The reverse proxy header configuration is incorrect

NasKar · September 8, 2022, 1:51am

Nextcloud version (eg, 20.0.5): 20.0.4.1
Operating system and version (eg, Ubuntu 20.04): TrueNas 13U2
Apache or nginx version (eg, Apache 2.4.25): Caddy v2.4.6
PHP version (eg, 7.4): PHP 8.0.20

The issue you are facing:
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. From the Security & setup warnings page. Prior to reinstall I had the green check mark.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

I have a caddy reverse proxy in a truenas jail which is unchanged.
Deleted the nextcloud jail that uses the reverse proxy and reinstalled it.
Restored the previous data with a backup
Reset the admin password.
Everything is work but I’m getting the Reverse Proxy error

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '1gYQWugZz+k5Fi***********',
  'secret' => 'jzoxSWV9rGEdg3/y26m*************',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.mydomain.com',
    2 => '192.168.5.81',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XOZz**************',
  'installed' => true,
  'instanceid' => 'oc**********',
  'logtimezone' => 'America/New_York',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'htaccess.RewriteBase' => '/',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'email',
  'mail_domain' => 'gmail.com',
  'mail_smtpauth' => '1',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'email',
  'mail_smtppassword' => 'email pw',
  'mail_smtphost' => 'smtp.gmail.com',
  'maintenance' => false,
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.mydomain.com',
  'default_phone_region' => 'US',
  'overwrite.cli.url' => 'https://cloud.mydomain.com',
  'theme' => '',
  'data-fingerprint' => '2616c*******************',
);

chrissi55 · September 8, 2022, 9:14am

I can’t find any entry for your reverse proxy

like this

‘trusted_proxies’ =>
array (
0 => ‘LOCAL_IP-OF-YOUR-PROXY’,
1 => ‘localhost’,
2 => ‘DOMAIN(optional)’,
3 => ‘::1’,
),

in my config.php of the nextcloud root this is an option behind trusted_domains array

and have a look at this working example

https://www.c-rieger.de/nginx-reverse-proxy-nextcloud-≥-24/

NasKar · September 9, 2022, 12:24am

When I add those lines to the config.php I get an internal server error

  ‘trusted_proxies’ =>
  array (
    0 => ‘192.168.5.83’,
    1 => ‘localhost’,
    2 => ‘cloud.mydomain.com’,
    3 => ‘::1’,
  ),

wwe · September 9, 2022, 10:57am

most likely there is a syntax error in your change (maybe the tick’s are wrong from copy paste). please review the corresponding docs and try again:

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html

NasKar · September 9, 2022, 12:42pm

I manually typed it into the config.php and now the server works but I still get the same warning “The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy.”

wwe · September 9, 2022, 3:04pm

This means still something wrong with your request headers.
Please review reverse proxy docs and compare with others who reported this issue earlier.

j-ed · September 9, 2022, 6:57pm

@wwe Does a way exist to display the reverse proxy header which Nextcloud receives and complains about? It is like fishing in the dark without seeing the entry in question.

wwe · September 10, 2022, 6:49pm

definitely there is a way, the problem is you need to know your installation to know the right way. Nextcloud`s webserver (Apache or Nginx are common) has it’s logs - maybe you need to adopt verbosity, if you run Docker it might be stdout etc… the other side of the connection is reverse proxy if any (or browser if there is no reverse proxy) - it it can log the traffic and headers as as well - depending on your skills and config this might be easier to access and analyze…

bobpaul · February 23, 2024, 1:48pm

hol up. I understand what you’re saying (that whatever is being the reverse proxy could log the headers that it’s sending to nextcloud. But am I fundamentally misunderstanding how this works?

Request from IP → nextcloud.mydomain.tld (handled by reverse proxy) → proxy adds X-Forward-For header → mynextcloud instance sees the X-Forward-For header and is unhappy with the specific value that’s set.

You’re telling me nextcloud KNOWS the header value, it’s MAD ABOUT the header value it saw, but it’s UNABLE to tell me the header value? Seems like nextcloud should put a warning in its own request logs, like “WARN: X-Forward-For: 127.0.0.1,10.0.0.27,10.3.4.1 contains no trusted proxies”

wwe · February 23, 2024, 3:56pm

please familiarize yourself with the technology you are using.

the request comes from reverseproxy which in turn doesn’t access Nextcloud via its hostname nextcloud.mydomain.tld but maybe on an IP address… Nextcloud requires headers like overwrite* to know the destination of the initial request… but it only trust the this headers if the request comes from the “trusted proxy” (security->header poisoning). X-Forward-For contains original client IP address look for real-ip