[Solved] Trusted proxies/Cloudflare and Kubernetes

Nextcloud version (eg, 12.0.2): 16.0.0
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): Latest Docker image
PHP version (eg, 7.1): Latest Docker image

The issue you are facing:

Hi! I have deployed the latest Nextcloud 16 default Docker image to a Kubernetes cluster, and in the Admin/Overview page I see this message:

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.

I’ve read about the trusted proxies setting, but I don’t know what IPs to set in this case since it’s a Kubernetes cluster. I am using Nginx as the ingress controller. I have temporarily set trusted proxies to 127.0.0.1 and the error went away but I am not sure of the implications.

I’m also using Cloudflare. Do I have to do anything in particular so that Nextcloud sees the actual IP of the user considering that I am using Kubernetes?

I can find very little on running Nextcloud on top of Kubernetes unfortunately.

Is this the first time you’ve seen this error? (Y/N):

Yes. Before v16 on Kubernetes I was running v15 on plain Docker and didn’t have this issue - in that case I was using the FPM image behind an instance of Nginx with a custom configuration, so it was a bit easier. However I didn’t even have trusted_proxies set and I didn’t see the error above.

Steps to replicate it:

  1. Deploy the latest v16 Docker image (default one) to Kubernetes with Nginx as ingress controller
  2. Check Admin/Overview

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

https://ybin.me/p/4bbb7bfc2fa0ef17#g0sCSw0qaXVb6K+UOobTw1HQQrQjw2LYalc3yn9sh4I=

In case it can be useful to someone, these are the settings I ended up with, which seem to work and I get my actual IP in the logs, not Cloudflare’s.

  'trusted_proxies' => array('10.42.0.0/16', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '104.16.0.0/12', '108.162.192.0/18', '131.0.72.0/22', '141.101.64.0/18', '162.158.0.0/15', '172.64.0.0/13', '173.245.48.0/20', '188.114.96.0/20', '190.93.240.0/20', '197.234.240.0/22', '198.41.128.0/17', '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32', '2405:8100::/32', '2c0f:f248::/32', '2a06:98c0::/29'),
  'forwarded_for_headers' => array('HTTP_CF_CONNECTING_IP'),

This ensures that requests coming from any of Cloudflare’s IPs use the correct header HTTP_CF_CONNECTING_IP to identify the user’s IP.

2 Likes
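
What these two settings do can be checked with a small model of the lookup, added here as an example (it is not Nextcloud's code and not from the original post): a forwarded header is believed only when the connecting address falls inside trusted_proxies. The function names and sample addresses are constructed for illustration, and the lookup logic is a simplified assumption about how the two settings interact.

```python
import ipaddress

# trusted_proxies and forwarded_for_headers exactly as posted above.
TRUSTED_PROXIES = """
10.42.0.0/16 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22
198.41.128.0/17 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2c0f:f248::/32 2a06:98c0::/29
""".split()
FORWARDED_FOR_HEADERS = ["HTTP_CF_CONNECTING_IP"]
NETWORKS = [ipaddress.ip_network(cidr) for cidr in TRUSTED_PROXIES]


def is_trusted_proxy(addr):
    """True when addr (the TCP peer) is inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in NETWORKS)


def resolve_client_ip(server):
    """Simplified model: forwarded headers count only if the peer is trusted."""
    remote = server.get("REMOTE_ADDR", "")
    if is_trusted_proxy(remote):
        for header in FORWARDED_FOR_HEADERS:
            candidate = server.get(header, "").split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # header absent or not an IP: fall back to the peer
    return remote


# Constructed sample requests (documentation-range client addresses).
SAMPLES = [
    {"REMOTE_ADDR": "172.68.1.10", "HTTP_CF_CONNECTING_IP": "203.0.113.7"},    # Cloudflare peer
    {"REMOTE_ADDR": "198.51.100.23", "HTTP_CF_CONNECTING_IP": "203.0.113.7"},  # untrusted peer
    {"REMOTE_ADDR": "10.42.3.15", "HTTP_CF_CONNECTING_IP": "203.0.113.7"},     # cluster peer
    {"REMOTE_ADDR": "10.42.3.15"},                                             # header missing
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(request["REMOTE_ADDR"], "->", resolve_client_ip(request))
```

Because 10.42.0.0/16 is trusted, whatever CF-Connecting-IP value arrives from a cluster address is accepted, so the logged IP is only as reliable as the path into the ingress. A peer outside the list, including 127.0.0.1, has its header ignored and is logged under its own address.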

Thanks for sharing the knowledge!
Just had the same issue running normal Nextcloud behind Cloudflare and a reverse proxy. The header is preserved.