Nextcloud takes the remote ip of the proxy as remote address

[Crocmagnon]

I'm facing the same issue as many here apparently. I'm getting throttled on the login page because Nextcloud sees the proxy as the remote address and doesn't seem to use X-Forwarded-For or X-Real-IP set by my reverse proxy.

I'm running nextcloud:apache behind nginx-proxy-manager. I confirmed that nginx-proxy-manager sets valid values for both X-Forwarded-For and X-Real-IP:

proxy_set_header X-Forwarded-For    $remote_addr;
proxy_set_header X-Real-IP          $remote_addr;

However, apache or nextcloud seem to ignore that.

Here's my nextcloud env:

NEXTCLOUD_TRUSTED_DOMAINS=cloud.example.com (my real domain)

OVERWRITEHOST=cloud.example.com (my real domain)
OVERWRITEPROTOCOL=https
TRUSTED_PROXIES=nginx-proxy-manager_app_1

I tinkered with APACHE_DISABLE_REWRITE_IP but setting it to 1 didn't help.

Here's also my config.php, edited to remove the noise and with my domain replaced by cloud.example.com:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
    1 => 'nextcloud_nextcloud_1',
  ),
  'datadirectory' => '/var/www/html/data',
  'version' => '21.0.0.18',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'installed' => true,
  'overwritehost' => 'cloud.example.com',
  'overwriteprotocol' => 'https',
  'trusted_proxies' =>
  array (
	  0 => 'nginx-proxy-manager_app_1',
	  1 => '172.16.0.0/12',
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_X_REAL_IP',
  ),
);

I don't fully understand the request flow inside the nextcloud container, the only thing I'm sure of is that the request comes in with both X-Forwarded-For and X-Real-IP set to sensible values and that somehow it gets lost somewhere.

I've spent really too much time tracking this issue already and I'm out of ideas. Could someone please help me debug this setup?

Thanks a lot! 🙏🏻

[schklom]

I have traefik instead of nginx, but assuming the request is similar, this could be something to check for your configuration.

When looking at my request going through traefik, the only place the wrong IP can come from is ForwardURL. It's not a header.

Can you define this variable and assign it the ip ? See how it goes, maybe it will work :)

Good luck

[schklom]

Update:

I have reinstalled Nextcloud on Docker, am using Traefik as reverse-proxy, and did NOT pass any of these environment arguments: TRUSTED_PROXIES OVERWRITEPROTOCOL OVERWRITEHOST.
The IP is reported correctly now in the log.
I have specified a private IP range for all my subnets in the Docker /etc/docker/daemon.json because some other image didn't work well with default random IP addresses

{
  "default-address-pools": [
    {
      "base": "192.168.0.0/16",
      "size": 24
    }
  ],
}

https://github.com/nextcloud/docker/ says

The apache image will replace the remote addr (ip address visible to Nextcloud) with the ip address from X-Real-IP if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default.

Edit:
Specifying TRUSTED_PROXIES will get rid of a warning in Nextcloud, I don't think it changes anything else.

[fuomag9]

I have the same config as @Crocmagnon and tried the same things (but I'm using caddy) and nothing worked. In various posts on the nextcloud forum/github issues a lot of people are editing apache config files directly, so there's indeed something wrong with apache and not the reverse proxies themselves.

[joshtrichards]

Duplicate of #1103 and fixed by #2004.