Nextcloud.log "Login failed" message always from 127.0.0.1 - can't detect ip for fail2ban

Nextcloud version: 26.0.3
Operating system and version: 22.10
nginx version: 1.22.0

For Ubuntu Nextcloud SNAP installation I want setup fail2ban protection. In /var/snap/nextcloud/current/logs/nextcloud.logLogin failed” message always catch from 127.0.0.1, so I can’t find true ip address of attackers in fail2ban filter.

Output of nextcloud.log:

/var/snap/nextcloud/current/logs/nextcloud.log                                                                                                          822/822               100%
{"reqId":"oz0xoI5Fp4wjifGz54nA","level":2,"time":"2023-07-10T18:19:54+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/logi
n","message":"Login failed: 2345 (Remote IP: 127.0.0.1)","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safa
ri/605.1.15","version":"26.0.3.2","data":[]}
{"reqId":"utqpV8dlkzbsD7fGQhJl","level":2,"time":"2023-07-10T18:20:36+03:00","remoteAddr":"127.0.0.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/logi
n","message":"Login failed: gghh (Remote IP: 127.0.0.1)","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16
.5.1 Mobile/15E148 Safari/604.1","version":"26.0.3.2","data":[]}

Maybe problem in NGINX configuration?

Content of /etc/nginx/sites-available/nextcloud:

server {
        listen 80;

        # If you want to also support ipv6
        listen [::]:80;

        server_name cloud.mydomain.com;

        location / {
                proxy_pass_header   Server;
                proxy_set_header    Host $host;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto $scheme;
                proxy_pass          http://127.0.0.1:8080;
        }
}

The parameter you’re probably interested in and missing is trusted_proxies.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=trusted_proxies#trusted-proxies

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=trusted_proxies

Thanks for reaction. I add all domains and subdomains, and ip’s to sections trusted_domains, add external ip 64.227.126.100 to trusted_proxies and I still have 127.0.0.1 in logs. Then change trusted_proxies to local ip 10.114.0.2 and nothing again. My reverse proxy NGINX situated at the same VM where snap nextcloud installed. Of course I restarted VM every time when I made changes.

2023-07-10 22_57_07-DO VPS - cascade - Royal TS

nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/tcpconf.d/*;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

/etc/nginx/sites-available/default:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

/etc/nginx/sites-available/nextcloud:

server {
        listen 80;

        # If you want to also support ipv6
        listen [::]:80;

        server_name cloud.zom****;

        location / {
                proxy_pass_header   Server;
                proxy_set_header    Host $host;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto $scheme;
                proxy_pass          http://127.0.0.1:8080;
        }
}

I think, in your case, trusted_proxies will need to be populated with '127.0.0.1',.

Nope, the same situation. Maybe problem with https configuration? For example I dont leave the snap with HTTPS disabled. I use Lets encrypt in my snap nextcloud installation. I read here NGINX proxy manager · nextcloud-snap/nextcloud-snap Wiki · GitHub that I should stop lets encrypt service for nextcloud et.c. But maybe its only if NGINX proxy manager software used?

I want to say thay I use lets encrypt at snap apache+nextcloud and stream {} block with ssl pass-through, but maybe I should turn off ssl and use lets enrypt certificate at level of NGINX? Damn, I hope that I use stream, I’m starting to doubt that its true.

And its very interesting. When I join page for first time from my clean iPhone with new ip in incognito mode page (not my home pc) I see message “Too much attempt from your ip”, I think nextcloud think that all connections goes from 127.0.0.1, but in real he should see different ip’s. NGINX configuration tell to Nextcloud that connection goes from 127.0.0.1? Or NGINX dont send actual ip in forwarded_for_headers parametr.

Somebody? Help please.