Nextcloud version 20.0.4
Operating system and version Ubuntu 20.04
Apache or nginx version Apache 2.4.41-4ubuntu3.1
PHP version 7.4
The issue you are facing:
All logins are given a brute-force warning banner, and after checking the table (oc_bruteforce_attempts), Nextcloud is recording the IP of my reverse proxy instead of the client IP in the logs.
For reference, Nextcloud is at 192.168.5.44, the proxy (HAProxy) is 192.168.5.200.
The device I’ve used mostly for testing usually resides at 192.168.5.225.
Is this the first time you’ve seen this error? Y
Steps to replicate it:
- Configure Nextcloud behind HTTP-mode HAProxy with TLS termination, with option forwardfor.
- Attempt to login
- Note incorrect IP address logged when manually querying the oc_bruteforce_attempts table
The output of your Nextcloud log in Admin > Logging: (Way too many deprecation warnings to show raw)
{"reqId":"qMiy2qGh9aiB0a4XTuB0","level":2,"time":"2021-02-09T02:42:54-05:00","remoteAddr":"192.168.5.200","user":"--","app":"no app in context","method":"POST","url":"/index.php","message":"Login failed: me@my.nextcloud.instance (Remote IP: 192.168.5.200)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36","version":"20.0.4.0"}
{"reqId":"qMiy2qGh9aiB0a4XTuB0","level":1,"time":"2021-02-09T02:42:55-05:00","remoteAddr":"192.168.5.200","user":"--","app":"core","method":"POST","url":"/index.php","message":"Bruteforce attempt from \"192.168.5.200\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36","version":"20.0.4.0"}
The output of your config.php file in /path/to/nextcloud:
<?php
$CONFIG = array (
'trusted_domains' =>
array (
0 => 'localhost',
1 => '192.168.5.200',
2 => 'border', // Note: this is 192.168.5.200
3 => 'files', // Note: domain name for self
),
'forwarded_for_headers' =>
array (
0 => 'HTTP_X_FORWARDED_FOR',
),
'datadirectory' => '/mnt/ncdata',
'dbtype' => 'pgsql',
'version' => '20.0.4.0',
'overwrite.cli.url' => 'https://files',
'overwritehost' => 'files',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'dbname' => 'nextcloud_db',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'ncadmin',
'dbpassword' => '*****',
'installed' => true,
'instanceid' => 'ocado5c8khdc',
'log_type' => 'file',
'logfile' => '/var/log/nextcloud/nextcloud.log',
'loglevel' => 0,
'log.condition' =>
array (
'apps' =>
array (
0 => 'admin_audit',
),
),
'mail_smtpmode' => 'smtp',
'remember_login_cookie_lifetime' => '1800',
'log_rotate_size' => '10485760',
'trashbin_retention_obligation' => 'auto, 180',
'versions_retention_obligation' => 'auto, 365',
'simpleSignUpLink.shown' => false,
'memcache.local' => '\\OC\\Memcache\\APCu',
'filelocking.enabled' => true,
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.5,
'dbindex' => 0,
'password' => '*****',
),
'logtimezone' => 'America/Indiana/Indianapolis',
'htaccess.RewriteBase' => '/nextcloud',
'app_install_overwrite' =>
array (
0 => 'joplin',
1 => 'uploaddetails',
2 => 'dropit',
3 => 'breezedark',
),
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
'updater.release.channel' => 'stable',
);
The output of your Apache/nginx/system log in /var/log/apache2:
files:80 192.168.5.200 - - [09/Feb/2021:02:42:53 -0500] "POST /login HTTP/1.1" 303 804 "https://files/login?redirect_url=/settings/admin/logging" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36"
files:80 192.168.5.200 - - [09/Feb/2021:02:42:55 -0500] "GET /login?redirect_url=/settings/admin/logging&user=me@my.nextcloud.instance HTTP/1.1" 200 7055 "https://files/login?redirect_url=/settings/admin/logging" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36"
Additional notes:
Captured request is showing that it’s sending the header (check the bottom):
GET /login?redirect_url=/settings/admin/logging&user=me@my.nextcloud.instance HTTP/1.1
cache-control: max-age=0
sec-ch-ua: "Chromium";v="87", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.142 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
host: files
x-forwarded-for: 192.168.5.225
The only strange thing I see about that request is that HTTP/1 headers are usually capitalized, such as X-Forwarded-For, but since the front-end connection is HTTP/2, in which headers are lowercase, HAProxy isn’t trying to case-convert, but I don’t think case should make a difference?