[SOLVED] Nextcloud 15 redirect to local IP

Albirew · January 16, 2019, 8:55pm

After update to NC15, NC server redirrect access attempts to local IPv6
Access is made this way:

client connect to subdomain
ports 80 and 443 are forwarded from box/modem-router to front apache server
apache serve client by internally proxypass requests to NC server using it’s local IP

Nextcloud version : 15.0.2
Operating system and version : Debian 10
Apache or nginx version : Apache 2.4.25
PHP version : 7.0

The issue you are facing:

Is this the first time you’ve seen this error? : Yes

Steps to replicate it:

Having a front server working as web server with proxypass and proxypass reverse (same config as NC) and another web server with NC 14.0.6 on it
using apache to proxify sub.domain.tld to NC server using local IP (eg: 192.168.1.12)
adding sub.domain.tld as trusted domains and working with it
updating NC to 15.0.2

The output of your Nextcloud log in Admin > Logging:

nothing (last entry is prior update and is about storage temporary unavailable)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_domains' => 
  array (
    0 => 'nuage.REDACTED.fr',
    1 => '192.168.1.12',
    2 => '[fe80::12]',
  ),
  'datadirectory' => '/srv/REDACTED/subdomains/cloud-data',
  'overwrite.cli.url' => 'https://nuage.REDACTED.fr/',
  'dbtype' => 'mysql',
  'version' => '15.0.2.0',
  'dbname' => 'cloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'cloud',
  'dbpassword' => 'REDACTED',
  'logtimezone' => 'Europe/Paris',
  'log_type' => 'owncloud',
  'logfile' => '/srv/REDACTED/logs/nextcloud.log',
  'loglevel' => 2,
  'log_rotate_size' => '104857600',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'mail_domain' => 'REDACTED.fr',
  'mail_smtpmode' => 'php',
  'mail_from_address' => 'nuage',
  'appstore.experimental.enabled' => true,
  'maintenance' => false,
  'theme' => '',
  'overwriteprotocol' => 'https',
  'mail_smtpauthtype' => 'LOGIN',
  'updater.secret' => 'REDACTED',
);

The output of your Apache/nginx/system log in /var/log/____:

[Wed Jan 16 08:51:04.432674 2019] [proxy_fcgi:error] [pid 18926:tid 139746458121984] (70007)The timeout specified has expired: [client fe80::11:34798] AH01075: Error dispatching request to : (polling)
[Wed Jan 16 20:50:59.378974 2019] [proxy_fcgi:error] [pid 18926:tid 139746609190656] (70007)The timeout specified has expired: [client fe80::11:36924] AH01075: Error dispatching request to : (polling)

I’d like to add that this configuration worked well up until the update from NC14 to NC15.
And since someone’s may ask for it, here’s the front server’s apache config:

<VirtualHost *:80>
  ServerName nuage.REDACTED.fr
  ServerAdmin REDACTED

  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
#####################################################################
<VirtualHost *:443>
  SSLEngine on
#LetsEncrypt
  SSLOpenSSLConfCmd DHParameters /REDACTED/dhparams_4096.pem
  SSLCertificateFile /REDACTED/fullchain.pem
  SSLCertificateKeyFile /REDACTED/privkey.pem
  Protocols h2 http/1.1

  ServerName nuage.REDACTED.fr
  ServerAdmin REDACTED

#  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    Header always set Referrer-Policy "strict-origin"
#  </IfModule>

  ProxyPass / http://[fe80::12]:80/
  ProxyPassReverse / http://[fe80::12]:80/
  ProxyPassReverseCookiePath / /

</VirtualHost>

egeu5 · January 20, 2019, 7:31pm

I have the same issue in a really similar situation. The biggest difference is that my problem is with Ipv4. The serversituation is almost the same Apache with proxypass. It was working for a long time until the update.

Probably a bug? Or some redirect stuff in a .htaccess file or something else…

jzapp · January 21, 2019, 10:56am

Same problem for me, happening in NGINX too.

This sounds like a bug where PHP is using the server provided hostname and port for redirection rather than the one requested by the client. It’s a pretty classic slip-up that I’ve made a few times myself.

This is new in 15.0.2, it didn’t happen in 15.0.0

Bug reported: https://github.com/nextcloud/server/issues/13713

Albirew · January 22, 2019, 7:24pm

So, according to this comment:

trust HTTP_FORWARDED_HOST only if proxy is trusted proxy

I needed to add a new trusted_proxies array in config.php file in order to work again
Here’s what I put according to what I posted in OP:

  'trusted_domains' => 
  array (
    0 => 'nuage.REDACTED.fr',
    1 => '192.168.1.12',
    2 => '[fe80::12]',
  ),
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '192.168.1.11',
    3 => 'fe80::11',
  ),
  'datadirectory' => '/srv/REDACTED/subdomains/cloud-data',

fe80::11 being the front server tunneling (proxyfying?) data to NC server / the internet.
Result is that is working for now (1st connection attempt was a little long but the after that, it was OK)

egeu5 · January 24, 2019, 4:00pm

Thank you! This is working for me.
Greetings

antoniogamiz · May 29, 2020, 9:55pm

I have the same problem, my domain gets resolved to localhost:8000 in the desktop client login flow. I have added localhost to the trusted_proxies array and it’s not working.
The domain gets redirected (by nginx) to localhost:8000, where is the nextcloud server. I mean, nginx and the nextcloud server are in the same host.
Any idea what’s wrong in my case?

devnull · May 30, 2020, 5:48am

Do you need nginx and apache2. Please open an own thread.

Albirew · May 30, 2020, 11:31am

I believe it’s on a docker container seeing the port number…
I believe you should add 127.0.0.1 instead of localhost in trusted_proxies and anything you want to use to access NxC from outside in trusted_domains
Also, see how is it accessed from nginx and if it is present in trusted_domains just in case