Nginx Reverse Proxy and Nextcloud


Nextcloud version (eg, 20.0.5): 22.0.0
Operating system and version (eg, Ubuntu 20.04): Debian 10
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.38 (Debian)
PHP version (eg, 7.4): PHP 7.3.29-1

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Install Nextcloud
  2. Configure Nginx Proxy Manager on same or different device
  3. Try to log in incorrectly

The output of your Nextcloud log in Admin > Logging:

    {"reqId":"3lkvvhxsutwMmDdBJjAV","level":2,"time":"2021-07-26T15:09:54+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdad (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"fTihwqjBYczCB2B1HTlE","level":2,"time":"2021-07-26T15:11:16+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"J5qpuSN9dfv5CzLHpiOd","level":2,"time":"2021-07-26T15:11:27+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4 (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"xB1ckbYGmpnvZ8VaUYi3","level":2,"time":"2021-07-26T15:11:57+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4 (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"aOxOg4pRqntbSg5WBWXX","level":2,"time":"2021-07-26T15:13:15+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4 (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"GbJL14ZwvP1LvJptDpi1","level":2,"time":"2021-07-26T15:13:18+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4 (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"CBR3DMVbm9ICxMn3sXci","level":2,"time":"2021-07-26T15:13:26+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4erwerwr (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}
    {"reqId":"EQNsclt7WAwr1klsN8Qp","level":2,"time":"2021-07-26T15:13:43+00:00","remoteAddr":"192.168.0.136","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: asdasdasd\u00e4\u00e4\u00e4erwerwrasdasd (Remote IP: 192.168.0.136)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"22.0.0.11"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

    <?php
    $CONFIG = array (
      'instanceid' => 'ocnkpza26wwr',
      'passwordsalt' => '[REDACTED]',
      'secret' => '[REDACTED]',
      'trusted_domains' =>
      array (
        0 => '192.168.0.136',
        1 => 'nextcloud.[REDACTED].cc',
        2 => '192.168.0.135',
      ),
      'trusted_proxies' => ['172.18.0.3', '192.168.0.0/24', '192.168.0.136',],
      'auto_logout' => false,
      'datadirectory' => '/drives/raid1/NextCloud',
      'dbtype' => 'mysql',
      'version' => '22.0.0.11',
      'overwrite.cli.url' => 'https://nextcloud.[REDACTED].cc',
      'dbname' => 'nextclouddb',
      'overwriteprotocol' => 'https',
      'dbhost' => 'localhost',
      'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'X-Forwarded-For'],
      'overwritecondaddr' => '',
      'overwritewebroot' => '',
      'dbport' => '',
      'overwritehost' => '',
      'dbtableprefix' => 'oc_',
      'mysql.utf8mb4' => true,
      'dbuser' => 'nextclouduser',
      'htaccess.RewriteBase' => '/',
      'dbpassword' => '[REDACTED]',
      'installed' => true,
      'default_phone_region' => 'FI',
      'apc.enable_cli' => '1',
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'memcache.locking' => '\\OC\\Memcache\\Redis',
      'memcache.distributed' => '\\OC\\Memcache\\Redis',
      'redis' =>
      array (
        'host' => '/var/run/redis/redis-server.sock',
        'port' => 0,
        'timeout' => 0,
        'password' => '',
        'dbindex' => 0,
      ),
      'app_install_overwrite' =>
      array (
        0 => 'camerarawpreviews',
      ),
      'maintenance' => false,
    );

The output of your Apache/nginx/system log in /var/log/____:

Not necessary

So, I am running my Nextcloud instance on server 1, which is located at 192.168.0.135 (on port 32531) and my Nginx Reverse Proxy (NPM for short onward) on server 2, which is located at 192.168.0.136.
No matter what I try, I cannot get Nextcloud to see the correct IP of the end user on a failed login attempt, only the proxy IP. I have added the IP of NPM to trusted_proxies and added the 'forwarded_for_headers' line as advised. There are multiple entries on the trusted_proxies line because I was testing EVERYTHING. First I had NPM on the same machine, and then the IP was 172.18.0.3, but I moved it to a separate machine. My NPM entry is as follows:

Domain names: Nextcloud.[REDACTED].cc, Scheme: HTTP, Forward Hostname/IP: 192.168.0.135, Forward Port: 32531.
Websocket support and Block Common Exploits are turned on but haven't made a difference whilst off. SSL is forced with HTTP/2 support.

I tried adding this to the NPM advanced configuration, but having the first line breaks NPM and the proxy host goes offline.

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Even if I have the others, still nothing.

The instance does work very well, but it's a bit unusable when brute-force protection blocks EVERYONE from signing in if some 3rd party tried to log in.

I see your overwritehost is empty. Could you check with https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?

Same thing as in “Hostname -I”? So 192.168.0.136? Or server URL or what? None of these have made any difference so far.

I have scanned through the documentation several tens of times to no avail.

Any ideas why this happens? @ChristophWurst

No, no other ideas.

SOLVED! (Debian 10)

Steps:

  1. Enable mod_remoteip using

         sudo a2enmod remoteip

  2. Create remoteip.conf at /etc/apache2/mods-available/remoteip.conf
  3. Add the following lines to remoteip.conf

         RemoteIPInternalProxy your_proxy_ip
         RemoteIPHeader X-Forwarded-For

  4. Restart apache using

         sudo systemctl restart apache2

  5. Edit nextcloud configuration file.

         sudo nano /var/www/nextcloud/config/config.php

  6. Add the following lines:

         'forwarded_for_headers' => ['X-Forwarded-For'],
         'trusted_proxies' => ['your_proxy_ip'],

and that should be it. Test by using the wrong credentials with your phone, and see that nextcloud logged the correct IP address. For me, in my local network, it logged the gateway IP for some reason, but it doesn’t really matter.

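The test described in the post above can also be run over the log itself. The following is an added example, not part of the original thread: it reads Nextcloud JSON log lines and counts failed logins whose `remoteAddr` is still one of the proxy addresses. The sample lines are constructed and trimmed to the fields used; `failed_logins_by_source` and `attribution_ok` are hypothetical helper names.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the shape of the thread's log lines (fields trimmed).
SAMPLE_LOG = """\
{"level":2,"time":"2021-07-26T15:09:54+00:00","remoteAddr":"192.168.0.136","url":"/login","message":"Login failed: alice (Remote IP: 192.168.0.136)"}
{"level":2,"time":"2021-07-26T15:11:16+00:00","remoteAddr":"192.168.0.136","url":"/login","message":"Login failed: bob (Remote IP: 192.168.0.136)"}
{"level":2,"time":"2021-07-26T15:20:02+00:00","remoteAddr":"203.0.113.7","url":"/login","message":"Login failed: alice (Remote IP: 203.0.113.7)"}
{"level":1,"time":"2021-07-26T15:21:00+00:00","remoteAddr":"192.168.0.136","url":"/index.php","message":"unrelated entry"}
not json
"""

def failed_logins_by_source(log_text, trusted_proxies):
    """Split failed-login counts into (attributed to a proxy, attributed to a client)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    via_proxy, direct = Counter(), Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            if not entry.get("message", "").startswith("Login failed"):
                continue
            addr = ipaddress.ip_address(entry["remoteAddr"])
        except (ValueError, KeyError, AttributeError):
            continue  # not JSON, not an object, or no usable remoteAddr
        bucket = via_proxy if any(addr in n for n in nets) else direct
        bucket[str(addr)] += 1
    return via_proxy, direct

def attribution_ok(log_text, trusted_proxies):
    """True when no failed login is logged under a proxy address."""
    via_proxy, _ = failed_logins_by_source(log_text, trusted_proxies)
    return not via_proxy

if __name__ == "__main__":
    via_proxy, direct = failed_logins_by_source(SAMPLE_LOG, ["192.168.0.136"])
    # Any count under the proxy address means brute-force protection is
    # throttling the proxy, and with it every user behind it.
    print("logged as proxy:", dict(via_proxy))
    print("logged as client:", dict(direct))
```

Run it against entries written after the configuration change only, since older lines keep the proxy address they were logged with.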

I investigated this a couple of months ago and wrote in my Nextcloud Install Instruction the following:

Nextcloud uses by default the standard header ‘X-Forwarded-For’ so basically:

Add this directive in the proxy virtual host:

    ProxyPreserveHost On
    ProxyPass /          http://192.168.1.63/
    ProxyPassReverse /   http://192.168.1.63/

And this in the file config.php of Nextcloud:

    'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED'],

And today it works =)
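Why the key name in `forwarded_for_headers` matters, as an added example that is not part of the thread and not Nextcloud's own code: a simplified Python model of trusted-proxy resolution. It assumes forwarded headers are honoured only when the connecting address is in `trusted_proxies`, and that they are looked up by their PHP `$_SERVER` key. Addresses that do not appear in the thread are constructed.

```python
import ipaddress

def is_trusted(addr, trusted_proxies):
    """True if addr matches a trusted_proxies entry (single IP or CIDR)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)

def resolve_client_ip(server, trusted_proxies, forwarded_for_headers):
    """Simplified model (assumption), not Nextcloud's implementation.

    `server` mimics PHP's $_SERVER, where the request header
    X-Forwarded-For appears under the key HTTP_X_FORWARDED_FOR.
    """
    remote = server["REMOTE_ADDR"]
    if not is_trusted(remote, trusted_proxies):
        return remote          # not a proxy: forwarded headers are ignored
    for key in forwarded_for_headers:
        for candidate in server.get(key, "").split(","):
            try:
                return str(ipaddress.ip_address(candidate.strip()))
            except ValueError:
                continue       # missing key or malformed entry
    return remote              # nothing usable: fall back to the proxy address

# Request relayed by the proxy from the thread (client address is constructed).
VIA_PROXY = {"REMOTE_ADDR": "192.168.0.136", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
# LAN host that is not the proxy, sending its own header (constructed).
LAN_FORGED = {"REMOTE_ADDR": "192.168.0.50", "HTTP_X_FORWARDED_FOR": "203.0.113.99"}

ORIGINAL_KEYS = ["HTTP_X_FORWARDED", "HTTP_FORWARDED_FOR", "X-Forwarded-For"]
WORKING_KEYS = ["HTTP_X_FORWARDED_FOR"]

if __name__ == "__main__":
    proxy_only = ["192.168.0.136"]
    # None of the original keys exist in $_SERVER, so the proxy IP is logged.
    print(resolve_client_ip(VIA_PROXY, proxy_only, ORIGINAL_KEYS))
    # With the $_SERVER-style key the real client is recovered.
    print(resolve_client_ip(VIA_PROXY, proxy_only, WORKING_KEYS))
    # Trusting the whole /24 lets any LAN host choose its logged address.
    print(resolve_client_ip(LAN_FORGED, ["192.168.0.0/24"], WORKING_KEYS))
    # Trusting only the proxy keeps that header out.
    print(resolve_client_ip(LAN_FORGED, proxy_only, WORKING_KEYS))
```

The last two calls show why `trusted_proxies` is best limited to the proxy's own address rather than a whole subnet.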