Warning in console: The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud

4slam · April 20, 2024, 12:52am

Nextcloud version (eg, 20.0.5): 28.0.4
Operating system and version (eg, Ubuntu 20.04): FreeBSD 13.3-RELEASE-p1 GENERIC amd64
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4
PHP version (eg, 7.4): PHP 8.2

The issue you are facing:
The security check in the console produces the following warning:

The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.

The web host where Nextcloud is installed puts the client IP in REMOTE_ADDR and says that no header should be consulted instead. An excerpt from their doc explaining this:

… we overwrite REMOTE_ADDR with the “who is this forwarded for” source IP information provided by the reverse proxy…

Let’s say your client IP address is 1.2.3.4, and you’re going through a proxy with the IP address 5.6.7.8. Normally, your REMOTE_ADDR value would be “5.6.7.8” and the information about your real IP address would be lost. [In our case], your REMOTE_ADDR value would be “1.2.3.4, 5.6.7.8” instead…

They don’t keep a list of proxy IP addresses that I can specify in the trusted_proxies config parameter.

Does this explain the above security alert in the console?

Is there a way to configure Nextcloud so that it gets what it needs in this setup, so as not to report a false security alert?

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

In the admin console, go to Administration Settings > Overview. The warning appears when the security check completes.

The output of your Nextcloud log in Admin > Logging:

NA

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '<redacted>',
  'passwordsalt' => '<redacted>',
  'secret' => '<redacted>',
  'trusted_domains' =>
  array (
    0 => 'www.example.com',
  ),
  'datadirectory' => '<redacted>',
  'tempdirectory' => '<redacted>',
  'log_type' => 'file',
  'logfile' => '<redacted>',
  'logfilemode' => 432,
  'loglevel' => 1,
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'log_rotate_size' => 10485760,
  'debug' => false,
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'overwrite.cli.url' => 'https://www.example.com',
  'htaccess.RewriteBase' => '/nextcloud',
  'dbname' => '<redacted>',
  'dbhost' => '<redacted>',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '<redacted>',
  'dbpassword' => '<redacted>',
  'installed' => true,
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpdebug' => false,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => '127.0.0.1',
  'mail_smtpport' => '25',
  'mail_smtptimeout' => 10,
  'default_phone_region' => 'US',
  'trashbin_retention_obligation' => 'auto, 30',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
    0 => '<redacted>',
    1 => '<redacted>',
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'maintenance' => false,
  'has_rebuilt_cache' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'theme' => '',
  'mail_from_address' => 'admin',
  'mail_domain' => '<redacted>',
);

The output of your Apache/nginx/system log in /var/log/____:

NA

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

NA

wwe · April 20, 2024, 8:32pm

You can consult Apache Docker behind reverse proxy for hints how to adopt Apache to use real IP.

this is a problem as if you don’t limit the header to “known good” trusted proxies everybody could spoof the originating IPs. There is no need to know exact IPs you can use IP ranges like 192.168.0.0/24

If you don’t care about spoofing you can provide the whole IPv4 range (but I’m not going to share the syntax to avoid “copy&paste admins” from adopting this insecure approach).

4slam · April 20, 2024, 11:23pm

If Nextcloud is behind one or more reverse-proxy servers controlled by the web host, wouldn’t all requests to Nextcloud go through only those proxy servers? These proxy servers, in this case, provide the originating client ID. IOW, doesn’t this setup ensure that Nextcloud will only receive the client ID from a trusted proxy, i.e., the web host’s, thus making it unnecessary for Nextcloud to check whether the client ID is from a trusted proxy?

Am I missing something?

wwe · April 21, 2024, 6:48am

Nextcloud should know the client IP. this IP is not visible directly in case the request comes from a reverse proxy. as client IP only exists on some header it could be added to an initial request by an attacker. for this reason you must specify which header your proxy uses and headers from which proxy Nextcloud trusts.