Real IP address of visitors isn't passed on to app container

[flobeier]

I'm using the insecure php-fpm Docker setup with an nginx proxy in front of it. By default the real IP address of the visitors isn't passed on to the app container. Therefore internal IP addresses show up in the Nextcloud log files and the brute force protection won't work as it should.

I solved this by adding these lines to the nginx.conf:

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
[...]
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
}

Would there be any downside if we make this a default?
It seems like the apache based Docker setup also needs a tweak in that matter. See: #294

[godfuture]

This should be fixed in nc docker images, because --net=host is not meant as default.

[J0WI]

Closing in favor of #1103

[dlabanec]

I'm using the insecure php-fpm Docker setup with an nginx proxy in front of it. By default the real IP address of the visitors isn't passed on to the app container. Therefore internal IP addresses show up in the Nextcloud log files and the brute force protection won't work as it should.

I solved this by adding these lines to the nginx.conf:

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
[...]
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
}

Would there be any downside if we make this a default? It seems like the apache based Docker setup also needs a tweak in that matter. See: #294

Hello, I've been struggling for two days now to get nextcloud to detect real client addresses and without success... I'm using truenas scale and the official nextcloud application. the configuration is as follows:

NGINX (main proxy on server) -> teue nas server and oficial nextcloud app (docker nfp)

nextcloud config:

'trusted_proxies' =>
array (
0 => '192.168.100.6',
1 => '192.168.100.4',
2 => '172.0.0.0/8',
3 => '10.0.0.0/8',
4 => '127.0.0.1',
5 => '::1',
),
'trusted_domains' =>
array (
0 => 'cloud.xyz.cz',
),
'forwarded_for_headers' =>
array (
0 => 'HTTP_X_FORWARDED_FOR',
1 => 'HTTP_X_FORWARDED',
2 => 'HTTP_X_REAL_IP',
),
'overwritehost' => 'cloud.xyz.cz',
'overwrite.cli.url' => 'https://cloud.xyz.cz',
'overwriteprotocol' => 'https',

i already tried many combinations and no success... i looked at your comment but i don't know how to put it into practice. or is noww other solution exist...

[joshtrichards]

@dlabanec You're commenting on a long ago closed Issue. You're not using the fpm image (what this issue was specific to).

You appear to be using TrueCharts so you may have some front end networking configuration matters to address (ingress/LB).

I suggest taking your query to the support forums.

That said here are some likely relevant resources:

https://truecharts.org/manual/SCALE/options/networking/
https://truecharts.org/manual/SCALE/guides/scale-intro/
https://github.com/nextcloud/helm/blob/main/charts/nextcloud/README.md#preserving-source-ip

https://www.truenas.com/community/
https://help.nextcloud.com