Nextcloud accessible from everywhere except own IP

Nextcloud version: 16.0.4
Operating system and version: Ubuntu 18
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.29
PHP version (eg, 7.1): PHP 7.2.19-0ubuntu0.18.04.1
Running on a QNAP TS-253A, installed with a VM from hanssonit.se / techandme.se

I can access my Nextcloud from other PCs with other IPs, via hotspot with my mobile, but not with any device from my home IP (laptop, PC, mobile, …).

The problem occurred yesterday evening for the first time. Long story: I had the hanssonit Nextcloud running for some months, but as it was a little slow, a friend of mine transferred the data from my Nextcloud to a new installation of a clean, minimalized Nextcloud. As we had problems with this Nextcloud version (all downloads stopped at 16 KB and we were not able to find the problem), we decided to reactivate the old Nextcloud. We just changed the internal IP on the router to forward to the “old” hanssonit NC instead of the minimal NC. From that time on, we cannot access it from my home IP. But that’s where we have to have the main access with many devices.

Deactivating the brute-force settings didn’t help.

This is the output of my fail2ban-log:


2019-08-24 06:25:41,943 fail2ban.server         [1580]: INFO    rollover performed on /var/log/fail2ban.log
2019-08-25 21:35:25,927 fail2ban.server         [1580]: INFO    Shutdown in progress...
2019-08-25 21:35:25,972 fail2ban.server         [1580]: INFO    Stopping all jails
2019-08-25 21:35:25,973 fail2ban.filter         [1580]: INFO    Removed logfile: '/var/log/auth.log'
2019-08-25 21:35:25,974 fail2ban.filter         [1580]: INFO    Removed logfile: '/var/log/auth.log'
2019-08-25 21:35:25,976 fail2ban.filter         [1580]: INFO    Removed logfile: '/mnt/ncdata/nextcloud.log'
2019-08-25 21:35:26,002 fail2ban.actions        [1580]: NOTICE  [nextcloud] Flush ticket(s) with iptables-multiport
2019-08-25 21:35:26,020 fail2ban.actions        [1580]: NOTICE  [sshd] Flush ticket(s) with iptables-multiport
2019-08-25 21:35:26,021 fail2ban.actions        [1580]: NOTICE  [ssh] Flush ticket(s) with iptables-multiport
2019-08-25 21:35:26,402 fail2ban.actions        [1580]: NOTICE  [nextcloud] Unban !!!MY IP!!!
2019-08-25 21:35:26,579 fail2ban.jail           [1580]: INFO    Jail 'sshd' stopped
2019-08-25 21:35:27,265 fail2ban.jail           [1580]: INFO    Jail 'ssh' stopped
2019-08-25 21:35:27,266 fail2ban.jail           [1580]: INFO    Jail 'nextcloud' stopped
2019-08-25 21:35:27,322 fail2ban.database       [1580]: INFO    Connection to database closed.
2019-08-25 21:35:27,323 fail2ban.server         [1580]: INFO    Exiting Fail2ban
2019-08-25 21:38:16,664 fail2ban.server         [1643]: INFO    --------------------------------------------------
2019-08-25 21:38:16,702 fail2ban.server         [1643]: INFO    Starting Fail2ban v0.10.2
2019-08-25 21:38:17,593 fail2ban.database       [1643]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-08-25 21:38:18,357 fail2ban.jail           [1643]: INFO    Creating new jail 'sshd'
2019-08-25 21:38:21,761 fail2ban.jail           [1643]: INFO    Jail 'sshd' uses pyinotify {}
2019-08-25 21:38:21,784 fail2ban.jail           [1643]: INFO    Initiated 'pyinotify' backend
2019-08-25 21:38:21,795 fail2ban.filter         [1643]: INFO      maxLines: 1
2019-08-25 21:38:21,881 fail2ban.server         [1643]: INFO    Jail sshd is not a JournalFilter instance
2019-08-25 21:38:22,302 fail2ban.filter         [1643]: INFO    Added logfile: '/var/log/auth.log' (pos = ..., hash = ...
2019-08-25 21:38:22,316 fail2ban.filter         [1643]: INFO      encoding: UTF-8

In the Apache error.log I find this (and more, but I think this is relevant and I don’t know what information to delete for identification purposes):

[Sun Aug 25 21:35:27.084891 2019] [proxy_fcgi:error] [pid 15476:tid 140089451009792] [client MY-IP!!!:61882] AH01079: failed to make connection to backend: httpd-UDS
[Sun Aug 25 21:35:28.064489 2019] [proxy:error] [pid 15476:tid 140089526544128] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /run/php/php7$

Thanks in advance for help.

I am having the same problem, any progress on your end?

No, unfortunately. At the moment I just have no idea where to proceed to find a solution.

And what is “your IP”? Is this some laptop within the same network as Nextcloud? Or is it the same machine that is running Nextcloud?
Because in the first case your IP will be e.g. 10.0.0.10 and the IP of the Nextcloud server e.g. 10.0.0.200. Now you have to check if you can access it directly via https://10.0.0.200/index.php --> You have to see a Trusted Domain error or an open NC (depends on your config). In this case transport between your laptop and the NC server works fine, and let's dig into it.

If it is the same local machine, you will usually access it via 127.0.0.1 localhost, or go “out” via the router and back to the machine. It is another use case.

In any case you have posted a proxy error. PHP FCGI could not communicate correctly, let's see why.


Thank you for your reply!

I access NC via a domain, like my.nextcloud.com. As I have a fixed IP from my internet provider (at least it hasn’t changed for months), there is an A-name forwarding to the external IP of my router. The router has port forwarding for port 443 and port 80 to the internal IP of NC. From within the home network (internet connection via my router) I wasn’t able to access Nextcloud a) via domain, b) via the external IP and c) via the internal IP. After changing the trusted domains in config, I am now able to access via the internal IP.

I’ll try to learn about solving the proxy error.

Glad to hear it! Seems you have some config problem to access VM. Not sure why trusted domains can solve it at least partly, basically it only tells Nextcloud from which Domain you should be able to open it.


Yeah, and it’s not really a solution for me, just a little step forward. In the end I have to access NC via the domain, because some of the devices (laptop, mobiles) we need to access from our LAN/WLAN (here we could just use the internal IP) but also from outside…

Please check your QNAP setup. Is there a kind of IP white/black listing enabled? Is access restricted per IP?

You can also try the test with your hosts file on the local PC, e.g. add the NC domain with a local IP to your /etc/hosts as:

10.0.0.200    yourNCDomain.com

This will help you to check if it is now accessible via the domain in the LAN only. In this case something is wrong with the access settings.

You might also look into whether your router supports hairpin NAT, which would allow you to use the same external domain name from systems on your LAN without having to bug around with the trusted domains and use different ones depending on location.

Are you accessing it via private IP, public IP, or FQDN? Does the name resolve correctly on devices on your LAN?

Thanks very much to all of you and “Sorry” for my late reply!

I decided to reinstall my Nextcloud because there were even more problems appearing in the admin protocol…

Very much appreciating your help!

Faced the same issue lately (Jan 2022)

Fixed:

  1. fail2ban jail:
    Added my external IP to “ignoreip”
  2. deleted my external IP from mysql database “brute force”
    Brute force protection needs Improvements
  3. downloaded “brute force” App and whitelisted my external IP
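
Before adding an address to “ignoreip” as in the fix above, it helps to confirm which jail is actually holding the ban. The following is an added example, not part of the thread: it replays Ban / Restore Ban / Unban events from fail2ban.log, using constructed sample lines in the format of the log posted earlier and documentation IP addresses in place of real ones.

```python
import re
from collections import defaultdict

# Matches fail2ban.actions NOTICE lines such as
#   "... fail2ban.actions [1580]: NOTICE  [nextcloud] Ban 203.0.113.7"
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<verb>Restore Ban|Ban|Unban)\s+(?P<ip>\S+)\s*$"
)

def banned_state(lines):
    """Replay ban events in order; return {jail: {ip: timestamp of last ban}}."""
    state = defaultdict(dict)
    for line in lines:
        m = ACTION_RE.match(line)
        if not m:
            continue  # INFO lines, "Flush ticket(s)", "already banned", ...
        if m["verb"] == "Unban":
            state[m["jail"]].pop(m["ip"], None)
        else:  # "Ban", or "Restore Ban" re-applied from the persistent database
            state[m["jail"]][m["ip"]] = m["ts"]
    return {jail: ips for jail, ips in state.items() if ips}

def jails_blocking(lines, ip):
    """Names of the jails in which `ip` is still banned at the end of the log."""
    return sorted(j for j, ips in banned_state(lines).items() if ip in ips)

# Constructed sample: a ban, a service restart (every ban is lifted on shutdown),
# then only the nextcloud ban is restored from the database.
SAMPLE_LOG = """\
2019-08-25 20:10:03,114 fail2ban.actions        [1580]: NOTICE  [nextcloud] Ban 203.0.113.7
2019-08-25 20:12:44,530 fail2ban.actions        [1580]: NOTICE  [sshd] Ban 198.51.100.23
2019-08-25 21:35:26,002 fail2ban.actions        [1580]: NOTICE  [nextcloud] Flush ticket(s) with iptables-multiport
2019-08-25 21:35:26,402 fail2ban.actions        [1580]: NOTICE  [nextcloud] Unban 203.0.113.7
2019-08-25 21:35:26,410 fail2ban.actions        [1580]: NOTICE  [sshd] Unban 198.51.100.23
2019-08-25 21:38:16,702 fail2ban.server         [1643]: INFO    Starting Fail2ban v0.10.2
2019-08-25 21:38:23,010 fail2ban.actions        [1643]: NOTICE  [nextcloud] Restore Ban 203.0.113.7
"""

if __name__ == "__main__":
    print(jails_blocking(SAMPLE_LOG.splitlines(), "203.0.113.7"))
```

An “Unban” written during shutdown, like the one in the posted log, only shows that the address was banned up to that point; whether the ban came back after the restart has to be read from the lines that follow, or from `fail2ban-client status nextcloud` on the running server.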