Nextcloud.log "Login failed" message always from 127.0.0.1 - can't detect ip for fail2ban

Nextcloud version: 26.0.3
Operating system and version: 22.10
nginx version: 1.22.0

For an Ubuntu Nextcloud snap installation I want to set up fail2ban protection. In /var/snap/nextcloud/current/logs/nextcloud.log the "Login failed" message is always recorded from 127.0.0.1, so I can't find the true IP address of attackers in the fail2ban filter.

Output of nextcloud.log:

{"reqId":"oz0xoI5Fp4wjifGz54nA","level":2,"time":"2023-07-10T18:19:54+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: 2345 (Remote IP: 127.0.0.1)","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15","version":"26.0.3.2","data":[]}
{"reqId":"utqpV8dlkzbsD7fGQhJl","level":2,"time":"2023-07-10T18:20:36+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: gghh (Remote IP: 127.0.0.1)","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1","version":"26.3.2","data":[]}

Maybe the problem is in the NGINX configuration?

Content of /etc/nginx/sites-available/nextcloud:

server {
        listen 80;

        # If you want to also support ipv6
        listen [::]:80;

        server_name cloud.mydomain.com;

        location / {
                proxy_pass_header   Server;
                proxy_set_header    Host $host;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto $scheme;
                proxy_pass          http://127.0.0.1:8080;
        }
}
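An added check (not from the thread) that parses nextcloud.log lines of the shape shown above, pulls the Remote IP out of each "Login failed" message, which is the same field a fail2ban failregex would capture with <HOST>, and reports whether every recorded address is loopback, the symptom described here. The log lines below are constructed samples with a shortened userAgent.

```python
import json
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the shape of the thread's nextcloud.log (userAgent shortened).
SAMPLE_LOG = """\
{"reqId":"r1","level":2,"time":"2023-07-10T18:19:54+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: 2345 (Remote IP: 127.0.0.1)","userAgent":"UA","version":"26.0.3.2","data":[]}
{"reqId":"r2","level":2,"time":"2023-07-10T18:20:36+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: gghh (Remote IP: 127.0.0.1)","userAgent":"UA","version":"26.0.3.2","data":[]}
{"reqId":"r3","level":1,"time":"2023-07-10T18:21:00+03:00","remoteAddr":"127.0.0.1","user":"alice","app":"core","method":"GET","url":"/","message":"not a login event","userAgent":"UA","version":"26.0.3.2","data":[]}
"""

# Same anchor a fail2ban failregex would use, with <HOST> in place of the named group.
LOGIN_FAILED = re.compile(r"^Login failed: .* \(Remote IP: (?P<ip>[0-9A-Fa-f.:]+)\)$")


def failed_login_ips(text):
    """Return the Remote IP of every 'Login failed' entry, in log order."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line wrapped by the terminal or truncated is not valid JSON
        m = LOGIN_FAILED.match(entry.get("message", ""))
        if m:
            ips.append(m.group("ip"))
    return ips


def count_by_ip(ips):
    """Per-source counts, i.e. what fail2ban compares against maxretry."""
    return dict(Counter(ips))


def proxy_hides_clients(ips):
    """True when every failed login is attributed to a loopback address:
    the reverse proxy is not trusted, so its forwarded header is ignored
    and fail2ban would only ever see (and ban) 127.0.0.1."""
    return bool(ips) and all(ip_address(ip).is_loopback for ip in ips)
```

Run against the real file (`failed_login_ips(open(path).read())`) after changing trusted_proxies: the loopback-only result should go away once the forwarded address is honoured.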

The parameter you’re probably interested in and missing is trusted_proxies.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=trusted_proxies#trusted-proxies

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=trusted_proxies

Thanks for the reaction. I added all domains, subdomains and IPs to trusted_domains, added the external IP 64.227.126.100 to trusted_proxies, and I still have 127.0.0.1 in the logs. Then I changed trusted_proxies to the local IP 10.114.0.2 and nothing again. My reverse proxy NGINX is on the same VM where the snap Nextcloud is installed. Of course I restarted the VM every time I made changes.


nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/tcpconf.d/*;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

/etc/nginx/sites-available/default:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

/etc/nginx/sites-available/nextcloud:

server {
        listen 80;

        # If you want to also support ipv6
        listen [::]:80;

        server_name cloud.zom****;

        location / {
                proxy_pass_header   Server;
                proxy_set_header    Host $host;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto $scheme;
                proxy_pass          http://127.0.0.1:8080;
        }
}

I think, in your case, trusted_proxies will need to be populated with '127.0.0.1'.
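To see why '127.0.0.1' is the value that matters here, an added model (my own simplified reconstruction of the documented trusted_proxies behaviour, not Nextcloud's code): behind the `proxy_pass http://127.0.0.1:8080` above, PHP sees REMOTE_ADDR 127.0.0.1, and only when that peer is listed in trusted_proxies is X-Forwarded-For consulted at all. The chain is read right to left, skipping trusted hops, so a client-supplied header cannot override the address the proxy appended; the request dicts and client addresses are constructed.

```python
import ipaddress


def is_trusted_proxy(trusted_proxies, addr):
    """addr matches an entry given as a plain IP or a CIDR range."""
    ip = ipaddress.ip_address(addr)
    for entry in trusted_proxies:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # malformed entry: never trust on a typo
    return False


def effective_remote_address(server, trusted_proxies,
                             forwarded_for_headers=("HTTP_X_FORWARDED_FOR",)):
    """Address that would be logged and rate-limited on. Simplified model (assumption):
    the forwarded header is honoured only when REMOTE_ADDR is a trusted proxy,
    and the chain is walked from the right, skipping trusted hops."""
    remote = server.get("REMOTE_ADDR", "")
    if not remote or not is_trusted_proxy(trusted_proxies, remote):
        return remote  # untrusted peer: its headers are ignored, as in the thread
    for header in forwarded_for_headers:
        for hop in reversed(server.get(header, "").split(",")):
            hop = hop.strip().strip("[]")
            if not hop:
                continue
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue
            if not is_trusted_proxy(trusted_proxies, hop):
                return hop
    return remote


# Constructed: what PHP sees behind the thread's nginx block; 203.0.113.7 is the real client.
BEHIND_NGINX = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
# Constructed: the client sent its own X-Forwarded-For; $proxy_add_x_forwarded_for
# appends the real peer address after it, so the rightmost entry is the one to use.
CLIENT_HEADER = {"REMOTE_ADDR": "127.0.0.1",
                 "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7"}


def demo():
    return {
        # the two values tried in the thread: neither is the peer PHP actually sees
        "external_ip": effective_remote_address(BEHIND_NGINX, ["64.227.126.100"]),
        "lan_ip": effective_remote_address(BEHIND_NGINX, ["10.114.0.2"]),
        "loopback": effective_remote_address(BEHIND_NGINX, ["127.0.0.1"]),
        "client_header": effective_remote_address(CLIENT_HEADER, ["127.0.0.1"]),
    }
```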

Nope, the same situation. Maybe a problem with the HTTPS configuration? For example, I don't leave the snap with HTTPS disabled. I use Let's Encrypt in my snap Nextcloud installation. I read here NGINX proxy manager · nextcloud-snap/nextcloud-snap Wiki · GitHub that I should stop the Let's Encrypt service for Nextcloud etc. But maybe that is only if the NGINX proxy manager software is used?

I want to say that I use Let's Encrypt on the snap Apache+Nextcloud and a stream {} block with SSL pass-through, but maybe I should turn off SSL and use the Let's Encrypt certificate at the level of NGINX? Damn, I hope that I use stream, I'm starting to doubt that it's true.

And it's very interesting. When I open the page for the first time from my clean iPhone with a new IP in incognito mode (not my home PC) I see the message "Too much attempt from your ip". I think Nextcloud thinks that all connections come from 127.0.0.1, but in reality it should see different IPs. Does the NGINX configuration tell Nextcloud that the connection comes from 127.0.0.1? Or does NGINX not send the actual IP in the forwarded_for_headers parameter?

Somebody? Help please.