The notify_push application fails its setup self-test with a trusted proxy error in a Docker Swarm environment that is behind Traefik and an external Cloudflare Tunnel

The Basics

  • Nextcloud Server version: 31.0.7
  • Operating system and version: The Nextcloud container is based on Debian, running on Ubuntu 22.04 Docker Swarm nodes.
  • Web server and version: Apache/2.4.62 (Debian)
  • Reverse proxy and version: Traefik 2.x
  • PHP version: 8.3.23
  • Is this the first time you’ve seen this error? (Yes / No): Yes
  • When did this problem seem to first start? During the initial setup of the notify_push application.
  • Installation method: Docker Swarm deployment using the official nextcloud:31.0.7 image.
  • Are you using Cloudflare, mod_security, or similar? (Yes / No): Yes, Cloudflare Tunnel (cloudflared).

Summary of the issue you are facing:

The notify_push application fails its setup self-test with a trusted proxy error in a Docker Swarm environment that is behind Traefik and an external Cloudflare Tunnel. The notify_push:setup command consistently fails, the desktop client reports the app is not enabled, notify_push:metrics shows 0 connections, and the notify_push:log command exits immediately without output, suggesting a crash.

Steps to replicate it:

  1. Deploy Nextcloud 31.0.7 in a Docker Swarm environment.

  2. Place the swarm behind a Traefik reverse proxy.

  3. Place the entire setup behind a Cloudflare Tunnel (cloudflared).

  4. Install the notify_push app and its binary within the Nextcloud container.

  5. Attempt to run php /var/www/html/occ notify_push:setup https://

Log entries

Nextcloud

The occ notify_push:setup command produces the following error. The main Nextcloud log does not show any additional errors related to this, only the standard status.php checks.

```text
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
🗴 push server is not a trusted proxy by Nextcloud or another proxy in the chain.
Nextcloud resolved the following client address for the test request: "172.16.200.89" instead of the expected "1.2.3.4" test value.
The following trusted proxies are currently configured: "10.1.10.61", "172.16.200.0/24"
The following x-forwarded-for header was received by Nextcloud: "10.1.10.61"
from the following remote: 172.16.200.89
✓ All proxies in the chain appear to be trusted by Nextcloud
One of the proxies is the chain (probably 10.1.10.61) seems to have stripped the x-forwarded-for header
Please configure the reverse proxy at 10.1.10.61 to not strip the x-forwarded-for header
```

Web Browser

Not applicable. The issue is on the server side and with the occ command.

Web server / Reverse Proxy

Traefik logs show successful routing of /push requests to the notify_push container. The errors appear to be internal to the Nextcloud/notify_push application’s self-test.

Configuration

Nextcloud

The output of occ config:list system:

```json
{
    "system": {
        "overwritehost": "hub.fqdn.com",
        "overwriteprotocol": "https",
        "trusted_proxies": [
            "10.1.10.61",
            "172.16.200.0/24"
        ],
        "forwarded_for_headers": [
            "HTTP_CF_CONNECTING_IP",
            "HTTP_X_FORWARDED_FOR"
        ],
        "redis": {
            "host": "redis",
            "port": 6379,
            "dbindex": 0
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "trusted_domains": [
            "hub.fqdn.com"
        ],
        "notify_push_base_endpoint": "https://hub.fqdn.com/push"
    }
}
```

Apps

The notify_push app is installed and enabled via occ app:enable notify_push.

I added the NEXTCLOUD_URL: http://nextcloud (my service name) and it freakin worked!

```text
root@namwrk1004:~# docker exec --user www-data $(docker ps -q -f name=namhub_nextcloud | head -n1) php /var/www/html/occ notify_push:setup https://hub.fqdn.com/push
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved
```
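The failing self-test above and the NEXTCLOUD_URL fix both come down to the same question: given trusted_proxies and forwarded_for_headers, which hop does Nextcloud treat as the client? The Python below is an added illustration written for this thread, not Nextcloud's or notify_push's own code. It models the resolution rules in simplified form (assumption: forwarding headers are only honoured when REMOTE_ADDR is a trusted proxy, headers and their comma-separated hops are walked from the nearest hop backwards, trusted hops are skipped, and everything falls back to REMOTE_ADDR; bracketed IPv6 with ports is not handled) and runs them over the addresses from this thread, plus a constructed full Cloudflare-to-Traefik chain and a spoofing attempt from an untrusted peer.

```python
"""Simplified model of trusted-proxy client address resolution.

Added for this thread as an illustration; this is NOT Nextcloud's code.
The rules below are an assumption about how trusted_proxies and
forwarded_for_headers interact, kept close to what the self-test reports.
"""
import ipaddress
from typing import Iterable, Mapping


def is_trusted_proxy(trusted_proxies: Iterable[str], address: str) -> bool:
    """True if `address` matches one of the trusted proxies (plain IPs or CIDRs)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # malformed trusted_proxies entry: ignore it
    return False


def resolve_client_address(remote_addr: str, headers: Mapping[str, str],
                           trusted_proxies: Iterable[str],
                           forwarded_for_headers: Iterable[str]) -> str:
    """Return the address the server will treat as the real client.

    1. Forwarding headers are only honoured if the TCP peer (REMOTE_ADDR) is a
       trusted proxy; otherwise any client could inject a fake address.
    2. Headers are walked in reverse configuration order, and each comma-separated
       list from right to left, because the proxy nearest to us appended last.
    3. Trusted-proxy hops are skipped; the first untrusted, valid IP is the client.
    4. If every hop is trusted, or no header is present, fall back to REMOTE_ADDR,
       which is exactly what the failing self-test reported.
    """
    if not is_trusted_proxy(trusted_proxies, remote_addr):
        return remote_addr
    for header in reversed(list(forwarded_for_headers)):
        value = headers.get(header)
        if not value:
            continue
        for hop in reversed(value.split(",")):
            hop = hop.strip()
            if hop.count(":") == 1:  # IPv4 with a port suffix, e.g. 1.2.3.4:5678
                hop = hop.split(":", 1)[0]
            if is_trusted_proxy(trusted_proxies, hop):
                continue
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue  # garbage hop, keep looking
            return hop
    return remote_addr


# Values taken from the config:list output and self-test messages in this thread.
TRUSTED = ["10.1.10.61", "172.16.200.0/24"]
FF_HEADERS = ["HTTP_CF_CONNECTING_IP", "HTTP_X_FORWARDED_FOR"]


def failing_self_test() -> str:
    # Push server called the public URL; the hop at 10.1.10.61 replaced the
    # X-Forwarded-For chain, so the 1.2.3.4 test value never reached Nextcloud.
    return resolve_client_address("172.16.200.89",
                                  {"HTTP_X_FORWARDED_FOR": "10.1.10.61"},
                                  TRUSTED, FF_HEADERS)


def passing_self_test() -> str:
    # With NEXTCLOUD_URL=http://nextcloud the push server reaches Nextcloud
    # directly over the overlay network, and its own X-Forwarded-For survives.
    return resolve_client_address("172.16.200.89",
                                  {"HTTP_X_FORWARDED_FOR": "1.2.3.4"},
                                  TRUSTED, FF_HEADERS)


def spoof_from_untrusted_peer() -> str:
    # Constructed: a peer outside trusted_proxies cannot inject a client address.
    return resolve_client_address("203.0.113.7",
                                  {"HTTP_X_FORWARDED_FOR": "1.2.3.4"},
                                  TRUSTED, FF_HEADERS)


def cloudflare_chain() -> str:
    # Constructed: browser -> cloudflared (10.1.10.61) -> Traefik (172.16.200.5).
    headers = {"HTTP_CF_CONNECTING_IP": "198.51.100.23",
               "HTTP_X_FORWARDED_FOR": "198.51.100.23, 10.1.10.61"}
    return resolve_client_address("172.16.200.5", headers, TRUSTED, FF_HEADERS)


if __name__ == "__main__":
    print("failing self-test resolves to:", failing_self_test())
    print("passing self-test resolves to:", passing_self_test())
    print("untrusted peer resolves to:   ", spoof_from_untrusted_peer())
    print("full Cloudflare chain:        ", cloudflare_chain())
```

The design point worth keeping in mind: widening trusted_proxies (for example to a whole overlay subnet) is what makes the self-test pass, but it also means every container on that subnet can set the client address Nextcloud logs and rate-limits on, so keep the list as narrow as the deployment allows.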

12hrs gone, this passes now but still no external connection from clients… forging ahead… :-/

finally got it - updated the traefik routes, here is my working config snippet:

```yaml
notify_push:
  image: nextcloud:31.0.7
  user: www-data
  # Run the notify_push binary shipped with the app, reading the shared config.php
  entrypoint: /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php
  environment:
    # Talk to Nextcloud directly over the overlay network, not via Cloudflare/Traefik
    - NEXTCLOUD_URL=http://nextcloud
  networks:
    - hub
    - cloud-public
  depends_on:
    - nextcloud
    - redis
  volumes:
    - /var/data/hub/custom_apps:/var/www/html/custom_apps:ro
    - /var/data/hub/config:/var/www/html/config:ro
  deploy:
    replicas: 1
    restart_policy:
      condition: any
      delay: 10s
    mode: replicated
    placement:
      constraints:
        - "node.role == worker"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=cloud-public"
      - "traefik.constraint-label=cloud-public"
      # Middleware to rewrite /push and /push/ws to the backend /ws endpoint
      # ($$ is how a literal $ is written in a stack file)
      - "traefik.http.middlewares.hub-push-rewrite.replacepathregex.regex=^/push(/ws)?$$"
      - "traefik.http.middlewares.hub-push-rewrite.replacepathregex.replacement=/ws"
      # Router
      - "traefik.http.routers.hub-push-secure.rule=Host(`hub.fqdn.com`) && PathPrefix(`/push`)"
      - "traefik.http.routers.hub-push-secure.priority=15"
      - "traefik.http.routers.hub-push-secure.entrypoints=https"
      - "traefik.http.routers.hub-push-secure.tls=true"
      - "traefik.http.routers.hub-push-secure.tls.certresolver=main"
      # Must reference the service name defined below
      - "traefik.http.routers.hub-push-secure.service=hub-push-svc"
      # Apply the new middleware
      - "traefik.http.routers.hub-push-secure.middlewares=hub-push-rewrite"
      # Service
      - "traefik.http.services.hub-push-svc.loadbalancer.server.port=7867"
```

problem solved, onto hpb :slight_smile:
