Reverse proxy header configuration is incorrect - Nextcloud 24 on Apache/AlmaLinux with Nginx reverse proxy on a separate host

Hey Folks,

I’m having a lot of trouble removing the warning:

“The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.”

I’ve gone through the docs and maybe I’m not understanding things correctly, because I can’t make it go away, and some of the things I’ve tried resulted in the Apache server on the Nextcloud instance not really responding or shutting down gracefully (I have to do a kill -9).

Here is the summary of the setup before I give the details.

I’ve got 2 vms.
VM1 = AlmaLinux 8.6 running HTTPD and Nextcloud 24.0.1.1
VM2 = AlmaLinux 8.6 running NGINX as the Reverse Proxy with a Letsencrypt Cert

Public DNS URL for NGINX Reverse Proxy: nextcloud-alma.prod.example.com

(Keep in mind that I’m limited to putting only 4 links in a post, so I’ll have to put spaces in URLs below. Not sure why they have this rule…?)

DETAILS:

VM 1
IP Address: 192.168.1.46
Hostname: nextcloud-alma gardc1 example com
Nextcloud version: 24.0.1.1
Operating system and version : AlmaLinux 8.6
Apache version: Apache 2.4.37
PHP version : 8.0.19

Nextcloud Config file: /var/www/html/nextcloud/config/config.php

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'nextcloud-alma gardc1 example com',
    1 => '192.168.1.46',
    2 => 'nextcloud-alma prod example com',
  ),

  'trusted_proxies' =>
  array (
    0 => '192.168.1.48',
  ),

  'forwarded_for_headers' =>
  array (
    0 => 'X-Forwarded-For',
    1 => 'HTTP_X_FORWARDED_FOR',
  ),

  'datadirectory' => '/var/nextcloud-data',
  'dbtype' => 'mysql',
  'version' => '24.0.1.1',

  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxxxxxxxx',
  'htaccess.RewriteBase' => '/',
  'mail_from_address' => 'nextcloud-alma',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'gardc1 example com',
  'mail_smtphost' => 'smtp gardc1 example com',
  'mail_smtpport' => '25',
  'default_phone_region' => 'CA',
  'memcache.locking' => '\OC\Memcache\Redis',
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => [
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 3,
  ],

  'installed' => true,
);

Apache Config file: /etc/httpd/conf.d/nextcloud.conf

<VirtualHost *:80>

    ServerName nextcloud-alma gardc1 example com
    ServerAdmin admin@gardc1 example com

    DocumentRoot /var/www/html/nextcloud

    <directory /var/www/html/nextcloud>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        SetEnv HOME /var/www/html/nextcloud
        SetEnv HTTP_HOME /var/www/html/nextcloud
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>
    </directory>

</VirtualHost>

Apache Config file: /etc/httpd/conf/httpd.conf

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf

VM 2
IP Address: 192.168.1.48
Hostname: nginx-rp gardc1 example com
Operating system and version : AlmaLinux 8.6
Nginx version : nginx 1.14.1

NGinx Config file: /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

  server {
    server_name nextcloud-alma prod example com;
        root         /usr/share/nginx/html;

        location / {
                proxy_pass http://192.168.1.46;
        }
  
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud-alma prod example com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud-alma prod example com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud-alma prod example com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

  }

  server {
    if ($host = nextcloud-alma prod example com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name nextcloud-alma prod example com;
    return 404; # managed by Certbot

  }
}

The issues I’m facing are, I believe, all related, because if I don’t use an NGINX proxy server I don’t have any of the issues or warnings.

  1. With the current config files as listed above, I get the following warnings:
  • Please make sure to set the “overwrite.cli.url” option in your config.php file to the URL that your users mainly use to access this Nextcloud. Suggestion: “http //192.168.1.46”. Otherwise there might be problems with the URL generation via cron. (It is possible though that the suggested URL is not the URL that your users mainly use to access this Nextcloud. Best is to double check this in any case.)
  • The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the [documentation](https //docs nextcloud com/server/24/go.php?to=admin-reverse-proxy).
  • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read [the documentation page about this](https //docs nextcloud com/server/24/go.php?to=admin-reverse-proxy).
  2. If I add the following to my /var/www/html/nextcloud/config/config.php file:

'overwrite.cli.url' => 'http //nextcloud-alma prod example com',
'overwriteprotocol' => 'https',

The first 2 warnings listed above go away. However, if I then restart the Nextcloud instance (VM1), when I visit https //nextcloud-alma prod example com I get redirected to:

https //192.168.1.46/index.php/apps/dashboard/

  3. If I add the following to my /var/www/html/nextcloud/config/config.php file:

'overwrite.cli.url' => 'http //nextcloud-alma prod example com',
'overwriteprotocol' => 'https',
'overwritehost' => 'nginx-rp gardc1 example com',
'overwritecondaddr' => '^192.168.1.48$',
'overwritewebroot' => '/',

Then Apache on the Nextcloud instance does not respond. I cannot even do a graceful shutdown with systemctl stop httpd.

  4. When I try to access the default included “Welcome to Nextcloud Hub.doc” from the Nextcloud UI, it attempts to open with the message:

“Loading Welcome to Nextcloud Hub.docx…”

but it never really opens.

The Apache logs show:

==> /var/log/httpd/access_log <==
192.168.1.48 - - [28/May/2022:12:54:00 -0700] "PROPFIND /remote.php/dav/files/admin/Documents/Welcome%20to%20Nextcloud%20Hub.docx HTTP/1.0" 207 603 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"
192.168.1.48 - - [28/May/2022:12:54:00 -0700] "POST /index.php/apps/text/session/sync HTTP/1.0" 200 242 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"

The NGINX proxy logs show:

==> access.log <==
174.1.51.163 - - [28/May/2022:12:53:55 -0700] "POST /index.php/apps/text/session/sync HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" "-"
174.1.51.163 - - [28/May/2022:12:53:56 -0700] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0" "-"
174.1.51.163 - - [28/May/2022:12:54:00 -0700] "PROPFIND /remote.php/dav/files/admin/Documents/Welcome%20to%20Nextcloud%20Hub.docx HTTP/1.1" 207 615 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" "-"
174.1.51.163 - - [28/May/2022:12:54:01 -0700] "POST /index.php/apps/text/session/sync HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36" "-"

None of this happened when I did not have a reverse proxy.

Help to resolve this would be appreciated.

Thanks!
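The security point behind the first warning is easy to lose in the config dump, so here is a small model of the header flow, added as an illustration for this page; it is not Nextcloud's or nginx's code, and the addresses 203.0.113.5 (browser) and 10.0.0.1 (an address an attacker wants to be seen as) are made up, while 192.168.1.46 and 192.168.1.48 are the backend and proxy from the post. Two facts from the post drive it: the posted nginx `location /` block contains no `proxy_set_header` lines, and every line of the Apache access log shows 192.168.1.48 as the client. nginx by default relays the browser's own request headers unchanged and replaces `Host` with the upstream address, so the backend sees REMOTE_ADDR = the trusted proxy and no proxy-written X-Forwarded-For. A trusted-proxy scheme consults X-Forwarded-For only when REMOTE_ADDR is trusted, walks the chain from the right stripping trusted hops, and takes the first untrusted hop as the client. The model below (a simplification of that logic, not Nextcloud's implementation) shows what that gives for the posted setup: the resolved address is still the proxy (the warning), a browser-supplied header is accepted verbatim (the spoofing the warning describes), and the fix is for the proxy itself to write X-Forwarded-For (`$proxy_add_x_forwarded_for`) and, for URL generation, to forward `Host` and `X-Forwarded-Proto`.

```python
"""Model of the forwarded-header handling behind the reverse-proxy warnings.
Added illustration, not Nextcloud's or nginx's own code.  Addresses are
made up except the backend/proxy IPs, which are the ones in the post."""
import ipaddress

PUBLIC_HOST = "nextcloud-alma.prod.example.com"
BACKEND = "192.168.1.46"      # Apache/Nextcloud VM
PROXY = "192.168.1.48"        # nginx VM; the only entry in trusted_proxies
BROWSER = "203.0.113.5"       # constructed client address


def proxy_forward(client_addr, client_headers, xff_mode, forward_origin=False):
    """Headers a reverse proxy hands to the backend for one request.

    xff_mode models nginx's X-Forwarded-For choices:
      "passthrough": no proxy_set_header (the posted config); whatever the
                     browser sent is relayed unchanged
      "append":      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
      "replace":     proxy_set_header X-Forwarded-For $remote_addr
    forward_origin=False is nginx's default (Host rewritten to the upstream
    address, nothing added); True models 'proxy_set_header Host $host' plus
    'X-Forwarded-Proto $scheme' on an HTTPS listener.
    """
    h = dict(client_headers)
    incoming = h.get("X-Forwarded-For", "")
    if xff_mode == "append":
        h["X-Forwarded-For"] = f"{incoming}, {client_addr}" if incoming else client_addr
    elif xff_mode == "replace":
        h["X-Forwarded-For"] = client_addr
    elif xff_mode != "passthrough":
        raise ValueError(xff_mode)
    if forward_origin:
        h["Host"] = client_headers.get("Host", PUBLIC_HOST)
        h["X-Forwarded-Proto"] = "https"
    else:
        h["Host"] = BACKEND
    return h


def _trusted_matcher(trusted_proxies):
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:        # junk in a header is never a trusted hop
            return False
    return trusted


def client_ip(remote_addr, headers, trusted_proxies):
    """Return (client address, header_config_ok).

    X-Forwarded-For is consulted only when REMOTE_ADDR is a trusted proxy.
    The chain is walked from the right and every trusted proxy stripped;
    the first untrusted hop is the client, and anything left of it was
    written by someone we do not trust.  header_config_ok is False when
    every hop is a trusted proxy, i.e. the proxy never said who the real
    client is: the condition the "reverse proxy header configuration is
    incorrect" warning reports.
    """
    trusted = _trusted_matcher(trusted_proxies)
    if not trusted(remote_addr):
        return remote_addr, True          # direct client: header is ignored
    hops = [x.strip() for x in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([x for x in hops if x]):
        if not trusted(hop):
            return hop, True
    return remote_addr, False


def url_origin(remote_addr, headers, trusted_proxies,
               overwritehost=None, overwriteprotocol=None):
    """Scheme and host the app bakes into generated URLs (simplified:
    overwrite* settings win, then forwarded headers from a trusted proxy,
    then what the web server itself saw)."""
    trusted = _trusted_matcher(trusted_proxies)(remote_addr)
    proto = overwriteprotocol or (headers.get("X-Forwarded-Proto") if trusted else None) or "http"
    host = overwritehost or (headers.get("X-Forwarded-Host") if trusted else None) or headers["Host"]
    return f"{proto}://{host}"


def request(xff_mode, forward_origin=False, browser_headers=None,
            trusted=(PROXY,), **overwrite):
    """Browser -> proxy -> backend; returns (client ip, config ok, URL origin)."""
    hdrs = {"Host": PUBLIC_HOST, **(browser_headers or {})}
    seen = proxy_forward(BROWSER, hdrs, xff_mode, forward_origin)
    ip, ok = client_ip(PROXY, seen, trusted)
    return ip, ok, url_origin(PROXY, seen, trusted, **overwrite)


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "10.0.0.1"}
    print(request("passthrough"))                          # posted config: the warning
    print(request("passthrough", browser_headers=spoof))   # spoofed address accepted
    print(request("append", browser_headers=spoof))        # proxy appends: spoof ignored
    print(request("append", forward_origin=True))          # URLs get the public name
    print(request("passthrough", overwriteprotocol="https"))  # the 192.168.1.46 redirect
```

The first call reproduces the post's symptoms from the model alone: the resolved client is 192.168.1.48 with the header check failing, and the generated origin is http://192.168.1.46, the same value the overwrite.cli.url suggestion offered. Setting only `overwriteprotocol` changes that to https://192.168.1.46, which is where the poster's browser was redirected. The second call is the attack the warning text is about, and the third shows why the append form is safe even when the browser supplies its own header: the rightmost untrusted hop is always the one the proxy wrote.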