Notify_push set wants me to add gateway IP to trusted_proxies array

So, one of my Nextcloud instances is running on a raspberrypi in my living room and is connected to the internet.

I have set up the notify_push service, because it seems to decrease load on this rather low-end device.

What is weird is that when I run occ notify_push:setup, it complains that the IP address where the proxy requests are coming from is not in the trusted_proxies array, even though both 127.0.0.1 and the private IP address of the device are in the trusted proxies array:

 🗴 push server is not a trusted proxy, please add '192.162.10.1' to the list of trusted proxies or configure any existing reverse proxy to forward the 'x-forwarded-for' send by the push server.
   See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies for how to set trusted proxies.
   The following trusted proxies are currently configured: "127.0.0.1", "::1", "192.168.10.2"
   The following x-forwarded-for header was received by Nextcloud: 1.2.3.4
     from the following remote: 192.168.10.1

Why is that? The address it wants me to add is the address of the gateway of my local LAN to the internet. Why does it say that requests are coming from there, when instead they are coming from the very same machine where Nextcloud is running? And why does it say “Nextcloud: 1.2.3.4”? That’s not an IP address I am using.

If the alternative is setting the environment variable “NEXTCLOUD_URL”, where can I set it? Actually, it is already being set in the service file for the notify_push systemd service.

I am asking because, while adding the gateway address as a trusted proxy makes the notify_push service work, it yields an error message in the security check:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

Is notify_push incompatible with NAT or what could be the problem?
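To make the mechanics behind the setup check and the security warning concrete, here is an added Python model of how a server that honours `trusted_proxies` attributes a request to a client IP. This is example code written for this page, not Nextcloud's code, not the notify_push project's code and not part of the original thread. The addresses come from the setup output quoted above; the right-to-left walk of the `X-Forwarded-For` chain and `203.0.113.9` as a forged address are assumptions of the model, labelled as such in the comments.

```python
import ipaddress

# Values taken from the notify_push:setup output quoted in the thread.
TRUSTED_PROXIES = ["127.0.0.1", "::1", "192.168.10.2"]
GATEWAY = "192.168.10.1"            # the address the check asks to add
PUSH_SERVER_PROBE_XFF = "1.2.3.4"   # the probe value the push server sends


def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr matches an entry in trusted_proxies.

    The model accepts single addresses and CIDR ranges; unparseable
    entries or addresses never match.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            # A v4 address is never contained in a v6 network and vice versa.
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address the server attributes the request to.

    Model assumption (not a claim about Nextcloud's exact code): the
    X-Forwarded-For header is honoured only when the TCP peer is a trusted
    proxy. The chain is then walked from the nearest hop backwards and the
    first hop that is not itself a trusted proxy is taken as the client.
    """
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        # Untrusted peer: the header is ignored, the peer is the client.
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted_proxies):
            return hop
    return remote_addr


def setup_check_passes(remote_addr, trusted_proxies):
    """Re-creates the push-server check: the probe header must survive
    the trusted-proxy logic and be seen as the client address."""
    seen = resolve_client_ip(remote_addr, PUSH_SERVER_PROBE_XFF, trusted_proxies)
    return seen == PUSH_SERVER_PROBE_XFF


def spoofable_from(remote_addr, trusted_proxies):
    """True if a client whose traffic reaches the server from remote_addr
    can pick the address the server logs by setting X-Forwarded-For itself.
    This is the risk the security check describes. 203.0.113.9 is a
    constructed documentation address, not one from the thread."""
    forged = "203.0.113.9"
    return resolve_client_ip(remote_addr, forged, trusted_proxies) == forged


if __name__ == "__main__":
    widened = TRUSTED_PROXIES + [GATEWAY]
    print("probe from gateway, original list :",
          resolve_client_ip(GATEWAY, PUSH_SERVER_PROBE_XFF, TRUSTED_PROXIES))
    print("setup check passes (original list):", setup_check_passes(GATEWAY, TRUSTED_PROXIES))
    print("setup check passes (gateway added):", setup_check_passes(GATEWAY, widened))
    print("client IP spoofable from gateway  :", spoofable_from(GATEWAY, widened))
```

With the original list the probe arrives from `192.168.10.1`, which is not trusted, so the header is dropped and the check fails, which is exactly what the quoted output reports. Adding the gateway makes the check pass, but it also means that any request arriving from `192.168.10.1` may rewrite its own client address, so wherever NAT reflection makes LAN traffic arrive from the gateway, the IP that brute-force protection and the logs record for those clients is whatever the client puts in the header. That is the trade-off the security-check warning is pointing at.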

Hi @vasyugan

Did you read this section of the documentation?

https://github.com/nextcloud/notify_push#push-server-is-not-a-trusted-proxy

If you are behind NAT and you didn’t set up an internal DNS server, NAT reflection is used to redirect internal LAN traffic to the correct IP address of your server. This means that for the Nextcloud server, every request is coming from the IP address of your router instead of the actual IP address of the device that started the request.

From your log it looks like the services are running on different machines (request comes from 192.168.10.1, trusted proxy is 192.168.10.2) - are you using Docker or other virtualization technology?

Setup of notify_push is a little tricky - maybe this thread helps you to understand the config.

No, and that’s the thing that irritates me. Nextcloud is running natively on 192.168.10.2 (no Docker), while 192.168.10.1 is the gateway address. But it seems that NAT is the problem and I have to replace the SERVER_URL in the systemd service file by the local IP address of the server running Nextcloud. Obviously, Nextcloud sees the request as coming from the gateway because of NAT reflection.

This could happen if your Nextcloud DNS name resolves to a public IP. This makes the notify_push app talk to this public IP, which returns to your router… If you have the option, the better way would be to configure local DNS within your network to resolve to the server IP.

Local DNS gives you other advantages as well - this makes clients in the local network talk to the server without hitting the internet/router/firewall/NAT first - should work much faster… Maybe not a factor for a Raspi but in general a preferred config.


So you suggest I should add a static DNS entry to my router? Because the first thing I tried was adding an entry to /etc/hosts, but that somehow did not work, as notify_push complains that

  1. the connection is unencrypted,
  2. The IP points to localhost (although I did not use 127.0.0.1 but the local LAN IP assigned to eth0) and therefore the server cannot be reached from outside.

I find this somewhat confusing. I

In this post I show my Docker config. You see there I use an unencrypted connection to the Nextcloud app container (because going out of Docker and returning back to the https interface of the reverse proxy didn’t work for some reason).

    environment:
      - PORT=7867
      - NEXTCLOUD_URL=http://dev-nextcloud-app/  # NC app container name

If you access via https (maybe because of http: >> https: redirection) you should configure the notify_push app to use https://. The thread shows a lot of different config examples and number references - most likely you find a matching setup there… or you just add your router as a trusted proxy…

Thanks! To be honest, I have given up on the thing (push notifications behind NAT) for now… I will (probably) try again at a later time…