Nginx reverse proxy trusted_proxies hostname

Hi everyone,

I’ve configured Nextcloud behind an nginx reverse proxy, both in Docker.

Everything works great. Though I have a specific problem and I can’t find a hint in the docs nor in the existing forum posts. Hope anybody can help me.

I can ping my proxy from my Nextcloud server:

```
root@nextcloud:/var/www/html/config# ping system-servers_nginx.ramaekers-stassartbe_internal
PING system-servers_nginx.ramaekers-stassartbe_internal (172.19.0.4) 56(84) bytes of data.
64 bytes from system-servers_nginx.ramaekers-stassartbe_internal (172.19.0.4): icmp_seq=1 ttl=64 time=0.060 ms
```

If I configure my config.php with the hostname in trusted_proxies, my proxy isn’t trusted.

```php
'trusted_proxies' =>
array (
  0 => '10.9.0.253',
  1 => 'system-servers_nginx.ramaekers-stassartbe_internal',
),
```

Nextcloud can’t be accessed…

If I use the IP address, all is OK:

```php
'trusted_proxies' =>
array (
  0 => '10.9.0.253',
  1 => '172.19.0.4',
),
```

My problem is that, depending on starting and restarting services, the IP of the nginx server can differ…

My question:
Why can’t Nextcloud resolve the hostname of my nginx server like ping can, regarding the array trusted_proxies?

Other services work nicely with hostnames, e.g. mariadb:

```php
'dbhost' => 'ramaekers-stassartbe_drive_db.ramaekers-stassartbe_internal',
```

is no problem… I don’t have to resort to entering an IP address.

For now I’ve done a dirty fix by using 172.0.0.1/8 in the array… but I don’t like that because maybe in the future the subnet won’t be 172.x.y.z…

Thanks for the help,

Dominique.

Just a few follow-up questions, since I’m just curious about how this proxy thing works with the config.php file.

Does the Nextcloud Docker image have an nginx webserver already baked into the container?

In terms of your reverse proxy, I’m interpreting that you are running two separate containers, both an nginx container and a Nextcloud container? Is this correct?

Would you mind sharing your docker-compose file?

In terms of the config.php: once you made the changes to your config.php and added your proxy by name, did you restart the Docker network?

A couple other things you could try.

  1. Create a Docker routed network where each container is identified by IP address. Basically, this assigns static IP addresses to each of the containers.
  2. If the IP address of the reverse proxy changes, but you are fairly confident it’s going to be an address in the 172.19.0.0/24 block, then you could add 172.19.0.0/24 to your list of trusted proxies rather than just 172.19.0.4.

I’m running two Nextclouds on Docker behind a traefik router, and my config looks like:

```php
'trusted_proxies' =>
array (
  0 => 'traefik',
),
```

Talking about the Docker internal IP subnet? You can configure this, described for example here: https://serverfault.com/questions/916941/configuring-docker-to-not-use-the-172-17-0-0-range


I create my own Dockerfiles…

Yes, they are.

```yaml
version: "3.6"
services:
  drive:
    container_name: ramaekers-stassartbe_drive
    volumes:
      - type: volume
        source: drive-data
        target: /srv/persistent
    hostname: nextcloud
    networks:
      - internal
    build:
      context: ./images/apache_php_forNextcloud/
    depends_on:
      - drive_db
    restart: always
  drive_db:
    container_name: ramaekers-stassartbe_drive_db
    volumes:
      - type: volume
        source: drive_db-data
        target: /srv/persistent
    hostname: mariadb
    networks:
      - internal
    build:
      context: ./images/mariadb/
    restart: always

volumes:
   drive-data:
   drive_db-data:

networks:
   internal:
     driver: bridge
```

On starting these services, I also run this line (in a startup script):

```
docker network connect ramaekers-stassartbe_internal system-servers_nginx
```

Regarding the remarks about the subnets: I would like to install my services on a ‘setup-and-forget’ principle. So if the standard setup of Docker changed the Docker subnet, I would like to have it start my services out of the box, without the need of changing my config.php…
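As an added illustration (not the poster’s setup and not Nextcloud’s own code) of why the hostname entry never matches while an IP or CIDR does, and of a resolve-at-container-start workaround for the ‘setup-and-forget’ wish: Nextcloud compares the connecting address (REMOTE_ADDR) against each trusted_proxies entry parsed as an IP literal or CIDR and performs no DNS lookup, whereas dbhost is a connect target that PHP resolves. The model below imitates that trust check, shows what an over-broad range like 172.0.0.0/8 permits, and turns a mixed list into the IP list Nextcloud can use. The hostnames and the 172.19.0.4 address come from the thread; the fake resolver and the 172.17.0.9 / 203.0.113.7 addresses are constructed; the occ helper assumes occ is run from the Nextcloud web root.

```python
"""Model of Nextcloud's trusted_proxies check plus a resolve-at-startup helper.

Added example: this is NOT Nextcloud's own code. It imitates the observable
behaviour: REMOTE_ADDR is compared against each trusted_proxies entry parsed
as an IP or CIDR; entries that are not IP literals cannot match, and no DNS
lookup happens.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple


def is_trusted_proxy(remote_addr: str, trusted_proxies: Iterable[str]) -> bool:
    """True if remote_addr falls inside any IP/CIDR entry. Hostname entries are skipped."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # e.g. 'system-servers_nginx.ramaekers-stassartbe_internal': not an IP, never trusted
            continue
        if addr in network:
            return True
    return False


def client_ip(remote_addr: str, x_forwarded_for: str, trusted_proxies: Iterable[str]) -> str:
    """Simplified: honour X-Forwarded-For only when the direct peer is a trusted proxy.
    (Nextcloud's real header handling has more rules; the trust decision is the point.)"""
    if x_forwarded_for and is_trusted_proxy(remote_addr, trusted_proxies):
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


# Same shape as socket.gethostbyname_ex: (canonical name, aliases, addresses)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def resolve_trusted_proxies(entries: Iterable[str],
                            resolver: Resolver = socket.gethostbyname_ex) -> List[str]:
    """Replace hostnames with the addresses they resolve to right now; keep IP/CIDR entries.
    Run at container start so the list follows the proxy's current Docker-assigned IP."""
    resolved: List[str] = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
            resolved.append(entry)
            continue
        except ValueError:
            pass
        _name, _aliases, addresses = resolver(entry)
        resolved.extend(addresses)
    return resolved


def occ_commands(resolved: Iterable[str]) -> List[str]:
    """occ invocations that write the list into config.php (config:system:set takes the array index).
    The array is deleted first so stale indices from a previous start do not linger."""
    cmds = ["php occ config:system:delete trusted_proxies"]
    cmds += [f"php occ config:system:set trusted_proxies {i} --value={ip}"
             for i, ip in enumerate(resolved)]
    return cmds


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: nginx at 172.19.0.4 on the 'internal' network.
    from_post = ["10.9.0.253", "system-servers_nginx.ramaekers-stassartbe_internal"]
    print(is_trusted_proxy("172.19.0.4", from_post))          # False: hostname never matches
    print(is_trusted_proxy("172.19.0.4", ["172.19.0.0/24"]))   # True: CIDR matches

    # Over-broad range: any container on any default Docker bridge can forge the client IP.
    print(client_ip("172.17.0.9", "203.0.113.7", ["172.0.0.0/8"]))  # 203.0.113.7 (spoofed)
    print(client_ip("172.17.0.9", "203.0.113.7", ["172.19.0.4"]))   # 172.17.0.9

    fake_resolver = lambda host: (host, [], ["172.19.0.4"])  # stands in for Docker's embedded DNS
    for cmd in occ_commands(resolve_trusted_proxies(from_post, fake_resolver)):
        print(cmd)
```

Running resolve_trusted_proxies with the real resolver inside the Nextcloud container (from the same startup script that runs `docker network connect`) keeps the list narrow: only the proxy’s current address is trusted, rather than every container that happens to land in 172.0.0.0/8, any of which could otherwise set X-Forwarded-For and be believed.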

@dominique would you mind using Markdown to format the docker-compose file? Please put a line with three ``` before and after; the file will become readable.

@Reiner_Nippes

Just curious: didn’t you have a post about having a domain name rather than an IP address within your trusted_proxies array when using the traefik reverse proxy?

@dominique In terms of the “setup and forget it”, the best would probably be to use domain names like you are trying to do, but I suppose you might try creating a routed Docker network where you control all the IP addresses (so they won’t change in the future); it’s kind of like assigning static IP addresses to all your containers. I’ve done this a few times but I usually find other means:

I still find it strange that trusted_proxies won’t resolve the hostname. I have now implemented a Redis server. The Redis server is in the same compose file as the nginx server with a similar network configuration. I configured the Redis server in config.php with its hostname and it works perfectly.

@kevdog, thanks for the tip though.

I don’t like to handle my IPs. It’s more work and I’m really lazy :wink:
I’ll contemplate a bit on the way to handle this…
If I find a better way, I’ll post it here.

@dominique

I’ll keep searching for a solution. I’ve yet to actually explore your problem. I’m still configuring everything here for intra-LAN communication; I’ve yet to add the reverse proxy in front of my Nextcloud installation in order to make it available to the outside world. I would agree, based on the documentation I’ve seen thus far from Nextcloud, that the need to specify an IP address rather than a host name is problematic. Maybe I’ll find a workaround when I get there.

This might not be exactly OP’s problem, but in case someone comes across this while googling:

I thought I had this issue using the official nextcloud-apache image (Nextcloud didn’t pick up on the https), but in my case it seems like Apache itself trusted the traefik proxy (I assume because it’s using an IP in a private IP range), so Nextcloud already received the real client IP in the REMOTE_ADDR parameter and thus ignored the HTTP_X_FORWARDED_PROTO part.