Nextcloud blocks login via IP though whitelisted

Hi all and greetings!
I am new to the forum, brought a difficult issue (at least for me obviously), and hope someone has the time to read my post and an idea of what I am missing.

My goal is to get Nextcloud up on my Proxmox-HomeServer which is running on a NUC behind my FritzBox Router.

I am using

I have Nginx PM up, and can reach my Router, Proxmox GUI, other containers running stuff like Jira, Jellyfin and so on via a dynDNS subdomain.

I edited the nextcloud config.php to whitelist my local machines' IPs.

  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.<mySubdomain>',
    2 => '192.168.13.202',
    3 => '192.168.13.22',
    4 => '192.168.13.1',
    5 => '192.168.13.200',
  ),

The IPs being

202: Proxmox LXC with Nextcloud
200: Proxmox LXC with NginX
22: my local machine
1: my router

The issue is
If I setup Nextcloud, I can login as admin one time via the container IP like
https://<myNextcloudIP>
then I logout, and after that I get a
warning about invalid login attempts from my IP. The ‘Overview’ page in the admin account says my actions are ‘bruteforce throttled’
I can successfully delete the entry if I login via URL over the proxy and use
occ:security:bruteforce:reset

Login via URL over the Proxy works just fine.

So since I can’t make much sense of it and have no clue where to look further I hope this rings a bell somewhere.

Thanks a lot guys!
cheers
Mirko

P.S.: I just changed php.ini opcache.interned_strings_buffer=32 (was 8) due to a hint in the overview page.
Now if I try to open the local IP of nextcloud the page doesn’t even load…
Wireshark reports a
Destination unreachable (Port unreachable)
Seems very odd…

Hi ernolf,
read your post and tried to implement a few hints, so many thanks for reaching out.

At this time at least the login via my Subdomain URL works.
I read the manual and the config.sample.php and came up with these changes to networking settings

  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.<mySubdomain>',
    2 => '192.168.13.202',
  ),

  'trusted_proxies' => 
  array (
    0 => '192.168.13.200',
    1 => '192.168.13.1'
  ),
  'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],

With the IPs
202: being my Nextcloud Container
200: My Nginx Container
1: My Router

BUT
Connection to Nextcloud-IP 192.168.13.202 via
Desktop PC connected via LAN - Does not work
MobilePhone in local WLAN - works
Desktop PC switched to WLAN - does not work

I am a bit baffled.
I can’t make any sense out of the headers config, any hints here or source I should read???

The Overview Page in the Admin section states

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation ↗.

Appreciate any help, really need to get this setup going…

THX!!

As a sidenote
the webmin gui, terminal and adminer pages under
192.168.13.202:12320-12322 work just fine…

Wanted to catch up quickly to bring this post to an end.

The problem was the Linux Firewall.

Under Fail2ban-client I found my PC IP blocked. I assume when I rolled back to a backup point and didn’t reconnect my Desktop Nextcloud client it tried to reconnect with probably an outdated token of some kind that triggered the Fail2Ban block.
The point is, this block doesn’t show up in the nextcloud PHP commandline interface under security:bruteforce:attempts or in the admin interface.

So clearing that block and properly reconnecting the desktop client did the job.

Cheers

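The check that resolved this thread, as an added example that is not part of the original posts: because a fail2ban ban sits outside Nextcloud's own throttle and is not listed by security:bruteforce:attempts, this script asks every fail2ban jail whether it currently bans a given address. The `F2B` variable, the `fake_f2b` stub, the jail names and the address 192.168.13.105 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: which fail2ban jails currently ban a given address?
# F2B is the command queried; the default is a stub printing constructed
# output. On a real host run as root with F2B=fail2ban-client.
F2B=${F2B:-fake_f2b}

# Constructed sample in the layout of `fail2ban-client status [jail]`.
# Jail names and the second banned address are assumptions.
fake_f2b() {
    if [ "$1" = status ] && [ -z "${2:-}" ]; then
        printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tnextcloud, sshd\n'
    elif [ "${2:-}" = nextcloud ]; then
        printf 'Status for the jail: nextcloud\n`- Actions\n'
        printf '   |- Currently banned:\t2\n'
        printf '   `- Banned IP list:\t192.168.13.22 192.168.13.105\n'
    else
        printf 'Status for the jail: %s\n`- Actions\n' "${2:-}"
        printf '   |- Currently banned:\t0\n   `- Banned IP list:\t\n'
    fi
}

# Print the configured jail names, one per line.
list_jails() {
    $F2B status | sed -n 's/.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Succeed only if the address is a whole entry of the jail's ban list
# (grep -Fx keeps 192.168.13.2 from matching 192.168.13.22).
ip_banned_in_jail() {
    jail=$1 ip=$2
    $F2B status "$jail" | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr ' \t' '\n\n' | grep -Fxq -- "$ip"
}

# Print every jail that bans the address; return 1 if none does.
jails_banning_ip() {
    ip=$1 found=1
    for j in $(list_jails); do
        if ip_banned_in_jail "$j" "$ip"; then echo "$j"; found=0; fi
    done
    return $found
}

# Demo: the desktop PC from the thread, checked against the sample.
# A ban found this way is lifted with: fail2ban-client set <jail> unbanip <ip>
jails_banning_ip 192.168.13.22 || echo "no jail bans that address"
```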