Nextcloud Docker - reverse proxy issues

Configuration Question - reverse proxy and IP Blacklist

Nextcloud version: 29.0.3
Operating system and version: Ubuntu 24.04e
Container: Docker

The issue you are facing:

I would like some advice on how to configure my reverse proxies as I’m getting the “Your IP 10.0.0.1 was blacklisted and throttled” error message when accessing nextcloud.

Here is the setup:

Internet -> Cloudflare proxy -> Router (int IP: 10.0.0.1) with HaProxy -> Docker Host (intIP: 10.0.0.10) with Traefik V3 (intIP: 192.168.0.1) -> Nextcloud Docker (IP: 192.168.0.2)

Nextcloud is installed and works fine (incl. CalDAV).
Proxy Config:

  • HaProxy: backend points to Traefik IP (10.0.0.10), SSL enabled, SSL check off, no other special redirects etc
  • Traefik: letsencrypt SSL with Cloudflare DNS, HTTP redirect to HTTPS, routes URL to internal docker nextcloud IP and port

Traefik labels used:


  - traefik.enable=true
  - traefik.http.routers.nextcloud.entrypoints=web
  - traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.com`)
  - traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https
  - traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect
  - traefik.http.routers.nextcloud-secure.entrypoints=websecure
  - traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.example.com`)
  - traefik.http.routers.nextcloud-secure.tls.certresolver=letsencrypt
  - traefik.http.routers.nextcloud-secure.tls=true
  - traefik.http.routers.nextcloud-secure.middlewares=nextcloud-dav,nextcloud-header
  - traefik.http.services.nextcloud-secure.loadbalancer.server.port=80
  - traefik.http.middlewares.nextcloud-dav.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav
  - traefik.http.middlewares.nextcloud-dav.redirectRegex.replacement=https://$${1}/remote.php/dav/
  - traefik.http.middlewares.nextcloud-dav.redirectRegex.permanent=true
  - traefik.http.middlewares.nextcloud-header.headers.referrerPolicy=no-referrer
  - traefik.http.middlewares.nextcloud-header.headers.stsSeconds=15552000
  - traefik.http.middlewares.nextcloud-header.headers.forceSTSHeader=true
  - traefik.http.middlewares.nextcloud-header.headers.stsPreload=true
  - traefik.http.middlewares.nextcloud-header.headers.stsIncludeSubdomains=true
  - traefik.http.middlewares.nextcloud-header.headers.browserXssFilter=true
  - traefik.http.middlewares.nextcloud-header.headers.customRequestHeaders.X-Forwarded-Proto=https
  - com.centurylinklabs.watchtower.monitor-only=true

Nextcloud Proxy config
(to get rid of the proxy error message)

  - TRUSTED_PROXIES=192.168.0.0/24
  - OVERWRITEPROTOCOL=https

The only way I could overcome the blacklist issue is by whitelisting my router IP: 10.0.0.1

Any help is appreciated. Thanks

If you chain multiple reverse proxies, you must ensure each subsequent proxy trusts the previous one and the forwarded HTTP headers remain intact. This is the only way to know the origin of the request (the real IP). Most likely Traefik doesn’t trust the Router/HaProxy or the Cloudflare proxy, so headers added there are not trusted.

For Traefik, set the --entrypoints.web-secure.forwardedHeaders.trustedIPs=10.0.0.1/32 command option, or add this to your static configuration file (YAML syntax):

entryPoints:
  web-secure:
    ...
    forwardedHeaders:
      trustedIPs: 10.0.0.1/32

and make HaProxy trust Cloudflare IPs as a trusted proxy

brilliant ! Thanks !
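
The chained-proxy trust rule from the answer above, as an added example that is not part of the original thread: a simplified Python model in which every hop keeps the incoming X-Forwarded-For only when the connecting address is in its trusted list, then appends that address. The client and Cloudflare addresses are constructed documentation-range values, and both the uniform per-hop behaviour and the right-to-left resolver are assumptions of this model, not HaProxy's, Traefik's or Nextcloud's own code.

```python
from ipaddress import ip_address, ip_network

CLIENT = "203.0.113.7"        # constructed client address (documentation range)
CF_EDGE = "198.51.100.20"     # constructed stand-in for a Cloudflare edge IP
CF_RANGE = "198.51.100.0/24"  # constructed stand-in for Cloudflare's published ranges

def is_trusted(ip, cidrs):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)

def header_at_app(client, hops):
    """hops: (name, own_ip, trusted_cidrs) in request order.
    Returns (X-Forwarded-For list at the app, app's peer IP, hops that discarded it)."""
    peer, xff, dropped = client, [], []
    for name, own_ip, trusted in hops:
        if xff and not is_trusted(peer, trusted):
            dropped.append(name)  # upstream header not trusted: start over
            xff = []
        xff = xff + [peer]        # record the address that connected to this hop
        peer = own_ip
    return xff, peer, dropped

def resolve_client(peer, xff, trusted):
    """Generic rule (assumption): walk the header right to left and return the
    first address that is not a trusted proxy; fall back to the peer."""
    if not is_trusted(peer, trusted):
        return peer
    for ip in reversed(xff):
        if not is_trusted(ip, trusted):
            return ip
    return peer

def chain(haproxy_trust, traefik_trust):
    # Addresses of the HaProxy and Traefik hops are taken from the thread.
    return [("cloudflare", CF_EDGE, []),
            ("haproxy", "10.0.0.1", haproxy_trust),
            ("traefik", "192.168.0.1", traefik_trust)]

if __name__ == "__main__":
    cases = [("as posted", [], []),
             ("traefik trusts haproxy", [], ["10.0.0.1/32"]),
             ("every hop trusts the previous", [CF_RANGE], ["10.0.0.1/32"])]
    for label, h_trust, t_trust in cases:
        xff, peer, dropped = header_at_app(CLIENT, chain(h_trust, t_trust))
        print(f"{label}: XFF={', '.join(xff)} peer={peer} discarded_at={dropped}")
```

In the "as posted" case the only address left in the header is 10.0.0.1, which matches the address named in the throttling message.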