Real clients IPs behind cloudflare issues

Hi,
I’m experiencing an issue with getting my clients’ IPs back behind Cloudflare.
I was able to do everything needed with the CF_CONNECTING_IP flag.
The Apache and Nextcloud logs get the right IPs and not Cloudflare’s one.
The issue is that external share links don’t work anymore.
I get an access forbidden error when I try to load a share link.
If I undo the changes I made, everything works again.

Here are the details of my install


Nextcloud version (eg, 20.0.5): 29.0.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.52
PHP version (eg, 7.4): 8.2

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Configure your server to get clients’ IPs back with the CF_CONNECTING_IP RemoteIP header
  2. Configure Nextcloud to accept this header
  3. Make a file or folder and create a public share link
  4. Open the share link you just created in a private window

The output of your Nextcloud log in Admin > Logging:

{"reqId":"Zk3hV1GuNQSFpdV3fqo2XgAAAAs","level":3,"time":"2024-05-22T12:13:11+00:00","remoteAddr":"*REDACTED*","user":"--","app":"webdav","method":"PROPFIND","url":"/public.php/dav/files/mAzbZ9gXLMKw8Pf/","message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"29.0.0.19","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","Code":0,"Trace":[{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php","line":155,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/public.php","line":101,"args":["/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php"],"function":"require_once"}],"File":"/var/www/next.cloud.com/apps/dav/lib/Connector/Sabre/Directory.php","Line":256,"message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","exception":[],"CustomMessage":"No read permissions. This might be caused by files_accesscontrol, check your configured rules"},"id":"664de15c8803f"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '*REDACTED*',
  'passwordsalt' => '*REDACTED*',
  'secret' => '*REDACTED*',
  'trusted_domains' =>
  array (
    0 => '*REDACTED*'
  ),
  'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '173.245.48.0/20',
    3 => '103.21.244.0/22',
    4 => '103.22.200.0/22',
    5 => '103.31.4.0/22',
    6 => '141.101.64.0/18',
    7 => '108.162.192.0/18',
    8 => '190.93.240.0/20',
    9 => '188.114.96.0/20',
    10 => '197.234.240.0/22',
    11 => '198.41.128.0/17',
    12 => '162.158.0.0/15',
    13 => '104.16.0.0/12',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
  ),

  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/Nekocorp-User-data/*REDACTED*/data',
  'dbtype' => 'mysql',
  'version' => '29.0.0.19',
  'overwrite.cli.url' => 'http://*REDACTED*',
  'dbname' => '*REDACTED*',
  'dbhost' => '*REDACTED*',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '*REDACTED*',
  'dbpassword' => '*REDACTED*',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '127.0.0.1',
    'port' => '6379',
  ),
  'default_phone_region' => 'FR',
  'mail_from_address' => '*REDACTED*',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '*REDACTED*.fr',
  'mail_smtphost' => '*REDACTED*',
  'mail_smtpport' => '*REDACTED*',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '*REDACTED*',
  'mail_smtppassword' => '*REDACTED*',
  'app_install_overwrite' =>
  array (
    0 => 'officeonline',
    1 => 'whiteboard',
    2 => 'files_antivirus',
    3 => 'googledocsredirect',
    4 => 'apporder',
    5 => 'integration_moodle',
    6 => 'group_default_quota',
    7 => 'keeporsweep',
    8 => 'files_mindmap',
    9 => 'printer',
    10 => 'integration_whiteboard',
    11 => 'video_converter',
    12 => 'carnet',
    13 => 'caniupdate',
    14 => 'impersonate',
    15 => 'ocsms',
    16 => 'hancomoffice',
    17 => 'wopi',
    18 => 'admin_notifications',
    19 => 'pdfdraw',
    20 => 'cfg_share_links',
    21 => 'shifts',
    22 => 'richdocumentscode',
    23 => 'files_downloadactivity',
    24 => 'camerarawpreviews',
    25 => 'hibp',
    26 => 'metadata',
    27 => 'externalportal',
    28 => 'extract',
    29 => 'files_downloadlimit',
    30 => 'circles',
    31 => 'integration_ews',
    32 => 'fulltextsearch',
    33 => 'guests',
    34 => 'secrets',
    35 => 'twofactor_email',
    36 => 'user_cas',
    37 => 'workspace',
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'maintenance_window_start' => '“19”',
  'updater.release.channel' => 'stable',
  'mail_smtpsecure' => 'ssl',
);

My apache2 config file:

<VirtualHost *:80>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ServerSignature Off
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ErrorLog /var/log/apache2/*REDACTED*_error.log

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =*REDACTED*
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP
    RemoteIPTrustedProxy 127.0.0.1 ::1
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/*REDACTED*_error.log
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ServerSignature Off

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/*REDACTED*/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/*REDACTED*/privkey.pem
</VirtualHost>

I don’t think “access denied” is related to reverseproxy headers.

If you access the file share from a private browser session you act as an anonymous user - did you allow anonymous access to the share in question?

You have many apps in place - check whether one of them causes the problem, e.g. Files download limit - Apps - App Store - Nextcloud

UPDATE: OP created a GH issue: [Bug]: Real clients IPs behind cloudflare issues --> forbidden access to public shares · Issue #45450 · nextcloud/server · GitHub. It looks like there was some confusion with the headers rewrite and the trusted_proxies config.
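As an added illustration of the trusted_proxies / forwarded_for_headers rule (this is a model written for this thread, not Nextcloud's or Apache's own code), the Python below uses the proxy ranges from the config.php above and shows why the peer address matters: the CF_CONNECTING_IP value is honoured only when REMOTE_ADDR is inside one of those ranges, so once Apache's mod_remoteip has already rewritten REMOTE_ADDR to the visitor's address Nextcloud sees a non-proxy peer and uses it directly, and a forged header from a non-Cloudflare peer is ignored. The request dictionaries are constructed samples.

```python
import ipaddress

# trusted_proxies and forwarded_for_headers as posted in the config.php above
TRUSTED_PROXIES = [
    "127.0.0.1", "::1",
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]
FORWARDED_FOR_HEADERS = ["HTTP_CF_CONNECTING_IP"]

def is_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True when the TCP peer address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted)

def resolve_client_ip(server, trusted=TRUSTED_PROXIES, headers=FORWARDED_FOR_HEADERS):
    """Model (not Nextcloud's own code) of the trusted-proxy rule: the forwarded
    header is honoured only when REMOTE_ADDR is a trusted proxy, else the peer is the client."""
    remote_addr = server.get("REMOTE_ADDR", "")
    if not remote_addr or not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    for header in headers:
        for candidate in server.get(header, "").split(","):
            candidate = candidate.strip().strip("[]")  # bracketed IPv6 literal
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # empty or malformed entry: try the next one
            return candidate
    return remote_addr

# Constructed sample requests, as PHP's $_SERVER would present them.
SAMPLES = {
    # Cloudflare edge (inside 172.64.0.0/13) forwards the visitor: header honoured.
    "via_cloudflare": {"REMOTE_ADDR": "172.64.1.2", "HTTP_CF_CONNECTING_IP": "203.0.113.9"},
    # Apache mod_remoteip already replaced REMOTE_ADDR with the visitor's address, so the
    # peer is no longer a trusted proxy; the header is skipped but the result is the same.
    "after_mod_remoteip": {"REMOTE_ADDR": "203.0.113.9", "HTTP_CF_CONNECTING_IP": "203.0.113.9"},
    # Direct connection from a non-proxy peer carrying a forged header: the peer wins.
    "forged_direct": {"REMOTE_ADDR": "198.51.100.7", "HTTP_CF_CONNECTING_IP": "127.0.0.1"},
}

def resolve_samples():
    """Map each sample name to the address the trusted-proxy rule would log."""
    return {name: resolve_client_ip(req) for name, req in SAMPLES.items()}
```

Calling resolve_samples() yields 203.0.113.9 for the first two cases and 198.51.100.7 for the forged one, which is the behaviour that makes IP-based rules (brute-force protection, files_accesscontrol) safe to apply only to addresses derived this way.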