"The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy"

ℹ️ Support
,
1
Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 24.0.1 and 23.0.4
Operating system and version (eg, Ubuntu 20.04): FreeBSD 13.1, in a jail under TrueNAS CORE 13.0
Apache or nginx version (eg, Apache 2.4.25): Caddy 2.5.1
PHP version (eg, 7.4): 8.0.18

The issue you are facing:
After installing Nextcloud using my script (GitHub - danb35/freenas-iocage-nextcloud: Script to create an iocage jail on FreeNAS for the latest Nextcloud 23 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt), I get this warning on the Admin overview page: " The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation :arrow_upper_right:." But I’m not using a reverse proxy. I get the same warning under NC 24.0.1 and 23.0.4.

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Install Nextcloud using the script linked above
  2. Log in as Admin
  3. Browse to Settings → Administration → Overview

The output of your Nextcloud log in Admin > Logging:

[index] Error: OCP\Files\NotPermittedException: Could not create folder at <<closure>>

 0. /usr/local/www/nextcloud/lib/private/Files/AppData/AppData.php line 156
    OC\Files\Node\Folder->newFolder("core")
 1. /usr/local/www/nextcloud/lib/private/Template/SCSSCacher.php line 151
    OC\Files\AppData\AppData->newFolder("core")
 2. /usr/local/www/nextcloud/lib/private/Template/CSSResourceLocator.php line 109
    OC\Template\SCSSCacher->process("/usr/local/www/nextcloud", "core/css/server.scss", "core")
 3. /usr/local/www/nextcloud/lib/private/Template/CSSResourceLocator.php line 61
    OC\Template\CSSResourceLocator->cacheAndAppendScssIfExist("/usr/local/www/nextcloud", "core/css/server.scss")
 4. /usr/local/www/nextcloud/lib/private/Template/ResourceLocator.php line 78
    OC\Template\CSSResourceLocator->doFind("css/server")
 5. /usr/local/www/nextcloud/lib/private/TemplateLayout.php line 342
    OC\Template\ResourceLocator->find(["css/server","c ... "])
 6. /usr/local/www/nextcloud/lib/private/TemplateLayout.php line 250
    OC\TemplateLayout::findStylesheetFiles(["css/server","c ... "])
 7. /usr/local/www/nextcloud/lib/private/legacy/OC_Template.php line 185
    OC\TemplateLayout->__construct("guest", "core")
 8. /usr/local/www/nextcloud/lib/public/AppFramework/Http/TemplateResponse.php line 204
    OC_Template->fetchPage([])
 9. /usr/local/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 178
    OCP\AppFramework\Http\TemplateResponse->render()
10. /usr/local/www/nextcloud/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Theming\Controller\IconController {}, "getFavicon")
11. /usr/local/www/nextcloud/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main("OCA\\Theming\\C ... r", "getFavicon", OC\AppFramework\ ... {}, {app: "core",_ro ... "})
12. /usr/local/www/nextcloud/lib/base.php line 1023
    OC\Route\Router->match("/apps/theming/favicon")
13. /usr/local/www/nextcloud/index.php line 36
    OC::handleRequest()

GET /apps/theming/favicon?v=0
from 192.168.1.197 at 2022-05-19T09:07:58-04:00

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '(redacted)',
  'secret' => '(redacted)',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud2.familybrown.org',
    2 => '192.168.1.24',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '24.0.1.1',
  'overwrite.cli.url' => 'https://cloud2.familybrown.org/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '(redacted)',
  'installed' => true,
  'instanceid' => '(redacted)',
  'logtimezone' => 'America/New_York',
  'default_phone_region' => 'US',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwritehost' => 'cloud2.familybrown.org',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
);

The output of your Apache/nginx/system log in /var/log/____:

root@nextcloud:/var/log/caddy # cat caddy.log
{"level":"info","ts":1652965334.8106313,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1652965334.8176813,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1652965334.8182654,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004b4ee0"}
{"level":"info","ts":1652965334.818409,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1652965334.8184984,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1652965334.8204741,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud2.familybrown.org"]}
{"level":"info","ts":1652965334.820527,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/db/caddy/data/caddy"}
{"level":"info","ts":1652965334.8207524,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1652965334.821148,"msg":"autosaved config (load with --resume flag)","file":"/var/db/caddy/config/caddy/autosave.json"}
{"level":"info","ts":1652965334.8211808,"msg":"serving initial configuration"}
{"level":"info","ts":1652965334.8220444,"logger":"tls.obtain","msg":"acquiring lock","identifier":"cloud2.familybrown.org"}
Successfully started Caddy (pid=35348) - Caddy is running in the background
{"level":"info","ts":1652965334.8241687,"logger":"tls.obtain","msg":"lock acquired","identifier":"cloud2.familybrown.org"}
{"level":"info","ts":1652965335.4741251,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cloud2.familybrown.org"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"admin@familybrown.org"}
{"level":"info","ts":1652965335.4741943,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cloud2.familybrown.org"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"admin@familybrown.org"}
{"level":"info","ts":1652965335.6600635,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cloud2.familybrown.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1652965353.6858287,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/54619094/2618927764"}
{"level":"info","ts":1652965353.9976594,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa53db01748684ab4e3085fa6118b078d908"}
{"level":"info","ts":1652965353.9991157,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"cloud2.familybrown.org"}
{"level":"info","ts":1652965353.999216,"logger":"tls.obtain","msg":"releasing lock","identifier":"cloud2.familybrown.org"}

grep error cloud2.familybrown.org.log
{"level":"error","ts":1652965803.6621284,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.1.197","remote_port":"62395","proto":"HTTP/2.0","method":"GET","host":"cloud2.familybrown.org","uri":"/index.php/.well-known/webfinger","headers":{"Requesttoken":["ADnvutDEXq6gCdQF9rfIYT5rixsXuujXX1SktNTBsvw=:Qw6u+KS0H52ZfbhcrPGAL2ddw2tz4Jn4Fi7H7r6W06U="],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"],"X-Requested-With":["XMLHttpRequest"],"Cookie":[],"Accept-Language":["en-US,en;q=0.5"],"Dnt":["1"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Site":["same-origin"],"Sec-Gpc":["1"],"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br"],"Ocs-Apirequest":["true"],"Sec-Fetch-Mode":["cors"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud2.familybrown.org"}},"user_id":"","duration":0.090698167,"size":37,"status":404,"resp_headers":{"Content-Length":["37"],"Content-Type":["application/json; charset=utf-8"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"],"Cache-Control":["no-cache, no-store, must-revalidate"],"X-Request-Id":["OLNdEHVOwc52TOrmoDC0"],"Server":["Caddy"],"X-Xss-Protection":["1; mode=block"],"Status":["404 Not Found"],"X-Content-Type-Options":["nosniff"],"X-Nextcloud-Well-Known":["1"],"X-Frame-Options":["SAMEORIGIN"],"Feature-Policy":["autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"X-Robots-Tag":["none"],"Referrer-Policy":["no-referrer"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Powered-By":["PHP/8.0.18"],"Pragma":["no-cache"]}}
{"level":"error","ts":1652965803.710651,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.1.197","remote_port":"62395","proto":"HTTP/2.0","method":"GET","host":"cloud2.familybrown.org","uri":"/index.php/.well-known/nodeinfo","headers":{"Accept-Encoding":["gzip, deflate, br"],"Requesttoken":["ADnvutDEXq6gCdQF9rfIYT5rixsXuujXX1SktNTBsvw=:Qw6u+KS0H52ZfbhcrPGAL2ddw2tz4Jn4Fi7H7r6W06U="],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0"],"Sec-Fetch-Dest":["empty"],"Accept":["*/*"],"Te":["trailers"],"Ocs-Apirequest":["true"],"X-Requested-With":["XMLHttpRequest"],"Dnt":["1"],"Cookie":[],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud2.familybrown.org"}},"user_id":"","duration":0.13907126,"size":36,"status":404,"resp_headers":{"X-Nextcloud-Well-Known":["1"],"Status":["404 Not Found"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Xss-Protection":["1; mode=block"],"Pragma":["no-cache"],"Referrer-Policy":["no-referrer"],"X-Powered-By":["PHP/8.0.18"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["36"],"Feature-Policy":["autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"],"X-Frame-Options":["SAMEORIGIN"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"],"X-Content-Type-Options":["nosniff"],"X-Request-Id":["wHgfcIGHGlGtxlWjhB8G"],"Server":["Caddy"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"X-Robots-Tag":["none"],"Cache-Control":["no-cache, no-store, must-revalidate"]}}

…and in case it’s relevant, the Caddyfile:

{
	# debug
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	email (redacted)
	# default_sni cloud2.familybrown.org
}

cloud2.familybrown.org {
	root * /usr/local/www/nextcloud
	file_server
	log {
		output file /var/log/cloud2.familybrown.org.log
	}

	php_fastcgi 127.0.0.1:9000 {
		env front_controller_active true
	}

	tls {
		dns cloudflare (redacted)
	}

	header {
		# enable HSTS
		# Strict-Transport-Security max-age=31536000;
	}

	# client support (e.g. os x calendar / contacts)
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	redir /.well-known/webfinger /index.php/.well-known/webfinger 301
	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}

	respond @forbidden 404
}
2

You need to add 172.64.0.0/13 to the ‘trusted_proxies’ in the config. This is a cloudflare IP range with the range of 172.64.0.0 - 172.71.255.255.

<?php
$CONFIG = array (
   'trusted_proxies' => ['172.64.0.0/13'],
);
1 Like
3

I’m not using Cloudflare or any other proxy (I only use Cloudflare for DNS); I’m accessing this installation directly on my LAN.

4

I used your script to set up an instance of nextcloud with cloudflare DNS. In my server logs I see access requests from cloudflare IPs. After adding the range to the whitelist the error cleared. It is most likely a cloudflare setting that is triggering this.

IP Ranges | Cloudflare

{"level":"error","ts":1659104065.2679772,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"172.70.130.122","remote_port":"22434"
5

Hello,
Adding the full list of IP addresses from https://www.cloudflare.com/ips-v4 in the config.php should fix it

<?php
$CONFIG = array (
  'trusted_proxies' => 
  array (
    '172.64.0.0/13',
    '173.245.48.0/20',
    '103.21.244.0/22', 
    '103.22.200.0/22',
    '103.31.4.0/22',
    '141.101.64.0/18',
    '108.162.192.0/18',
    '190.93.240.0/20',
    '188.114.96.0/20',
    '197.234.240.0/22',
    '198.41.128.0/17',
    '162.158.0.0/15',
    '104.16.0.0/13',
    '104.24.0.0/14',
    '131.0.72.0/22',
    ),
);
1 Like
6

Hey there, sorry for the necro. @zimans’s solution (see here) resolved this issue for me; just add 'trusted_proxies' => array('localhost'), to your config.php. I’m almost positive this will work for you @danb35 because I used your script to setup my Nextcloud jail.

Maybe this has something to do with TrueNAS using vnet to emulate the jail’s network interface? Mine was configured to use this by default.

7

That did indeed fix it; thanks for the pointer. I’ve updated the script to add this setting.

1 Like
8

thanks, this fix worked for me. i recently changed my reverse proxy from cloudflare tunnel to traefik. i still use CL but only for DNS entries. i appended the full list of IPs to my config.php and restarted my docker container. the following error has disappeared from my security & setup warnings page.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy.