smtp',
'remember_login_cookie_lifetime' => '1800',
'log_rotate_size' => '10485760',
'trashbin_retention_obligation' => 'auto, 180',
'versions_retention_obligation' => 'auto, 365',
'simpleSignUpLink.shown' => false,
'memcache.local' => '\\OC\\Memcache\\APCu',
'filelocking.enabled' => true,
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.5,
'dbindex' => 0,
'password' => '*****',
),
'logtimezone' => 'America/Indiana/Indianapolis',
'htaccess.RewriteBase' => '/nextcloud',
'app_install_overwrite' =>
array (
0 => 'joplin',
1 => 'uploaddetails',
2 => 'dropit',
3 => 'breezedark',
),
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
'updater.release.channel' => 'stable',
);
The output of your Apache/nginx/system log in /var/log/apache2:
files:80 192.168.5.200 - - [09/Feb/2021:02:42:53 -0500] "POST /login HTTP/1.1" 303 804 "https://files/login?redirect_url=/settings/admin/logging" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36"
files:80 192.168.5.200 - - [09/Feb/2021:02:42:55 -0500] "GET /login?redirect_url=/settings/admin/logging&user=me@my.nextcloud.instance HTTP/1.1" 200 7055 "https://files/login?redirect_url=/settings/admin/logging" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36"
Additional notes:
Captured request is showing that it’s sending the header (check the bottom):
GET /login?redirect_url=/settings/admin/logging&user=me@my.nextcloud.instance HTTP/1.1
cache-control: max-age=0
sec-ch-ua: "Chromium";v="87", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
host: files
x-forwarded-for: 192.168.5.225
The only strange thing I see about that request is that HTTP/1 headers are usually capitalized, such as X-Forwarded-For, but since the front-end connection is HTTP/2, in which headers are lowercase, HAProxy isn’t trying to case-convert, but I don’t think case should make a difference?