What does `allow_local_remote_servers` do?

Nextcloud version (eg, 20.0.5): 28.0.4
Operating system and version (eg, Ubuntu 20.04): Debian 12
Apache or nginx version (eg, Apache 2.4.25): nginx 1.22.1
PHP version (eg, 7.4): 8.2

I just want to know what the server config option allow_local_remote_servers actually does. I had to set it to true to not encounter the error LocalServerException Host violates local access rules while adding my OpenID Connect provider.

I have a containerized setup using systemd-nspawn but it should be similar to an LXC setup, maybe even a VM setup. My Nextcloud runs behind a reverse proxy (nginx). The reverse proxy and Nextcloud each run in separate containers. Nextcloud is served by an nginx / php-fpm setup.

My OpenID Connect provider is Keycloak, which also runs in its own container on the same physical machine.

Because of how routing does and does not work, I edited the /etc/hosts of the Nextcloud container to resolve the OIDC provider's DNS name to its local address, which IMHO should be sufficient to make it work. But Nextcloud seems to think differently.

The description of the config option allow_local_remote_servers mentions “remote servers with local addresses” which I first understood as “other servers with addresses like keycloak.local” but it seems more like a check if the resolved IP address falls into a range defined as a private network. If so, could you just add the two letters “IP” into the config option’s description to clarify?

I am following this guide and it only mentions the config option in the context of unsecure http connections, which in conjunction with the debug option might be totally correct in the scope of that guide. But from reading the description of both options I wouldn't have guessed a private network range check.

I agree that some further context would be helpful in the docs for this one. The dev docs are here for apps that use it outside of the Nextcloud HTTP client.

It checks both any host names specified and any IP addresses specified… whenever Nextcloud Server itself is acting as the client.

  • The underlying implementation is here.
    • The HostnameClassifier (including the TLDs/etc)
    • The IPAddressClassifier
      • Note: Don’t get confused and assume the IP ranges are the LOCAL_ADDRESS_RANGES defined there; those ones are in addition to the ones handled by the filter flags in PHP’s validator for the traditional private IP ranges

As an aside, there are some scenarios where local connections are permitted even without enabling allow_local_remote_servers globally. These are done within the specific code paths or apps where this is deemed acceptable. I can think of a couple off-hand:

  • Previews (for Imaginary)
  • some of the setup checks

And I think some apps have their own settings too (CalDAV?).

I’m not familiar enough with the user_oidc app internals to know whether any scenario like those might be relevant here (to avoid having to enable allow_local_remote_servers globally).

EDIT: Created Documentation repo issue to track: Expand description of `allow_local_remote_servers` · Issue #11749 · nextcloud/documentation · GitHub

2 Likes
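An illustration of the kind of check described in the reply above, added here as an example (it is not Nextcloud's code and not part of the original posts): a target counts as local either because of its host name or because the address it resolves to falls in a private or reserved range, which is why an /etc/hosts entry pointing at a container address trips it. The TLD list, the extra range, the function names and the sample hosts are assumptions made for the illustration.

```php
<?php
// Illustrative values (assumptions for this example, not Nextcloud's lists).
const LOCAL_TLDS = ['local', 'localhost', 'internal', 'lan'];
const EXTRA_LOCAL_RANGE = '100.64.0.0/10'; // shared address space, RFC 6598

function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4: the extra range here is IPv4 only
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isLocalIp(string $ip): bool
{
    // filter_var() returns false for private/reserved ranges and for invalid
    // input, so anything that is not a valid public address counts as local.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return true;
    }
    // Ranges checked in addition to what the filter flags cover.
    return ipv4InCidr($ip, EXTRA_LOCAL_RANGE);
}

function isLocalHostname(string $host): bool
{
    $host = strtolower(rtrim($host, '.'));
    $dot = strrpos($host, '.');
    // Single-label names ("keycloak") and names under a local-looking TLD.
    return $dot === false || in_array(substr($host, $dot + 1), LOCAL_TLDS, true);
}

// Constructed sample: name => address it resolves to on the Nextcloud host
// (for example through an /etc/hosts entry). All values are made up.
$resolved = [
    'keycloak.example.com' => '10.0.3.12',
    'keycloak.local'       => '198.51.100.7',
    'sso.example.net'      => '100.64.1.20',
    'idp.example.org'      => '198.51.100.7',
];
foreach ($resolved as $host => $ip) {
    $local = isLocalHostname($host) || isLocalIp($ip);
    printf("%-22s %-14s %s\n", $host, $ip, $local ? 'local' : 'not local');
}
```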
