Nextcloud version (eg, 20.0.5): 28.0.4
Operating system and version (eg, Ubuntu 20.04): FreeBSD 13.3-RELEASE-p1 GENERIC amd64
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4
PHP version (eg, 7.4): PHP 8.2
The issue you are facing:
The security check in the console produces the following warning:
The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.
The web host where Nextcloud is installed puts the client IP in REMOTE_ADDR and says that no header should be consulted instead. An excerpt from their doc explaining this:
… we overwrite REMOTE_ADDR with the “who is this forwarded for” source IP information provided by the reverse proxy…
Let’s say your client IP address is 1.2.3.4, and you’re going through a proxy with the IP address 5.6.7.8. Normally, your REMOTE_ADDR value would be “5.6.7.8” and the information about your real IP address would be lost. [In our case], your REMOTE_ADDR value would be “1.2.3.4, 5.6.7.8” instead…
They don’t keep a list of proxy IP addresses that I can specify in the trusted_proxies config parameter.
Does this explain the above security alert in the console?
Is there a way to configure Nextcloud so that it gets what it needs in this setup, so as not to report a false security alert?
Is this the first time you’ve seen this error? (Y/N): N
Steps to replicate it:
In the admin console, go to Administration Settings > Overview. The warning appears when the security check completes.
The output of your Nextcloud log in Admin > Logging:
NA
The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => '<redacted>',
  'passwordsalt' => '<redacted>',
  'secret' => '<redacted>',
  'trusted_domains' =>
  array (
    0 => 'www.example.com',
  ),
  'datadirectory' => '<redacted>',
  'tempdirectory' => '<redacted>',
  'log_type' => 'file',
  'logfile' => '<redacted>',
  'logfilemode' => 432,
  'loglevel' => 1,
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'log_rotate_size' => 10485760,
  'debug' => false,
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'overwrite.cli.url' => 'https://www.example.com',
  'htaccess.RewriteBase' => '/nextcloud',
  'dbname' => '<redacted>',
  'dbhost' => '<redacted>',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '<redacted>',
  'dbpassword' => '<redacted>',
  'installed' => true,
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpdebug' => false,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => '127.0.0.1',
  'mail_smtpport' => '25',
  'mail_smtptimeout' => 10,
  'default_phone_region' => 'US',
  'trashbin_retention_obligation' => 'auto, 30',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
    0 => '<redacted>',
    1 => '<redacted>',
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'maintenance' => false,
  'has_rebuilt_cache' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'theme' => '',
  'mail_from_address' => 'admin',
  'mail_domain' => '<redacted>',
);
The output of your Apache/nginx/system log in /var/log/____:
NA
Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
NA
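The host's "1.2.3.4, 5.6.7.8" REMOTE_ADDR value quoted in the post is a proxy chain, and the warning is about what an application does with such a chain when it has no list of trusted proxies. The following is an added example, not code from the post, from the host, or from Nextcloud, written in Python rather than PHP so it can be run anywhere. It shows why walking the chain from the right and skipping only addresses in a configured trusted-proxy list is the safe way to attribute a request: the leftmost entry can be supplied by whoever originated the request, so believing it unconditionally is exactly the spoofing the warning describes, while having no trusted-proxy list at all leaves you with the proxy's address instead of the client's. All function names and sample addresses are constructed for illustration.

```python
# Added example (not from the post or from Nextcloud): deriving a client IP
# from a comma-separated proxy chain such as "client, proxy1, proxy2".
# Function names and sample addresses are constructed for illustration.
import ipaddress
from typing import List, Optional


def parse_chain(value: str) -> List[str]:
    """Split "client, proxy1, proxy2" into hops, ordered left (client) to
    right (the hop that actually connected to us). Raises ValueError if any
    hop is not a valid IPv4/IPv6 address, so garbage never gets attributed."""
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in hops:
        ipaddress.ip_address(hop)  # validates; raises ValueError on junk
    return hops


def leftmost_client_ip(value: str) -> Optional[str]:
    """Naive approach: believe the leftmost entry unconditionally.
    Anyone who can add an entry at the front of the chain chooses the
    address this function reports."""
    hops = parse_chain(value)
    return hops[0] if hops else None


def trusted_client_ip(value: str, trusted_proxies: List[str]) -> Optional[str]:
    """Walk the chain from the right, skipping every address that belongs to
    a trusted proxy (single IPs or CIDR ranges). The first address that is
    not a trusted proxy is the peer the last trusted hop really saw, i.e. the
    client. Entries further left were asserted by untrusted parties and are
    ignored. If every hop is trusted, fall back to the leftmost entry."""
    hops = parse_chain(value)
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        # 'addr in net' is False across IPv4/IPv6 versions, so mixed chains work
        if not any(addr in net for net in nets):
            return hop
    return hops[0] if hops else None


if __name__ == "__main__":
    # Constructed chains: 1.2.3.4 is the real client, 5.6.7.8 the host's proxy.
    honest = "1.2.3.4, 5.6.7.8"
    # Same client, but the request arrived with a forged entry already at the
    # front of the chain, which the proxy dutifully appended its own view to.
    forged = "9.9.9.9, 1.2.3.4, 5.6.7.8"
    for chain in (honest, forged):
        print(f"{chain!r:>32}  leftmost={leftmost_client_ip(chain)}"
              f"  trusted(5.6.7.8)={trusted_client_ip(chain, ['5.6.7.8'])}"
              f"  no-trusted-list={trusted_client_ip(chain, [])}")
```

Running the block prints the three outcomes side by side: with 5.6.7.8 listed as a trusted proxy both chains resolve to 1.2.3.4; the naive leftmost rule reports the forged 9.9.9.9 for the second chain; and with an empty trusted-proxy list the safe rule can only return 5.6.7.8, the proxy itself. That last column is the poster's situation: without a proxy list the application must either trust forwarded information it cannot verify or lose the real client address, which is the trade-off the security check is flagging.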