Using other headers instead of X-Forwarded-For


The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.2.2
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 20.04.6 LTS
  • Web server and version (e.g., Apache 2.4.25):
    • Apache/2.4.41
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • N/A
  • PHP version (e.g., 8.3):
    • PHP 8.1.28
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • initially
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

Hi,
We have a Web Application Firewall in front of the Nextcloud server.
It adds an X-Forwarded-For header to requests with a wrong value, and Nextcloud can’t parse it. This is a bug which will be fixed in the next releases of the WAF.
There is an option to add custom headers on the WAF (e.g. HTTP_X_FORWARDED_FOR, X-Real-IP).
According to the manual, I added the following strings to config.php:

  'trusted_proxies' => array (
    0 => '10.10.0.10',
    1 => '10.10.10.20',
 ),
  'forwarded_for_headers' => array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'X-Real-IP',
 ),

The WAF adds these headers with the correct value, but in the Nextcloud log the client IP is the IP of the WAF, not the real client IP.

Please review the format for the option values as described in the Admin Manual. I think you’ll see what’s wrong:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#forwarded-for-headers

Hi, @jtr,
Now I have reduced those options to:

  'trusted_proxies' => ['10.10.10.20'],
  'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR'],

where 10.10.10.20 is the WAF IP address.
But I still see only the WAF address in the logs instead of the client IP.
I also tried to use the following options:

  'trusted_proxies' => '10.10.10.20',
  'forwarded_for_headers' => 'HTTP_X_FORWARDED_FOR',

But nothing changed.

You stated X-Forwarded-For is wrong with your WAF, but you said HTTP_X_FORWARDED_FOR is not? Are you sure?

The request header X-Forwarded-For: is contained in the HTTP_X_FORWARDED_FOR variable. That is how you reference that header in the config (and it is the default in Nextcloud already).

Which header do you actually want to use?

If you wanted to use, for example, the X-Real-IP: header, you’d reference it in the config as HTTP_X_REAL_IP.


Yeah sure.
It comes like

X-Forwarded-For: , 10.10.10.20

with a comma

X-Real-IP, for example

Now I have set the following option in the config file:

'forwarded_for_headers' => 'HTTP_X_REAL_IP',

This header arrives at Nextcloud with the correct client IP, but in the logs I see only the WAF IP

The forwarded_for_headers parameter expects an array for its value. You likely want the following:

'forwarded_for_headers' => ['HTTP_X_REAL_IP'],
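
An added illustration, not part of the thread and not Nextcloud's own code: a small Python model of the points made in the replies above (request header `X-Real-IP` is read from the server variable `HTTP_X_REAL_IP`, and both options must be arrays). The resolution order, the rule that headers are honoured only when the connecting peer is listed in `trusted_proxies`, the function names, and the client address 203.0.113.7 are assumptions made for the example.

```python
import ipaddress

# Constructed request as PHP would see it: the WAF (10.10.10.20) is the TCP peer.
SAMPLE_SERVER = {
    "REMOTE_ADDR": "10.10.10.20",
    "HTTP_X_FORWARDED_FOR": ", 10.10.10.20",   # malformed value quoted in the thread
    "HTTP_X_REAL_IP": "203.0.113.7",           # constructed client address
}

def server_key(header_name):
    """'X-Real-IP' request header -> 'HTTP_X_REAL_IP' server variable."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def is_trusted(ip, proxies):
    try:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in proxies)
    except ValueError:
        return False

def resolve_client_ip(server, config):
    """Return (ip, reason) for the address this model would log (assumed logic)."""
    remote = server.get("REMOTE_ADDR", "")
    proxies = config.get("trusted_proxies", [])
    headers = config.get("forwarded_for_headers", ["HTTP_X_FORWARDED_FOR"])
    if not isinstance(proxies, list) or not isinstance(headers, list):
        return remote, "option is not an array"
    if not is_trusted(remote, proxies):
        return remote, "peer is not a trusted proxy, headers ignored"
    for key in headers:
        for candidate in reversed(server.get(key, "").split(",")):
            candidate = candidate.strip()
            if is_trusted(candidate, proxies):
                continue  # skip the proxy's own address
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # empty or unparsable entry
            return candidate, "taken from " + key
    return remote, "no usable address in configured headers"

if __name__ == "__main__":
    for headers in (["HTTP_X_FORWARDED_FOR"], ["X-Real-IP"], "HTTP_X_REAL_IP",
                    [server_key("X-Real-IP")]):
        cfg = {"trusted_proxies": ["10.10.10.20"], "forwarded_for_headers": headers}
        print(headers, "->", resolve_client_ip(SAMPLE_SERVER, cfg))
```

In this model only the last variant yields the client address; the other three fall back to the WAF's address, each for a different reason that the second tuple element names.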

Hi,
I made the changes as you wrote:

  'trusted_proxies' => ['10.10.10.20'],
  'forwarded_for_headers' => ['HTTP_X_REAL_IP'],

But the real client IPs still do not appear

Please post the full parsed config (output of occ config:list system).

Also, what precisely do your setup checks and warnings say (Administration settings->Overview)?

Hi,
The config is below:

PHP Warning:  PHP Startup: smbclient: Unable to initialize module
Module compiled with module API=20190902
PHP    compiled with module API=20210902
These options need to match
 in Unknown on line 0
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloudclone.site.name",
            "10.10.10.30",
            "cloud.site.name"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_REAL_IP"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.2.2",
        "overwrite.cli.url": "https:\/\/cloudclone.site.name\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "remember_login_cookie_lifetime": "43200",
        "log_rotate_size": "0",
        "trashbin_retention_obligation": "auto, 60",
        "versions_retention_obligation": "auto, 180",
        "activity_expire_days": "120",
        "simpleSignUpLink.shown": false,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0.5,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "default_phone_region": "us",
        "logtimezone": "Europe\/Moscow",
        "htaccess.RewriteBase": "\/",
        "session_lifetime": "43200",
        "auto_logout": true,
        "share_folder": "\/Shared",
        "maintenance": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "allow_local_remote_servers": true,
        "loglevel": "2",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "csrf.disabled": true,
        "maintenance_window_start": 1,
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [
            "nextCloud"
        ],
        "twofactor_enforced_excluded_groups": []
    }
}

In the Security and Setup checks section there is only one notification, that PHP version 8.1 is no longer supported by Nextcloud 30. Could it be the reason for the issue?

PHP was updated to 8.3 but nothing changed