Hello,
I just installed NextCloud on a new server.
It runs Ubuntu 22.04.3 LTS and I simply followed the setup manual found in the NextCloud documentation.
If did previously an attempt with the snap package directly provided during Ubuntu installation, but I got the same problem (and much more).
My server IP is 192.168.0.35 and it isn’t directly exposed to the internet.
I have a router ( public ip <=> 192.168.0.254 ) that hosts a small VM with another Ubuntu 22.04.3.
This second VM’s ip is 192.168.0.5
All the incomming trafic from the router is forwarded to this second VM that acts as a DMZ.
This VM runs apache2 as a reverse proxy.
Here is my ssl configuration of the reverse proxy (all HTTP trafic is redirected to HTTPS so no ssl config is pointless).
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.*****.com
ServerAlias cloud.*****.com
ServerAdmin administrator@*****.com
ProxyPreserveHost On
ProxyPass "/" "http://192.168.0.35/"
ProxyPassReverse "/" "http://192.168.0.35/"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/cloud.*****.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.*****.com/privkey.pem
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
</IfModule>
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-SSL on
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>
</VirtualHost>
</IfModule>
Now at the Nextcloud VM site, here are my config files :
<VirtualHost *:80>
DocumentRoot /var/www/nextcloud/
ServerName cloud.*****.com
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
And the config.php
<?php
$CONFIG = array (
'instanceid' => '*****',
'overwrite.cli.url' => 'https://cloud.*****.com/',
'htaccess.RewriteBase' => '/',
'passwordsalt' => '*****',
'secret' => '*****',
'trusted_domains' =>
array (
0 => 'cloud.*****.com',
),
'trusted_proxies' =>
array (
0 => '192.168.0.5', // ip of my reverse proxy
1 => '192.168.0.254', // ?? (local ip of my router)
2 => 'cloud.*****.com', // ?? (public DNS record that point to my public router's ip)
),
'datadirectory' => '/var/www/nextcloud/data',
'dbtype' => 'mysql',
'version' => '27.1.4.1',
'dbname' => '*****',
'dbhost' => 'localhost',
'dbport' => '*****',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => '*****',
'dbpassword' => '*****',
'installed' => true,
'mail_from_address' => '*****',
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'mail_domain' => '*****',
'mail_smtpauth' => 1,
'mail_smtphost' => '*****',
'mail_smtpport' => '*****',
'mail_smtpname' => '*****',
'mail_smtppassword' => '*****',
'default_phone_region' => 'FR',
'redis' => [
'host' => 'localhost',
'port' => 6379,
'password' => '*****',
],
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\APCu',
);
Now the problem.
When I connect to my public address https://cloud.*****.com from internet, then of to the overview page, I see no warning (fine).
But when I connect to the same address from a computer that is in the local network (let’s say 192.168.0.14), I see this warning :
- Votre adresse réseau a été identifiée comme « 192.168.0.5 » et elle est bridée par le mécanisme anti-intrusion ce qui ralentit la performance de certaines requêtes. Si cette adresse réseau n’est pas la vôtre, cela peut signifier qu’il y a une erreur de configuration d’un proxy. Vous trouverez plus d’informations dans la documentation
.
- La configuration des entêtes du reverse proxy est incorrecte, ou vous accédez à Nextcloud depuis un proxy de confiance. Si ce n’est pas le cas, c’est un problème de sécurité, qui peut permettre à un attaquant d’usurper l’adresse IP affichée à Nextcloud. Plus d’information peuvent être trouvées dans la documentation
I already set up the trusted_proxies entry, and I can’t figure what I miss.
Any suggestion?