Nextcloud with Docker Compose behind reverse proxy (nginx) with proxy_pass (leaking images)

Hello,
I have Nextcloud running with the following docker-compose.yml file, and I use Plesk with nginx as a reverse proxy.

My problem is that the images are accessible without a login.
I can open an image with the following URL: https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true

I tried the nginx directives from the Nextcloud docker-compose example on GitHub.
The problem is that they do not work, because I have to use proxy_pass http://127.0.0.1:8080/;

Can someone help me prevent access to the images without a login?

version: '3'

services:
  db:
    image: mariadb:10.5
    container_name: nextcloud-mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    environment:
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    env_file:
      - db.env
    volumes:
      - volumes/mariadb:/var/lib/mysql

  redis:
    image: redis:alpine
    container_name: nextcloud-redis
    restart: always
    command: /bin/sh -c "redis-server --requirepass $$REDIS_HOST_PASSWORD"
    env_file:
      - redis.env

  app:
    image: nextcloud:apache
    container_name: nextcloud-app
    restart: always
    ports:
      - 127.0.0.1:8080:80
    volumes:
      - volumes/nextcloud:/var/www/html
    depends_on:
      - db
      - redis
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nc.mydomain.com
    env_file:
      - db.env
      - redis.env

  cron:
    image: nextcloud:apache
    container_name: nextcloud-cron
    restart: always
    volumes:
      - volumes/nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  db:
  nextcloud:

“Additional nginx directives” in the Plesk settings for the Nextcloud subdomain:

location / {
  proxy_set_header    Host $host;
  proxy_set_header    X-Real-IP $remote_addr;
  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_pass          http://127.0.0.1:8080/;
  proxy_read_timeout  36000s;
  #Only use secure connection
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
  #Allow big files to upload
  client_max_body_size 0;
}

location /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}

I made a short test and can’t repro the problem in my NC 24.0.5 (docker+traefik) - accessing the preview URL requires login.

Are you sure your browser didn’t cache the session somehow? Try “private” mode or, even better, another browser (you didn’t use so far…

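The cache-free check suggested above can be scripted so it is repeatable. The following is an added example, not from this thread or from Nextcloud: it fetches a preview URL with curl (no cookies, no browser cache) and classifies the response. Only the URL is assumed; pass it as the first argument.

```sh
#!/bin/sh
# Added example: probe a Nextcloud preview URL as an anonymous client.
# curl sends no session cookie and keeps no cache, so a 200 with an image
# body really means the preview is served without a login.

# Classify a response by HTTP status and Content-Type.
# Prints LEAK when an image is returned to an anonymous client,
# PROTECTED when Nextcloud refused or redirected (to the login page),
# and OTHER for anything else (errors, maintenance page, ...).
classify_preview() {
  status="$1"
  ctype="$2"
  case "$status" in
    200)
      case "$ctype" in
        image/*) echo LEAK ;;
        *)       echo OTHER ;;
      esac ;;
    301|302|303|401|403) echo PROTECTED ;;
    *) echo OTHER ;;
  esac
}

# Fetch the URL anonymously and print the classification.
# -s: quiet, -o /dev/null: discard body, -w: print status and content type.
# The Cache-Control header asks any intermediate cache for a fresh copy.
probe_preview() {
  url="$1"
  out=$(curl -s -o /dev/null -H 'Cache-Control: no-cache' \
        -w '%{http_code} %{content_type}' "$url") || return 2
  status=${out%% *}
  ctype=${out#* }
  classify_preview "$status" "$ctype"
}

# Usage: sh probe.sh 'https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true'
if [ -n "${1:-}" ]; then
  probe_preview "$1"
fi
```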

I feel so dumb. You are right. I was logged out, but the image was cached.
Opening the URL in a different browser showed the login page.

So do you think the “Additional nginx directives” from the initial post are secure?

I’m not using nginx, but to me the config looks the same as recommended.

Please review the official docs: Reverse proxy — Nextcloud latest Administration Manual
