Trusted proxy setting not seeming to apply in docker

On my administration overview page it says “You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this”

That is correct. I am using a docker nextcloud container and a nginx container as a proxy. If I go to the page it links to it basically says to set up a trusted_proxies. I have done that already. If I check trusted proxies I see it listed.

$ docker exec --user www-data nextcloud-app-1 php occ config:system:get trusted_proxies 
nextcloud-proxy-1

I double checked and that is the name of my proxy container.

Thank you.

config.php in case that is helpful.

<?php 
$CONFIG = array ( 
 'htaccess.RewriteBase' => '/', 
 'memcache.local' => '\\OC\\Memcache\\APCu', 
 'apps_paths' =>  
 array ( 
   0 =>  
   array ( 
     'path' => '/var/www/html/apps', 
     'url' => '/apps', 
     'writable' => false, 
   ), 
   1 =>  
   array ( 
     'path' => '/var/www/html/custom_apps', 
     'url' => '/custom_apps', 
     'writable' => true, 
   ), 
 ), 
 'memcache.distributed' => '\\OC\\Memcache\\Redis', 
 'memcache.locking' => '\\OC\\Memcache\\Redis', 
 'redis' =>  
 array ( 
   'host' => 'redis', 
   'password' => '', 
   'port' => 6379, 
 ), 
 'trusted_proxies' =>  
 array ( 
   0 => 'nextcloud-proxy-1', 
 ), 
 'instanceid' => '[some random letters]', 
 'passwordsalt' => '[some more random letters]', 
 'secret' => '[lots of random letters]', 
 'trusted_domains' =>  
 array ( 
   0 => '[my domain name in the format aaaa.bbbbbb.com]', 
 ), 
 'datadirectory' => '/srv/nextcloud/data', 
 'dbtype' => 'mysql', 
 'version' => '26.0.0.11', 
 'overwrite.cli.url' => 'http://[my domain name in the format aaaa.bbbbbb.com]', 
 'dbname' => 'nextcloud', 
 'dbhost' => 'db', 
 'dbport' => '', 
 'dbtableprefix' => 'oc_', 
 'mysql.utf8mb4' => true, 
 'dbuser' => 'nextcloud', 
 'dbpassword' => '[some random letters]', 
 'installed' => true, 
 'maintenance' => false, 
 'loglevel' => 2, 
 'mail_smtpmode' => 'smtp', 
 'mail_smtpauth' => 1, 
 'mail_sendmailmode' => 'smtp', 
 'mail_from_address' => '[some not so random letters]', 
 'mail_domain' => '[some popular mail domain].com', 
 'mail_smtphost' => 'smtp.[some popular mail domain].com', 
 'mail_smtpport' => '587', 
 'mail_smtpname' => '[my email]', 
 'mail_smtppassword' => '[some random letters]', 
);

Hrm… That seems like it should work. I don’t have a good reference because I don’t run a dockerized proxy.

Could you get the docker network IP of the proxy container and add it as a trusted proxy just to see if that does it?

Actually I just checked the docs and it says this is supposed to be IPs. It may not work with hostnames.

I think you can set a static docker network address for the reverse proxy so it won’t move on you.

I used occ to add the ip address as a proxy and it shows up in the config file but not when I use “occ config:system:get trusted_proxies”. Is there something I need to do to apply changes?

Config now has:

  array (
    0 => 'nextcloud-proxy-1',
    1 => '172.28.0.4',
  ),

This does not seem to have helped.

I would recommend you to add overwriteprotocol and overwritehost parameters as well - only overwrite.cli.url is not sufficient…

You might find this guide useful: Apache Docker behind reverse proxy

Thanks @wwe, I used occ to add overwriteprotocol, overwritehost, and overwritecondaddr. Like so:

  'overwriteprotocol' => 'https',
  'overwritehost' => 'my.domain.com',
  'overwritecondaddr' => '^172\.28\.0\.4$',

That fixed the error on the administration overview page. I was also looking at another issue where the NextCloud log is showing the proxy address. It did not fix that. I then went and changed overwritecondaddr to my host name (nextcloud-proxy-1). Still worked. I deleted it and it still worked. overwritecondaddr was not needed for my set up! So now my config looks something like this:

...
  'overwriteprotocol' => 'https',
  'overwritehost' => 'my.domain.com',
);

I also updated my docker-compose.yml with:

      - OVERWRITEPROTOCOL=https
      - OVERWRITEHOST=my.domain.com

Hopefully that will make it work next time I have to restart it.

Thanks for your help.

P.S. I am also looking for ideas on how to fix the ip address in the log file.
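
Added example, not part of the thread and not Nextcloud's own code: a generic Python model of how a trusted-proxy list is commonly applied, assuming entries are compared as IPs or CIDR ranges against the connection's peer address (the thread notes the docs expect IPs). The function names, the use of X-Forwarded-For and the client address 203.0.113.7 are assumptions; 172.28.0.4 is the proxy address quoted above.

```python
import ipaddress

def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if the socket peer address falls inside a trusted IP/CIDR entry."""
    peer = ipaddress.ip_address(remote_addr)
    for entry in trusted_proxies:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP or CIDR (e.g. a container name). In this model the
            # entry is never resolved, so it can never equal a peer address.
            continue
        if peer in net:
            return True
    return False

def client_address(remote_addr, headers, trusted_proxies):
    """Address a server would log or rate-limit on for one request."""
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        # Peer is not a known proxy: forwarded headers are client-controlled
        # input and are ignored.
        return remote_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the right-most hop was appended by our own proxy,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, trusted_proxies):
                return hop
        except ValueError:
            break  # malformed hop: stop trusting the header
    return remote_addr

if __name__ == "__main__":
    # Constructed request: proxy container at 172.28.0.4 forwards a client.
    hdrs = {"X-Forwarded-For": "203.0.113.7"}
    for proxies in (["nextcloud-proxy-1"], ["nextcloud-proxy-1", "172.28.0.4"]):
        print(proxies, "->", client_address("172.28.0.4", hdrs, proxies))
```

With only the container name in the list, the model reports the proxy's own address; with the proxy's IP (or the Docker subnet in CIDR form) listed, it reports the forwarded client address.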