Hi,
I’m experiencing an issue with getting my clients’ IPs back behind Cloudflare.
I was able to do everything needed with the CF_CONNECTING_IP header.
The Apache and Nextcloud logs now show the right IPs and not Cloudflare’s.
The issue is that external share links don’t work anymore.
I get an access forbidden error when I try to load a share link.
If I undo the changes I made, everything works again.
Here are the details of my install
[/details]
Nextcloud version (eg, 20.0.5): 29.0.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.52
PHP version (eg, 7.4): 8.2
Is this the first time you’ve seen this error? (Y/N): Y
Steps to replicate it:
- Configure your web server to recover the client IP from the CF_CONNECTING_IP header (Apache RemoteIPHeader)
- Configure nextcloud to accept this header
- Make a file or folder and create a public share link
- Open the share link you just created in a private window
The output of your Nextcloud log in Admin > Logging:
{"reqId":"Zk3hV1GuNQSFpdV3fqo2XgAAAAs","level":3,"time":"2024-05-22T12:13:11+00:00","remoteAddr":"*REDACTED*","user":"--","app":"webdav","method":"PROPFIND","url":"/public.php/dav/files/mAzbZ9gXLMKw8Pf/","message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"29.0.0.19","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","Code":0,"Trace":[{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","lin
e":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php","line":155,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/public.php","line":101,"args":["/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php"],"function":"require_once"}],"File":"/var/www/next.cloud.com/apps/dav/lib/Connector/Sabre/Directory.php","Line":256,"message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","exception":[],"CustomMessage":"No read permissions. This might be caused by files_accesscontrol, check your configured rules"},"id":"664de15c8803f"}
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
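<?php
// Nextcloud config.php as posted (values marked *REDACTED* by the reporter).
// Rewritten with short array syntax. All values are unchanged except
// 'maintenance_window_start': the posted value '“19”' carries typographic quotes
// inside the string, so it is not a valid hour; it is replaced with the integer
// 19 that was presumably intended — TODO confirm with the reporter.
$CONFIG = [
    'instanceid' => '*REDACTED*',
    'passwordsalt' => '*REDACTED*',
    'secret' => '*REDACTED*',
    'trusted_domains' => [
        '*REDACTED*',
    ],
    // Per the Nextcloud admin docs, 'forwarded_for_headers' is only consulted
    // when the address PHP sees in REMOTE_ADDR matches an entry in this list.
    // NOTE(review): the Apache vhost in the same report already rewrites the
    // client address with mod_remoteip (RemoteIPHeader CF_CONNECTING_IP), so
    // REMOTE_ADDR here is presumably the end-client IP rather than a Cloudflare
    // edge IP — confirm which layer is meant to resolve the client IP, and keep
    // this list and Apache's RemoteIPTrustedProxy list in agreement.
    'trusted_proxies' => [
        '127.0.0.1',
        '::1',
        '173.245.48.0/20',
        '103.21.244.0/22',
        '103.22.200.0/22',
        '103.31.4.0/22',
        '141.101.64.0/18',
        '108.162.192.0/18',
        '190.93.240.0/20',
        '188.114.96.0/20',
        '197.234.240.0/22',
        '198.41.128.0/17',
        '162.158.0.0/15',
        '104.16.0.0/12',
        '172.64.0.0/13',
        '131.0.72.0/22',
    ],
    // Header that carries the real client IP, in PHP's $_SERVER key spelling.
    'forwarded_for_headers' => [
        'HTTP_CF_CONNECTING_IP',
    ],
    'overwriteprotocol' => 'https',
    'datadirectory' => '/var/www/Nekocorp-User-data/*REDACTED*/data',
    'dbtype' => 'mysql',
    'version' => '29.0.0.19',
    // NOTE(review): scheme is http:// while 'overwriteprotocol' is https —
    // verify this is intended (the host part is redacted here).
    'overwrite.cli.url' => 'http://*REDACTED*',
    'dbname' => '*REDACTED*',
    'dbhost' => '*REDACTED*',
    'dbport' => '',
    'dbtableprefix' => 'oc_',
    'mysql.utf8mb4' => true,
    'dbuser' => '*REDACTED*',
    'dbpassword' => '*REDACTED*',
    'installed' => true,
    'memcache.local' => '\\OC\\Memcache\\Redis',
    'memcache.locking' => '\\OC\\Memcache\\Redis',
    'redis' => [
        'host' => '127.0.0.1',
        'port' => '6379',
    ],
    'default_phone_region' => 'FR',
    'mail_from_address' => '*REDACTED*',
    'mail_smtpmode' => 'smtp',
    'mail_smtpauthtype' => 'LOGIN',
    'mail_sendmailmode' => 'smtp',
    'mail_domain' => '*REDACTED*.fr',
    'mail_smtphost' => '*REDACTED*',
    'mail_smtpport' => '*REDACTED*',
    'mail_smtpauth' => 1,
    'mail_smtpname' => '*REDACTED*',
    'mail_smtppassword' => '*REDACTED*',
    // Apps whose installation was forced despite a compatibility mismatch.
    'app_install_overwrite' => [
        'officeonline',
        'whiteboard',
        'files_antivirus',
        'googledocsredirect',
        'apporder',
        'integration_moodle',
        'group_default_quota',
        'keeporsweep',
        'files_mindmap',
        'printer',
        'integration_whiteboard',
        'video_converter',
        'carnet',
        'caniupdate',
        'impersonate',
        'ocsms',
        'hancomoffice',
        'wopi',
        'admin_notifications',
        'pdfdraw',
        'cfg_share_links',
        'shifts',
        'richdocumentscode',
        'files_downloadactivity',
        'camerarawpreviews',
        'hibp',
        'metadata',
        'externalportal',
        'extract',
        'files_downloadlimit',
        'circles',
        'integration_ews',
        'fulltextsearch',
        'guests',
        'secrets',
        'twofactor_email',
        'user_cas',
        'workspace',
    ],
    'maintenance' => false,
    'theme' => '',
    'loglevel' => 2,
    // Hour (0-23) at which background maintenance may start; was '“19”'.
    'maintenance_window_start' => 19,
    'updater.release.channel' => 'stable',
    'mail_smtpsecure' => 'ssl',
];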
My apache2 config file:
# HTTP vhost: its only job is the redirect to HTTPS (RewriteRule below), but it
# still applies mod_remoteip to CF_CONNECTING_IP.
# NOTE(review): no RemoteIPTrustedProxy/RemoteIPInternalProxy is set in this
# vhost, unlike the :443 vhost; without a trust list mod_remoteip accepts the
# header from any peer, so the client address written to this access log is
# unauthenticated — confirm, and consider mirroring the :443 trust list here.
# NOTE(review): Cloudflare's header is spelled CF-Connecting-IP; mod_remoteip
# looks the configured name up against the request headers as written, so check
# that the underscore spelling actually matches in this deployment (the report
# says the logs show client IPs, so something may be normalising it).
<VirtualHost *:80>
DocumentRoot "/var/www/nextcloud"
ServerName *REDACTED*
RemoteIPHeader CF_CONNECTING_IP
# Order/Allow are 2.2-style access control; on 2.4 they depend on
# mod_access_compat ("Require all granted" is the native 2.4 form).
<Directory "/var/www/nextcloud/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ServerSignature Off
# "access_logs" is a LogFormat nickname defined elsewhere (not on this page).
CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
ErrorLog /var/log/apache2/*REDACTED*_error.log
# Permanent redirect of every request to the HTTPS vhost.
RewriteEngine on
RewriteCond %{SERVER_NAME} =*REDACTED*
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# HTTPS vhost serving Nextcloud. RemoteIPTrustedProxy limits the peers allowed
# to supply CF_CONNECTING_IP to localhost only.
# NOTE(review): if Cloudflare's edge connects to this vhost directly, its public
# ranges are not in this trust list and the header is ignored; if requests
# instead arrive through a local tunnel/proxy on 127.0.0.1, this list is right,
# but then the Cloudflare ranges in Nextcloud's trusted_proxies never match
# REMOTE_ADDR — confirm how requests reach this vhost and align both lists.
<VirtualHost *:443>
DocumentRoot "/var/www/nextcloud"
ServerName *REDACTED*
RemoteIPHeader CF_CONNECTING_IP
RemoteIPTrustedProxy 127.0.0.1 ::1
# HSTS for 180 days, including subdomains.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
# Order/Allow are 2.2-style access control; on 2.4 they depend on
# mod_access_compat ("Require all granted" is the native 2.4 form).
<Directory "/var/www/nextcloud/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/*REDACTED*_error.log
# "access_logs" is a LogFormat nickname defined elsewhere (not on this page).
CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
ServerSignature Off
# TLS settings come from the certbot-managed include; certificate paths below.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/*REDACTED*/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/*REDACTED*/privkey.pem
</VirtualHost>