Hi there,
I noticed your question about seeing 127.0.0.1 as the client IP in your Nextcloud AIO instance when running behind Nginx Proxy Manager (NPM). I’ve experienced a very similar situation, so I wanted to step in and offer a bit of help.
This behavior happens because NPM (acting as a reverse proxy) forwards the requests to your Nextcloud container, but unless Apache is explicitly told how to handle forwarded IPs, it will just assume all requests come from localhost. That causes Nextcloud to misinterpret who’s actually accessing it, leading to brute-force protection warnings, wrong IPs in logs, and even degraded performance for legitimate users.
To properly fix this, two things must be configured together:
- Apache must be told to extract the client IP from the X-Forwarded-For header.
- Nextcloud must be told to trust your reverse proxy as a trusted proxy.
I’ve written a complete step-by-step guide to help you do exactly that:
Fixing Incorrect IP Address (127.0.0.1) in Nextcloud AIO Behind Nginx Proxy Manager
Problem Overview
When you run Nextcloud AIO behind Nginx Proxy Manager (NPM), requests are forwarded through the proxy, which reaches your Nextcloud AIO Apache container.
By default, the internal Apache server sees every request as coming from 127.0.0.1, not from the real client.
Consequences:
- IP-based brute-force protection is broken.
- Nextcloud may throttle itself (thinking your proxy is attacking).
- Logs show only 127.0.0.1.
- IP-based access control, logging, and analysis are inaccurate.
Goal
Make sure that:
- Apache correctly extracts the real IP from the X-Forwarded-For header.
- Nextcloud trusts your proxy (NPM) and doesn’t block or throttle it.
- Logs and security functions use the correct client IP.
Requirements
- You’re using Nextcloud AIO in Docker.
- You use Nginx Proxy Manager (NPM) as a reverse proxy.
- You know your NPM IP address (e.g., 192.168.1.157).
- You have SSH access and Docker permissions.
Step 1: Configure Apache in the AIO Container
Apache must be explicitly told to trust the proxy and extract the client IP.
1.1 Access the Apache container:
docker exec -it nextcloud-aio-apache bash
1.2 Enable the mod_remoteip module:
a2enmod remoteip
1.3 Create the remoteip.conf configuration:
nano /etc/apache2/conf-available/remoteip.conf
Paste the following (adjust IP to match your NPM):
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1
RemoteIPTrustedProxy ::1
RemoteIPTrustedProxy 192.168.1.157
This tells Apache to trust requests from NPM and to use the X-Forwarded-For header to determine the real client IP.
1.4 Enable the new config:
a2enconf remoteip
1.5 Restart Apache inside the container:
apachectl restart
Step 2: Configure Nextcloud to Trust the Proxy
Now that Apache knows how to find the real IP, you must tell Nextcloud to trust your proxy.
2.1 Access the Nextcloud container as root:
docker exec -u 0 -it nextcloud-aio-nextcloud bash
2.2 Open the config file:
nano /var/www/html/config/config.php
2.3 Add or update the trusted_proxies block:
'trusted_proxies' =>
array (
0 => '127.0.0.1',
1 => '::1',
2 => '192.168.1.157', // ← Your NPM IP
3 => '172.21.0.0/16', // ← Docker bridge subnet (adjust as needed)
),
If the trusted_proxies block doesn’t exist, add it right after other config values like 'overwrite.cli.url'.
2.4 Save and exit (Ctrl + X, then Y and Enter in Nano).
2.5 Exit the container:
exit
Step 3: Restart the Containers
Apply the changes by restarting the relevant containers:
docker restart nextcloud-aio-apache nextcloud-aio-nextcloud
Or, if using Docker Compose:
docker compose restart
Step 4: Verify the Fix
- Log in to your Nextcloud admin interface.
- Go to Settings > Overview.
- Look at the reported IP address:
  - If it shows the real client IP (e.g. 192.168.1.x or your WAN IP), it’s working.
  - If it still shows 127.0.0.1, go back and double-check the steps.
Final Notes
I hope this is the correct and complete fix when using Nextcloud AIO behind Nginx Proxy Manager. Even if your trusted proxies are set in config.php, you also need Apache to cooperate and correctly handle the forwarded headers.
Let me know if you run into any issues …
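Added example, not part of the original post and not Apache's or Nextcloud's own code: a simplified Python model of the right-to-left X-Forwarded-For walk that a trusted-proxy list drives, showing why that list should stay narrow. The addresses 203.0.113.7 and 10.9.9.9 are constructed, the function names are hypothetical, and the proxy is assumed to append the connecting address to any X-Forwarded-For header it received.

```python
import ipaddress

# Trusted-proxy entries from the post (192.168.1.157 is its sample NPM address).
TRUSTED = ["127.0.0.1", "::1", "192.168.1.157", "172.21.0.0/16"]


def is_trusted(addr, entries):
    """True if addr falls inside any trusted address or CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def resolve_client_ip(peer, xff, entries=TRUSTED):
    """Pick the client address for a request.

    peer: address of the TCP connection as the web server sees it.
    xff:  raw X-Forwarded-For value ("" if absent).
    """
    # A header sent by an untrusted peer is ignored entirely.
    if not is_trusted(peer, entries):
        return peer
    client = peer
    # Walk from the hop nearest the server towards the original sender.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        client = hop
        if not is_trusted(hop, entries):
            break  # first untrusted hop is the client; ignore anything left of it
    return client


if __name__ == "__main__":
    # Constructed requests: (peer, X-Forwarded-For, trusted list)
    cases = [
        ("192.168.1.157", "203.0.113.7", TRUSTED),            # normal proxied request
        ("192.168.1.157", "10.9.9.9, 203.0.113.7", TRUSTED),  # client supplied its own header
        ("203.0.113.7", "127.0.0.1", TRUSTED),                # connection that bypasses the proxy
        ("192.168.1.157", "10.9.9.9, 203.0.113.7", TRUSTED + ["0.0.0.0/0"]),  # over-broad trust
    ]
    for peer, xff, entries in cases:
        print(f"{peer:15} {xff:24} -> {resolve_client_ip(peer, xff, entries)}")
```

With the post's list, the client-supplied leftmost entry is discarded and 203.0.113.7 is used; with a catch-all range in the list, the client-supplied value becomes the address that logging and brute-force protection see.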