The Basics
- Nextcloud Server version (e.g., 29.x.x):
  - Nextcloud Hub 10 (31.0.5)
- Operating system and version (e.g., Ubuntu 24.04):
  - Debian GNU/Linux 12 (bookworm)
- Web server and version (e.g., Apache 2.4.25):
  - No idea – whatever is in the Docker container
- Reverse proxy and version (e.g., nginx 1.27.2):
  - Caddy 2.10
- PHP version (e.g., 8.3):
  - No idea – whatever is in the Docker container
- Is this the first time you’ve seen this error? (Yes / No):
  - No
- When did this problem seem to first start?
  - A month ago
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
  - Docker
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
  - No
Summary of the issue you are facing:
I’m running Nextcloud in a Docker container, with Caddy acting as a reverse proxy and Crowdsec handling, well, security.
A few months ago, whenever I stepped out of the house, I started getting notifications from Crowdsec that the IP I was using my phone from (be it the one of the mobile network or the VPN, if the phone was connected to one) was banned due to the crowdsecurity/http-generic-bf scenario. After some digging, I discovered that Crowdsec was being triggered by Caddy log entries such as the one below.
The question I have for you is: am I doing anything wrong with the way I’m proxying Nextcloud? Why is Caddy assuming that the authentication failed, when Nextcloud itself is not reporting any problems and, more importantly, I can sync my contacts without any problems (when I’m not banned, that is)?
For authentication, Nextcloud is configured with Authelia as its OIDC provider. This has been working flawlessly for web, Desktop and mobile apps. Recently, when all these errors began popping up, I replaced the config that the mobile app was generating for my iPhone with manual configuration of the Cal/CardDAV servers, with a separate app password, generated in Nextcloud. Initial setup works fine, syncing works fine – until I step out of the house and am no longer connected to the (whitelisted in Crowdsec) home network.
Log entries
Nextcloud
There are no relevant Nextcloud entries. On some of the days there are no entries whatsoever, and I have set 'loglevel' => 1 in config.php.
Web server / Reverse Proxy
{
"level": "info",
"ts": 1748935246.9288347,
"logger": "http.log.access.log0",
"msg": "handled request",
"request": {
"remote_ip": "212.39.89.45",
"remote_port": "41850",
"client_ip":"212.39.89.45",
"proto":"HTTP/2.0",
"method":"PROPFIND",
"host":"cloud.mydomain.com",
"uri":"/remote.php/dav/addressbooks/users/zkvvoob/z-app-generated--contactsinteraction--recent/",
"headers":{
"Accept":["*/*"],
"Accept-Encoding":["gzip, deflate, br"],
"Content-Length":["181"],
"Content-Type":["text/xml"],
"Depth":["0"],
"Accept-Language":["bg-BG,bg;q=0.9"],
"Prefer":["return=minimal"],
"Brief":["t"],
"User-Agent":["iOS/18.5 (22F76) dataaccessd/1.0"]
},
"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.mydomain.com"}
},
"bytes_read":181,
"user_id":"",
"duration":0.024832559,
"size":477,
"status":401,
"resp_headers":{
"Server":["nginx"],
"X-Content-Type-Options":["nosniff"],
"Content-Type":["application/xml;charset=utf-8"],
"Content-Security-Policy":["default-src 'none';"],
"X-Permitted-Cross-Domain-Policies":["none"],
"Via":["2.0 Caddy"],
"Strict-Transport-Security":["max-age=31536000;"],
"Referrer-Policy": ["no-referrer"],
"Alt-Svc": ["h3=\":443\"; ma=2592000"],
"X-Xss-Protection": [
"1",
"1; mode=block"
],
"Date": ["Tue, 03 Jun 2025 07:20:46 GMT"],
"Set-Cookie": ["REDACTED"],
"X-Frame-Options":["SAMEORIGIN"],
"Www-Authenticate":["Basic realm=\"Nextcloud\", charset=\"UTF-8\""],
"X-Robots-Tag": ["noindex, nofollow"]
}
}
Crowdsec Alert entry
- ID : 4803
- Date : 2025-06-03T07:20:46Z
- Machine : localhost
- Simulation : false
- Remediation : true
- Reason : crowdsecurity/http-generic-bf
- Events Count : 6
- Scope:Value : Ip:212.39.89.45
- Country : BG
- AS : T-Mobile
- Begin : 2025-06-03 07:20:42.231681397 +0000 UTC
- End : 2025-06-03 07:20:45.875052315 +0000 UTC
- UUID : bd35afff-83b7-4aa1-a647-f499250769e5
╭─────────────────────────────────────────────────────────────────────────╮
│ Active Decisions │
├──────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│ ID │ scope:value │ action │ expiration │ created_at │
├──────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 22275058 │ Ip:212.39.89.45 │ ban │ 3h46m37s │ 2025-06-03T07:20:46Z │
╰──────────┴─────────────────┴────────┴────────────┴──────────────────────╯
- Context :
╭────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method │ REPORT │
│ method │ PROPFIND │
│ status │ 401 │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/1/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/z-app-generated- │
│ │ -contactsinteraction--recent/ │
│ target_uri │ /remote.php/dav/principals/users/zkvvoob/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/ │
│ user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
╰────────────┴──────────────────────────────────────────────────────────────╯
- Events :
- Date: 2025-06-03 10:20:42 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:42+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:43 +0300 +0300
╭─────────────────┬────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/1/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:43+03:00 │
╰─────────────────┴────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:44 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-app-generated- │
│ │ -contactsinteraction--recent/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:44+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:44 +0300 +0300
╭─────────────────┬────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/principals/users/zkvvoob/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:44+03:00 │
╰─────────────────┴────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:45 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:45+03:00 │
╰─────────────────┴──────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:45 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:45+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
<?php
$CONFIG = array (
'datadirectory' => '/data',
'instanceid' => 'something',
'passwordsalt' => 'salt',
'secret' => 'secret',
'trusted_domains' =>
array (
0 => '10.0.0.77:10443',
1 => 'cloud.mydomain.com',
),
'trusted_proxies' =>
array (
0 => '10.0.0.0/8',
1 => '172.18.0.0/12',
),
'dbtype' => 'pgsql',
'version' => '31.0.5.1',
'overwrite.cli.url' => 'https://cloud.mydomain.com',
'dbname' => 'nextcloud',
'dbhost' => 'postgres',
'dbport' => '5432',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'dbpassword',
'installed' => true,
'default_language' => 'bg',
'default_locale' => 'bg_BG',
'default_phone_region' => 'BG',
'mail_domain' => 'mydomain.com',
'mail_from_address' => 'noreply',
'mail_smtphost' => 'mail.mydomain.com',
'mail_smtpport' => '465',
'mail_smtpsecure' => 'ssl',
'mail_smtpauth' => 1,
'mail_smtpname' => 'noreply@mydomain.com',
'mail_smtppassword' => 'smtppassword',
'mail_smtpdebug' => true,
'overwritehost' => 'cloud.mydomain.com',
'overwriteprotocol' => 'https',
'htaccess.RewriteBase' => '/',
'logtimezone' => 'Europe/Sofia',
'filelocking.enabled' => 'true',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'redis',
'port' => 6379,
),
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://auth.mydomain.com',
'oidc_login_client_id' => 'long-client-id',
'oidc_login_client_secret' => 'client-secret',
'oidc_login_auto_redirect' => true,
'oidc_login_logout_url' => '',
'oidc_login_end_session_redirect' => false,
'oidc_login_default_quota' => '',
'oidc_login_button_text' => 'Log in with Authelia',
'oidc_login_hide_password_form' => true,
'oidc_login_use_id_token' => false,
'oidc_login_attributes' =>
array (
'id' => 'preferred_username',
'name' => 'name',
'mail' => 'email',
'groups' => 'groups',
'login_filter' => 'groups',
'is_admin' => 'groups_admin',
),
'oidc_login_default_group' => '',
'oidc_login_filter_allowed_values' =>
array (
0 => 'admin',
1 => 'nextcloud',
),
'oidc_login_use_external_storage' => false,
'oidc_login_scope' => 'openid email profile groups',
'oidc_login_proxy_ldap' => false,
'oidc_login_disable_registration' => false,
'oidc_login_redir_fallback' => true,
'oidc_login_alt_login_page' => false,
'oidc_login_tls_verify' => true,
'oidc_create_groups' => false,
'oidc_login_webdav_enabled' => false,
'oidc_login_password_authentication' => true,
'oidc_login_public_key_caching_time' => 86400,
'oidc_login_min_time_between_jwks_requests' => 10,
'oidc_login_well_known_caching_time' => 86400,
'oidc_login_update_avatar' => false,
'oidc_login_skip_proxy' => true,
'oidc_login_code_challenge_method' => 'S256',
'maintenance' => false,
'maintenance_window_start' => 1,
'loglevel' => 1,
'upgrade.disable-web' => true,
'allow_local_remote_servers' => true,
'onlyoffice' =>
array (
'verify_peer_off' => true,
'jwt_secret' => 'some-secret',
),
'app_install_overwrite' =>
array (
0 => 'documentserver_community',
1 => 'oidc_login',
2 => 'breezedark',
3 => 'files_markdown',
4 => 'tasks',
),
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'simpleSignUpLink.shown' => false,
'files.chunked_upload.max_size' => 524288000,
);
Apps
- activity: 4.0.0
- app_api: 5.0.2
- breezedark: 29.0.0
- bruteforcesettings: 4.0.0
- calendar: 5.2.4
- cloud_federation_api: 1.14.0
- contacts: 7.1.1
- contactsinteraction: 1.12.0
- dav: 1.33.0
- federatedfilesharing: 1.21.0
- files: 2.3.1
- files_downloadlimit: 4.0.0
- files_markdown: 2.4.1
- files_pdfviewer: 4.0.0
- files_reminders: 1.4.0
- files_sharing: 1.23.1
- files_trashbin: 1.21.0
- files_versions: 1.24.0
- firstrunwizard: 4.0.0
- logreader: 4.0.0
- lookup_server_connector: 1.19.0
- nextcloud_announcements: 3.0.0
- notes: 4.12.0
- notifications: 4.0.0
- oauth2: 1.19.1
- oidc_login: 3.2.2
- password_policy: 3.0.0
- photos: 4.0.0-dev.1
- privacy: 3.0.0
- profile: 1.0.0
- provisioning_api: 1.21.0
- recommendations: 4.0.0
- related_resources: 2.0.0
- serverinfo: 3.0.0
- settings: 1.14.0
- sharebymail: 1.21.0
- tasks: 0.16.1
- text: 5.0.0
- theming: 2.6.1
- twofactor_backupcodes: 1.20.0
- twofactor_totp: 13.0.0-dev.0
- updatenotification: 1.21.0
- viewer: 4.0.0
- weather_status: 1.11.0
- webhook_listeners: 1.2.0
- workflowengine: 2.13.0
Disabled:
- admin_audit: 1.21.0
- circles: 31.0.0 (installed 27.0.1)
- comments: 1.21.0 (installed 1.17.0)
- dashboard: 7.11.0 (installed 7.9.0)
- documentserver_community: 0.1.20 (installed 0.1.20)
- encryption: 2.19.0
- federation: 1.21.0 (installed 1.17.0)
- files_external: 1.23.0
- files_rightclick: 1.6.0 (installed 1.6.0)
- maps: 1.5.0 (installed 1.5.0)
- news: 25.3.1 (installed 25.3.1)
- support: 3.0.0 (installed 1.10.0)
- survey_client: 3.0.0 (installed 1.15.0)
- suspicious_login: 9.0.1
- systemtags: 1.21.1 (installed 1.17.0)
- twofactor_nextcloud_notification: 5.0.0
- user_ldap: 1.22.0
- user_oidc: 7.1.0 (installed 7.1.0)
- user_status: 1.11.0 (installed 1.9.0)
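
An added example, not part of the original post: the logged request above carries no Authorization header and the 401 response carries a `Www-Authenticate: Basic` challenge, so this sketch reads Caddy JSON access-log lines and separates such challenge 401s from 401s where credentials were actually sent and refused. The function names, the constructed sample lines and the address 203.0.113.7 are assumptions made for illustration, as is the assumption that Caddy logs a sent Authorization header under its name with a redacted value.

```python
import json
from collections import Counter, defaultdict

DAV_PREFIX = "/remote.php/dav/"

def classify(entry):
    """Label a 401 on a DAV path as 'challenge', 'rejected' or 'other'; None otherwise."""
    req = entry.get("request", {})
    if entry.get("status") != 401 or not req.get("uri", "").startswith(DAV_PREFIX):
        return None
    sent = {k.lower() for k in req.get("headers", {})}
    answered = {k.lower() for k in entry.get("resp_headers", {})}
    if "authorization" in sent:
        return "rejected"    # credentials were sent and refused
    if "www-authenticate" in answered:
        return "challenge"   # no credentials sent; the server asked for them
    return "other"

def summarize(lines):
    """Count classified 401s per client IP from JSON access-log lines."""
    per_ip = defaultdict(Counter)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue         # skip blank or non-JSON lines
        kind = classify(entry) if isinstance(entry, dict) else None
        if kind:
            ip = entry.get("request", {}).get("client_ip", "unknown")
            per_ip[ip][kind] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

def make_line(method, uri, status, auth=False):
    # Constructed log line, trimmed to the fields used above.
    headers = {"User-Agent": ["iOS/18.5 (22F76) dataaccessd/1.0"]}
    if auth:
        headers["Authorization"] = ["REDACTED"]  # assumed redacted form
    resp = {"Www-Authenticate": ['Basic realm="Nextcloud", charset="UTF-8"']} if status == 401 else {}
    return json.dumps({"request": {"client_ip": "203.0.113.7", "method": method,
                                   "uri": uri, "headers": headers},
                       "status": status, "resp_headers": resp})

SAMPLE = [  # constructed, modelled on the entry and alert context in the post
    make_line("PROPFIND", "/remote.php/dav/principals/users/zkvvoob/", 401),
    make_line("PROPFIND", "/remote.php/dav/addressbooks/users/zkvvoob/", 401),
    make_line("REPORT", "/remote.php/dav/addressbooks/users/zkvvoob/1/", 401),
    make_line("PROPFIND", "/remote.php/dav/addressbooks/users/zkvvoob/", 207, auth=True),
    make_line("REPORT", "/remote.php/dav/addressbooks/users/zkvvoob/1/", 401, auth=True),
    "not json",
]
```

Calling `summarize(open("/var/log/caddy/mydomain.com.log"))` on the log file named in the alert gives the per-IP split; a result dominated by `challenge` means the 401s precede the authenticated retry rather than reflect wrong passwords.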