Why is my remote IP `127.0.0.1`?

asavageiv · June 17, 2025, 11:40am

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 31.0.5
Operating system and version (e.g., Ubuntu 24.04):
- Debian 12
Web server and version (e.g, Apache 2.4.25):
- Apache/2.4.63
Reverse proxy and version _(e.g. nginx 1.27.2)
- replace me
PHP version (e.g, 8.3):
- 8.3.21
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- After configuring trusted_proxies with my reverse proxy’s IP
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- Nextcloud AIO 11.0
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

/settings/admin/security and that logs are showing my remote IP as 127.0.0.1 leading to some throttling.

Before it showed the Tailnet IP of my reverse proxy, so I configured trusted_proxies 2 to include that IP per ip.address.that.is.shown in the all-in-one issue#2045:

asavage@ifrit:~/docker/nextcloud$ sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:get trusted_proxies 
127.0.0.1
::1
172.19.0.0/16
100.125.169.125

I have a Caddy reverse proxy on a separate server:

https://nc.redacteddomain.me:443 {
	reverse_proxy 100.113.236.81:11000
}

IPV6 is disabled everywhere.

I don’t think Caddy is misconfigured because my Jellyfin server uses the same reverse proxy and detects the client IP correctly.

Is there something to configure in Apache to debug this further? I can’t edit the config file there because it’s on a read-only filesystem in Nextcloud AIO

Steps to replicate it (hint: details matter!):

Log entries

Nextcloud

Example log entry showing the wrong remote IP

gist.github.com

https://gist.github.com/asavageiv/fa098449285ebb07cf99ebc5f13458ff

gistfile1.txt

{"reqId":"EUAiHI4lmyoLVq23XHFv","level":1,"time":"2025-06-17T11:12:20+00:00","remoteAddr":"127.0.0.1","user":"--","app":"core","method":"POST","url":"/login","message":"Bruteforce attempt from \"127.0.0.1\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0","version":"31.0.5.1","data":{"app":"core"},"id":"68514d9ccc031"}

Web server / Reverse Proxy

Reverse proxy detects the remote_ip correctly:

gist.github.com

https://gist.github.com/asavageiv/7e5de98676fd19ebd82bfd371b909dc1

gistfile1.txt

{
  "level": "info",
  "ts": 1750120325.1630583,
  "logger": "http.log.access.log0",
  "msg": "handled request",
  "request": {
    "remote_ip": "98.97.24.206",
    "remote_port": "33634",
    "proto": "HTTP/2.0",
    "method": "GET",

This file has been truncated. show original

The output of your Apache/nginx/system log in /var/log/____:
docker log nextcloud-aio-apache:

gist.github.com

https://gist.github.com/asavageiv/016009c81335ed256b24d64d7577f8e2

gistfile1.txt

sudo docker logs nextcloud-aio-apache
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Connection to nextcloud-aio-nextcloud (172.19.0.7) 9000 port [tcp/*] succeeded!
{"level":"info","ts":1750154703.4365058,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}

This file has been truncated. show original

I’m not sure how to get the access logs of the AIO Apache with headers. If anyone knows that would help debug things.

Configuration

Nextcloud

gist.github.com

https://gist.github.com/asavageiv/00fb67bd215ec3a4d9bc40a653da31f2

gistfile1.txt

sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:list system
{
    "system": {
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",

This file has been truncated. show original

Apps

The output of occ app:list (if possible).

gist.github.com

https://gist.github.com/asavageiv/b5d47a3a5fc1aebf3f6eeb69fad5e9b9

gistfile1.txt

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.2
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.1.3
  - contactsinteraction: 1.12.0

This file has been truncated. show original

asavageiv · June 17, 2025, 11:45am

Caddy 2.6.2

Sorry I can’t edit the post. I get an error saying new users can’t post more than 4 links.

asavageiv · June 17, 2025, 1:12pm

I used tcpdump to inspect the traffic on the nextcloud-aio network.

I see requests going from my reverse proxy to the http server with this:

X-Forwarded-For: 98.97.25.71
X-Forwarded-Host: nc.redacteddomain.me
X-Forwarded-Proto: https

So it looks like the headers are correctly being set because 98.97.25.71 was my correct IP at the time.

asavageiv · June 17, 2025, 1:52pm

Just tried a fully clean install and I get the same behavior.

wwe · June 17, 2025, 8:07pm

Hello @asavageiv,

welcome to the Nextcloud community!

please review 101: reverse proxy
aio has some specialties as well - see AiO reverse proxy

jtr · June 17, 2025, 9:51pm

Before spending more time on this, consider upgrading Caddy. This is a very old release with known bugs (See Releases).

Can you post your Compose file?

Also see On the same server in a Docker container (you’ll have to expand it to see the different scenarios).

At least I’m not misunderstanding your topology.

What is the below IP address? Are you not using the Docker IP for some reason?

asavageiv · June 17, 2025, 11:41pm

Thanks @wwe and @jtr.

I think I figured out the problem. Nextcloud AIO has its own Caddy in the nextcloud-aio-apache container that acts as a reverse proxy to all the Nextcloud servers within the docker network. That Caddy has its trusted_proxies configured independently from the Nextcloud configuration in all-in-one/Containers/apache/start.sh

I was able to use the shell in nextcloud-aio-apache to modify the Caddyfile to include my reverse proxy’s internal IP, reload that config, and see that the problem goes away.

I think that when the reverse proxy is running on a different server, we need a way to configure trusted_proxies for both Nextcloud server and the nextcloud-aio-apache Caddy instance. Alternatively, I can insert another reverse proxy into the same docker network that trusts my reverse proxy’s IP into the chain, but I don’t like that solution much.

I also posted about it in a question on the all-in-one github

@jtr thanks for the pointer about the old Caddy. It is the default in the Debian 12 bookworm repository and isn’t even going to be upgraded much in Debian 13! I will look into upgrading it.

To reiterate a bit. My topology is on a different server from the reverse-proxy documentation.