NPM Server + AIO Server + trusted_proxies

ℹ️ Support
, ,
1

Sorry for what seems to be the usual question, but normally I never had problems managing these configurations. Also in the old proxy configuration everything worked correctly, so I did not expect to make many changes between one docker and another.

I have a VPS on which runs a docker of nginx proxy manager with public ip X.X.X.X and that I use as a “waf” to mask the public ip of another server (private IP behind NAT of a firewall with public IP). Also its firewall accepts only traffic from the public ip X.X.X.X

This configuration of NPM Server towards the “manual” docker that I had created a couple of years ago forwarded the clients’ ip without problems.

On the server that hosts nextcloud I started a “clean” docker nextcloud-aio with the intention of migrating only the files.

It wasn’t difficult, but by setting the IP X.X.X.X as trusted_proxies, docker sees all clients as 127.0.0.1

Before setting the IP X.X.X.X as trusted_proxies, the IP X.X.X.X was show in the logs as the IP of the clients, so on the docker side everything seems correct.

I checked the guides and forum messages.

As trusted proxies array are set these IP

127.0.0.1
::1
10.b.c.0/16 (the AIO network)
X.X.X.X

and nothing else.

The AIO docker exposes its apache on port 11000 in http. It has been reconfigured following the advice read on the forum (websock ON, Force SSL and HTTP/2 Support enabled. The rest disabled) and the advanced parameters are as follows:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;

I have a doubt that I should intervene on the apache docker aio, but I can’t find any indications on this.

Ideas? Suggestions? Thanks.

2

Hi there,

I noticed your question about seeing 127.0.0.1 as the client IP in your Nextcloud AIO instance when running behind Nginx Proxy Manager (NPM). I’ve experienced a very similar situation, so I wanted to step in and offer a bit of help.

This behavior happens because NPM (acting as a reverse proxy) forwards the requests to your Nextcloud container, but unless Apache is explicitly told how to handle forwarded IPs, it will just assume all requests come from localhost. That causes Nextcloud to misinterpret who’s actually accessing it, leading to brute-force protection warnings, wrong IPs in logs, and even degraded performance for legitimate users.

To properly fix this, two things must be configured together:

  1. Apache must be told to extract the client IP from the X-Forwarded-For header.
  2. Nextcloud must be told to trust your reverse proxy as a trusted proxy.

I’ve written a complete step-by-step guide to help you do exactly that:

:shield: Fixing Incorrect IP Address (127.0.0.1) in Nextcloud AIO Behind Nginx Proxy Manager

:puzzle_piece: Problem Overview

When you run Nextcloud AIO behind Nginx Proxy Manager (NPM), requests are forwarded through the proxy, which reaches your Nextcloud AIO Apache container.

:right_arrow: By default, the internal Apache server sees every request as coming from 127.0.0.1, not from the real client.

:warning: Consequences:

  • IP-based brute-force protection is broken.
  • Nextcloud may throttle itself (thinking your proxy is attacking).
  • Logs show only 127.0.0.1.
  • IP-based access control, logging, and analysis are inaccurate.

:white_check_mark: Goal

Make sure that:

  • Apache correctly extracts the real IP from the X-Forwarded-For header.
  • Nextcloud trusts your proxy (NPM) and doesn’t block or throttle it.
  • Logs and security functions use the correct client IP.

:hammer_and_wrench: Requirements

  • You’re using Nextcloud AIO in Docker.
  • You use Nginx Proxy Manager (NPM) as a reverse proxy.
  • You know your NPM IP address (e.g., 192.168.1.157).
  • You have SSH access and Docker permissions.

:wrench: Step 1: Configure Apache in the AIO Container

Apache must be explicitly told to trust the proxy and extract the client IP.

1.1 Access the Apache container:

docker exec -it nextcloud-aio-apache bash

1.2 Enable the mod_remoteip module:

a2enmod remoteip

1.3 Create the remoteip.conf configuration:

nano /etc/apache2/conf-available/remoteip.conf

Paste the following (adjust IP to match your NPM):

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1
RemoteIPTrustedProxy ::1
RemoteIPTrustedProxy 192.168.1.157

This tells Apache to trust requests from NPM and to use the X-Forwarded-For header to determine the real client IP.

1.4 Enable the new config:

a2enconf remoteip

1.5 Restart Apache inside the container:

apachectl restart

:file_folder: Step 2: Configure Nextcloud to Trust the Proxy

Now that Apache knows how to find the real IP, you must tell Nextcloud to trust your proxy.

2.1 Access the Nextcloud container as root:

docker exec -u 0 -it nextcloud-aio-nextcloud bash

2.2 Open the config file:

nano /var/www/html/config/config.php

2.3 Add or update the trusted_proxies block:

'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '192.168.1.157',  // ← Your NPM IP
    3 => '172.21.0.0/16',   // ← Docker bridge subnet (adjust as needed)
  ),

If the trusted_proxies block doesn’t exist, add it right after other config values like 'overwrite.cli.url'.

2.4 Save and exit (Ctrl + X, then Y and Enter in Nano).

2.5 Exit the container:

exit

:repeat_button: Step 3: Restart the Containers

Apply the changes by restarting the relevant containers:

docker restart nextcloud-aio-apache nextcloud-aio-nextcloud

Or, if using Docker Compose:

docker compose restart

:test_tube: Step 4: Verify the Fix

  1. Log in to your Nextcloud admin interface.
  2. Go to Settings > Overview.
  3. Look at the reported IP address:
    • If it shows the real client IP (e.g. 192.168.1.x or your WAN IP), it’s working.
    • If it still shows 127.0.0.1, go back and double-check the steps.

:speech_balloon: Final Notes

I hope this is the correct and complete fix when using Nextcloud AIO behind Nginx Proxy Manager. Even if your trusted proxies are set in config.php, you also need Apache to cooperate and correctly handle the forwarded headers.

Let me know if you run into any issues …

3

Thank you!
Your FAQ is very usefull!

But i’have found an answer looking much more better in forum

This was the missing piece of config in my scenario… Don’t know why these string are enabled by default :slight_smile:

1 Like
4

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.