Preserving Client IP To Allow fail2ban To Work

I’ve searched this forum but can’t seem to find a solution.

I have a NextCloud instance running on Ubuntu 16.04.1 (xenial) sitting behind Sophos. I’ve set up Webserver Protection and can access the server properly. All of this is working perfectly. However, I wanted to be able to use fail2ban to block IPs with excessive incorrect logins. The problem is that fail2ban is only recording the UTM IP address in its logs. I’ve seen posts about a solution when using IIS but I’m not using MS IIS. The NextCloud server is Apache on Ubuntu 16.04.1. I also recognize that I could use DNAT instead of Webserver Protection; however, I have more than 1 webserver using port 443 and I need Webserver Protection to be able to route properly, otherwise I can only use a single server on that port.

Any thoughts on how this can be resolved? I’d like for the users’ IP addresses to be recorded rather than the UTM IP address.

I’ve also read articles about using ‘trusted_proxies’ and ‘forwarded_for_headers’ but those are beyond my understanding at this time. Hoping someone can help me close the knowledge gap and explain how this will help me maintain the original IP address. Not sure it can since the issue is likely to do with the UTM and I would have to configure the UTM to allow passing through the client IP. So if you have experience with Sophos and Nextcloud using Webserver Protection and Fail2ban, would love to hear from you.

You need your proxy to add forwarded_for_headers. A different way would be to set up a filter already on your proxy. Not sure if it is possible and easy to configure such rules with your proxy server.

Ok so I’ve finally figured out how to resolve this issue.

The documentation on https://docs.nextcloud.com/server/10/admin_manual/configuration_server/reverse_proxy_configuration.html was really light on the solution so after a bunch of digging and trial and error, here is what worked for me. As I’m still a newbie at this, it took me some time to figure this out.

config/config.php
Add the following 2 lines. The first is the IP address of my Sophos UTM serving as my proxy through WAF. The second is what tells Nextcloud to grab the original IP address instead of the UTM address.

'trusted_proxies' => array('192.168.1.1'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_X_FORWARDED_FOR'),

Save the config file and reboot the server (for good measure).

Once the server rebooted, I was able to confirm that the correct IP address is now tracked within the log files.

BTW I was following this tutorial for setting up Fail2ban on Nextcloud.

Thank you! This really helped me.

Although, there is still an issue.

Once Fail2Ban blocks an address, it doesn’t actually block that endpoint because the client is not connecting to the Nextcloud server directly as it’s still behind a proxy. I’m working around this issue by using Fail2Ban to back feed the IP addresses to my perimeter firewall.

One other problem is that the “X_Forwarded_For” header can be modified on the client side, feeding Fail2Ban false information.

Verified this using HAProxy and Nextcloud 19.

But, for a majority of the population using unmodified “X_Forwarded_For” headers, this will work.

I’m going to keep this configuration for now, but I’m still looking for a more accurate solution.

Found a working config:

HAProxy (backend):
option forwardfor header X-Real-IP

Apache2:
Enable “mod_remoteip” (Ubuntu: a2enmod remoteip)
/etc/apache2/conf-enabled/proxy_remoteip.conf
RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16

Nextcloud:
…/nextcloud/config/config.php
'trusted_proxies' => array('INSERT_YOUR_PROXY_IP_HERE'),
'forwarded_for_headers' => ['HTTP_X_REAL_IP'],

I now get the actual client IP in the logs and Fail2Ban can react properly. If anyone can find an issue with this configuration, I’m all ears.
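
Added example, not written by any poster in this thread and not Nextcloud's or Apache's own code: a Python model of the trust decision that 'trusted_proxies' and RemoteIPTrustedProxy configure, generalized to a comma-separated forwarding header, showing why a value the client put in the header does not reach the log when only entries vouched for by your own proxy are believed. The function names and sample addresses are constructed, and it assumes the proxy appends the address it saw to the right of whatever header the client sent.

```python
import ipaddress

def resolve_client_ip(peer_ip, header_value, trusted_proxies):
    """Pick the address to log and ban for one request.

    peer_ip         -- source address of the TCP connection the web server sees
    header_value    -- raw comma-separated forwarding header, or None
    trusted_proxies -- IPs/CIDRs of the proxies you operate
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    # A header is only believed when the connection came from our own proxy.
    if not header_value or not is_trusted(current):
        return str(current)
    # Walk right to left: each trusted hop vouches for the entry it appended.
    for hop in reversed(header_value.split(",")):
        try:
            current = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        if not is_trusted(current):
            break  # first address that is not ours is the client
    return str(current)


def naive_leftmost(header_value):
    """What a log would show if the first header entry were taken at face value."""
    return header_value.split(",")[0].strip()


# Constructed sample values: 192.168.1.1 is the proxy address used in the thread,
# the 203.0.113.x / 198.51.100.x addresses are documentation ranges.
PROXY = ["192.168.1.1"]
FORGED = "198.51.100.99, 203.0.113.7"  # client sent the first entry itself

if __name__ == "__main__":
    print(resolve_client_ip("192.168.1.1", "203.0.113.7", PROXY))  # via proxy
    print(resolve_client_ip("192.168.1.1", FORGED, PROXY))         # forged prefix
    print(naive_leftmost(FORGED))                                   # forged value wins
    print(resolve_client_ip("203.0.113.7", "10.0.0.5", PROXY))     # proxy bypassed
```

The last call covers a request that reaches the web server without passing through the proxy: its header is ignored entirely, which is why the trusted list should contain only proxies you operate.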