lucaslorentz / caddy-docker-proxy

Caddy as a reverse proxy for Docker
MIT License

Trying to use the LinuxServer Nextcloud Docker returns public IPs. #564

Open Hacker1245 opened 6 months ago

Hacker1245 commented 6 months ago

I am having this problem where all of my login attempts to Nextcloud end up outputting the public IP address. My proxy docker-compose:

version: "3.7"
services:
  caddy:
    # see here for guidance on which image / tag to choose:
    # https://github.com/lucaslorentz/caddy-docker-proxy#docker-images
    image: lucaslorentz/caddy-docker-proxy:2.8.10
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      caddy:
        ipv4_address: 172.16.0.6
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    restart: unless-stopped

networks:
  caddy:
    external: true

Nextcloud docker-compose:

services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    networks:
      caddy:
        ipv4_address: 172.16.0.7
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Warsaw
    volumes:
      - ./nextcloud:/config
      - /srv/dev-disk-by-uuid-bef15755-0d31-4edf-8d6c-c2d4786b312a/data:/data
    labels:
      caddy: example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.header.Strict-Transport-Security: '"max-age=15552000;"'
      caddy.rewrite_0: /.well-known/carddav /remote.php/dav
      caddy.rewrite_1: /.well-known/caldav /remote.php/dav
    links:
      - db

networks:
  caddy:
    external: true

This is all running on an OpenMediaVault 6.9.11-3 server with the openmediavault-compose plugin. I use DuckDNS for the domain.

lucaslorentz commented 6 months ago

Hey, I didn't understand the issue. Maybe I'm lacking knowledge about Nextcloud. Can you please explain the IP problem a bit further?

Some questions I have:

- Where does it return the public IP?
- Is that some IP allowlisting feature from Nextcloud?
- Which IP did you expect if not the public IP?

Hacker1245 commented 6 months ago

> Where does it return the public IP?

In both the Nextcloud logs and Caddy's logs.

> Is that some IP allowlisting feature from Nextcloud?

It's a brute force protection feature: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/bruteforce_configuration.html Maybe I misconfigured something here.

> Which IP did you expect if not the public IP?

The IP of the client that's accessing it, otherwise I end up brute force throttling my entire public IP.

lucaslorentz commented 6 months ago

Thanks for clarifying. Getting real IP addresses in upstreams is a bit difficult because there are too many things that would affect the IP. I think you will have to diagnose to pinpoint exactly where the IP is being lost.

It could be lost in the Docker network; bind the CDP container directly to host ports to prevent it: https://github.com/lucaslorentz/caddy-docker-proxy/issues/406#issuecomment-1264607013 That way you remove any hops in between your host and the CDP container.

Caddy by default sends transparent proxy headers (X-Forwarded-...), so if Caddy receives the original IP it will be sent to Nextcloud, but you need to configure Nextcloud to trust the headers from Caddy. The config name is trusted_proxies: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/reverse_proxy_configuration.html

It could also be some load balancer/NAT in your network, which would make the IP the public IP. In that case, I think you would need to enable PROXY_PROTOCOL in it.
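The three places the client IP can be lost in this thread (a hop in front of Caddy, an app that does not trust Caddy's headers, and a correct setup) can be walked through in a small model. This is an added example, not code from the thread, Caddy or Nextcloud: the addresses are constructed (only 172.16.0.6 comes from the compose file above), Caddy is modelled as overwriting X-Forwarded-For with its own peer's address (its default), and resolve_client_ip is a simplified model of the trusted_proxies contract rather than Nextcloud's implementation.

```python
import ipaddress

# Constructed sample addresses (not taken from the issue thread).
CLIENT_IP = "203.0.113.45"   # a real client, TEST-NET-3 documentation range
PROXY_IP = "172.16.0.6"      # the Caddy container's address in the compose file above
HOST_SIDE_IP = "172.16.0.1"  # assumed address docker-proxy connects from; varies per host


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Client IP an application should log and rate-limit on.

    Models the trusted_proxies contract: X-Forwarded-For is believed only when
    the TCP peer (REMOTE_ADDR) is a configured proxy; from any other peer the
    header is attacker-controlled and is ignored. Illustrative, not Nextcloud's code.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies):
        return remote_addr
    for hop in (x_forwarded_for or "").split(","):
        try:
            return str(ipaddress.ip_address(hop.strip().strip("[]")))
        except ValueError:
            continue  # skip empty or malformed entries
    return remote_addr


def caddy_forwards(peer_ip):
    """Caddy's default: X-Forwarded-For upstream is the address of Caddy's own peer."""
    return peer_ip


def app_sees(peer_of_caddy, app_trusted_proxies):
    """IP recorded by the upstream app for a request that traversed Caddy."""
    return resolve_client_ip(PROXY_IP, caddy_forwards(peer_of_caddy), app_trusted_proxies)


def scenarios():
    return {
        # userland proxy in the path: Caddy never sees the client, so nothing downstream can
        "userland_proxy": app_sees(HOST_SIDE_IP, [PROXY_IP]),
        # Caddy on host ports, but the app has no trusted_proxies: it logs Caddy's address
        "app_not_trusting_caddy": app_sees(CLIENT_IP, []),
        # host ports plus trusted_proxies = the Caddy container: brute-force protection keys on the client
        "correct": app_sees(CLIENT_IP, [PROXY_IP]),
        # a client reaching the app directly with a forged header gets no say over its own IP
        "spoof_rejected": resolve_client_ip(CLIENT_IP, "198.51.100.9", [PROXY_IP]),
    }
```

The "app_not_trusting_caddy" case is the symptom an app shows when it reports the proxy's IP; the "userland_proxy" case is what the host-mode port binding above removes, and the same effect can be had daemon-wide with `"userland-proxy": false` in /etc/docker/daemon.json.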

Hacker1245 commented 6 months ago

> It could be lost in the Docker network; bind the CDP container directly to host ports to prevent it: #406 (comment)

Do I also bind the 443 port to the host? Edit: Tried it, still returns the public IP. docker-compose:

    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host

> Caddy by default sends transparent proxy headers (X-Forwarded-...), so if Caddy receives the original IP it will be sent to Nextcloud, but you need to configure Nextcloud to trust the headers from Caddy. The config name is trusted_proxies: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/reverse_proxy_configuration.html

Already set that up. Hmm, I wonder if that's related: https://docs.linuxserver.io/FAQ/#strict-proxy, seeing as Nextcloud in the container is set to output to 443 by default. Someone had a different issue, but maybe that would work here too: https://discourse.linuxserver.io/t/cant-get-nextcloud-to-work-with-caddy-v2-as-reverse-proxy/1549/8 But I couldn't really figure out how to implement that in the compose file.

Hacker1245 commented 6 months ago

Hm, so another strange thing: I set up Vaultwarden and it reports the IP of the proxy, yet Caddy returns nothing about failed login attempts in the log.

Hacker1245 commented 1 month ago

So, an update on that issue: I went and disabled the Docker userland proxy, and now the Nextcloud brute-force prevention correctly grabs the IPs, but now I need to figure out how to make Vaultwarden report the external IP and not the IP of the proxy.