All requests originate from 172.19.0.X

[ghost]

Nextcloud version 13: Operating system and version Debian 9: Apache or nginx version Docker / nginx proxy / apache:

The issue you are facing:

All requests originate from 172.19.0.2 instead of the incoming IP. The main undesirable side effect is that failed login attempts are all attributed to the same IP regardless of their actual origin, causing login/uploading one image has an added delay of about ~30 seconds.

Is this the first time you've seen this error? N:

Steps to replicate it:

1. git clone https://github.com/nextcloud/docker
2. cd .examples/docker-compose/with-nginx-proxy/postgres/apache
3. sudo docker-compose up -d

From Admin > Logging:

Warning | core | Login failed: 'Max' (Remote IP: '172.19.0.2') | 2018-03-25T23:47:30+0200

From the server logs:

$ cd docker/.examples/docker-compose/with-nginx-proxy/postgres/apache
$ sudo docker-compose logs proxy
...
proxy_1                  | nginx.1    | a.b.org 86.288.202.127 - - [25/Mar/2018:12:11:25 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 74 "-""Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
$ sudo docker-compose logs app
...
app_1                    | 172.19.0.2 - - [26/Mar/2018:06:56:56 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 689 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"

[Chm]

I've got almost the same issue before.

This is due to a security check, NC can't tell if it's true when a same IP says it's a rev-proxy, and keeps login on behalf of someone unlimited.

The solution must match with the rev proxy setup, and I handled it this way:

1. nginx on host, listen on 80/443
2. start container with docker compose, with a separate network 172.32.0.0/24
3. setup compose to build custom image from NC, add a bunch of config php file with one containing

<?php $CONFIG = array ( 'trusted_proxies' => array( '172.32.0.1', ), );

as docker put host as nat gateway on 172.32.0.1

And for your issue, with a container as nginx proxy:

1. use separate network
2. assign static ip for nginx in compose config
3. replace ip in php config

[ghost]

@Chm this is a nice workaround, great short term solution, thank you :+1: I'm concerned that it effectively disable all brute-force login attempts mitigation though, doesn't it?

[ghost]

@tilosp it looks like there should be some configuration option somewhere to take X-Forwarded-For into account. If you point me in the right direction I'd be happy to propose a pull request to fix this.

[pierreozoux]

We solve it at the nginx level:

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
...
        set_real_ip_from  172.0.0.0/8;
        real_ip_header X-Forwarded-For;
...

But this is difficult to fix it for everybody as this address depends on your setup. I hope that by moving to k8s we'll find a nicer workaround.

[tilosp]

we could simply allow any rfc1918 address

set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For

this should fix it for most people

@pierreozoux are you sure that ngx_http_realip_module is part of the nginx image?

[ghost]

we could simply allow any rfc1918 address

So we would add something in the proxy directory to add these nginx configuration lines? If you confirm that's approximately where this should go I'll submit a PR with this change for discussion.

[pierreozoux]

Good idea @tilosp :)

Yes, for the debian and alpine version \o/

$ docker run -it nginx nginx -V                                                                                                                                                          
nginx version: nginx/1.13.10
built by gcc 6.3.0 20170516 (Debian 6.3.0-18) 
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.10/debian/debuild-base/nginx-1.13.10=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
$ docker run -it nginx:alpine nginx -V                                                                                                                                                          
nginx version: nginx/1.13.10
built by gcc 6.4.0 (Alpine 6.4.0) 
built with OpenSSL 1.0.2n  7 Dec 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module

[ghost]

I tried the following.

diff --git a/.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/Dockerfile b/.examples/docker-compose/with-nginx-proxy
/postgres/apache/proxy/Dockerfile
index 242c84e..0756729 100644
--- a/.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/Dockerfile
+++ b/.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/Dockerfile
@@ -1,3 +1,4 @@
 FROM jwilder/nginx-proxy:alpine

 COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf
+COPY forwarded.conf /etc/nginx/conf.d/forwarded.conf
diff --git a/.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/forwarded.conf b/.examples/docker-compose/with-nginx-p
roxy/postgres/apache/proxy/forwarded.conf
new file mode 100644
index 0000000..27505bb
--- /dev/null
+++ b/.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/forwarded.conf
@@ -0,0 +1,4 @@
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 192.168.0.0/16;
+real_ip_header X-Forwarded-For;

And it rebuilds:

$ sudo docker-compose build proxy
Building proxy
Step 1/3 : FROM jwilder/nginx-proxy:alpine
 ---> 90e8421375c4
Step 2/3 : COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf
 ---> Using cache
 ---> 19544f11d3b3
Step 3/3 : COPY forwarded.conf /etc/nginx/conf.d/forwarded.conf
 ---> Using cache
 ---> 420fba21bd7c
Successfully built 420fba21bd7c
Successfully tagged apache_proxy:latest

But then when sudo docker-compose up proxy runs the file is not there:

$ sudo docker-compose exec proxy ls -l /etc/nginx/conf.d
total 12
-rw-rw-r--    1 root     root          3487 Mar 26 08:01 default.conf
-rw-rw-r--    1 root     root          3487 Dec 26 23:14 docker-gen936230747
-rw-r--r--    1 root     root            26 Dec 26 21:42 uploadsize.conf

Why is that?

[ghost]

Ah, @pierreozoux is using docker/.examples/docker-compose/with-nginx-proxy/postgres/fpm which is nginx but I'm using docker/.examples/docker-compose/with-nginx-proxy/postgres/apache which is apache. I incorrectly assumed the suggested change was for the proxy but it is for the server running the PHP code.

[ghost]

I suppose the right place to change this is in each docker directory ?

[ghost]

So, for Apache the following works, in the app container:

• a2enmod remoteip
• cat /etc/apache2/conf-enabled/remoteip.conf

  RemoteIPHeader X-Real-IP
  RemoteIPTrustedProxy 172.19.0.2
  

I will try to turn that into a proper PR

[bfayers]

I'm still running into this issue.

I'm using jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion

And the :latest branch on nextcloud image.

I have this in my config.php:

  'trusted_proxies' => ['127.17.0.10'],
  'forwarded_for_headers' => ['HTTP_X_REAL_IP'],
  'auth.bruteforce.protection.enabled' => false,

(bruteforce disabled because, since real IP won't show It throttles everything)

example log here:

172.17.0.10 - - [15/Apr/2018:12:51:55 +0000] "GET /cron.php HTTP/1.1" 200 879 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

I have this in my nginx-proxy container in conf.d

forwarded.conf
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.17.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;

In my nextcloud container I have this in /etc/apcahe2/conf-enabled/remoteip.conf

RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16
RemoteIPTrustedProxy 172.17.0.10

And yet, all my logs still come through as above? What obvious thing am I missing here? (FWIW this is outward facing onto a domain)

[ghost]

It appears that you are not running Nextcloud as described in the issue comment, or am I mistaken?

[bfayers]

@dachary Correct, that is not how I am running, misread that. However issue still kind of stands as they're all still coming like that from an nginx proxy into a nextcloud docker like so.

[ghost]

@bfayers please note that this repository is about the docker image setup to deploy Nextcloud. If your problem does not involve using the code published here, it is unlikely that someone will be able to help.

[bfayers]

@dachary Okay, but given that its still going from nginx proxy into apache running inside the nextcloud docker container the same should apply as in this thread, no?

[ghost]

@bfayers you should be able to compare the setup described in this issue (which works) with what you did (which does not work). And you will likely discover there is a tiny difference that breaks things. Just a thought ;-)

[bfayers]

@dachary Still not sure.. Solved with:

apt-get install libapache2-mod-rpaf

/etc/apache2/mods-available/rpaf.conf
<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    RPAFheader X-Real-IP
    RPAFproxy_ips 172.17.0.10
</IfModule>

(thanks to: https://www.daveperrett.com/articles/2009/08/10/passing-ips-to-apache-with-nginx-proxy/)

a2enmod rpaf

docker restart nextcloud

Now proper ips show up

[pgera]

I had to apply this patch manually to the insecure docker examples. Any reason why those were excluded ? I use the insecure docker image with a host nginx reverse proxy. So it still affects that.

[mossholderm]

Not sure this should be closed. There is more than just using mod_remoteip that needs changing. I am using the 14.0 image, and on that platform, you ALSO need to change the LogFormat directive in apache2.conf to use the %a variable instead of the %h variable to log to proper client IPs.

[nightspotlight]

I have the same setup as @bfayers and also having the same issue. In the past I had used mod_rpaf in Apache to get actual client addresses. It seems there should be more than just mod_remoteip configuration. Can anybody fix this in Nextcloud Docker image?

[bonanza123]

https://github.com/nextcloud/docker/issues/294#issuecomment-381418214 Fixes it for me as well. Would be nice to have it in the official image

[DatAres37]

@bfayers Do you mind sharing your whole config? I'm using the jwilder proxy as well, but nextcloud.log still shows private IPs.

Edit: Nvm, got it working. I had multiple Forwarded-For Headers in my config, which apparently breaks this function.

[TheReal1604]

Is there something additional to do if someone uses an apache2 reverse proxy in front of the nextcloud docker - apache2 image? It just doesnt work for me. :(

For my knowledge mod_proxy / mod_proxy_http should add the needed headers (X-Forwarded-For) automatically. But in the docker logs it shows still the gateway address of the docker network. Any ideas?

[cs33lm]

I am facing the same issue with not seeing the visitors ip in the nextcloud container behind a reverse proxy container. My solution used to be to run the reverseproxy with --net=host and to add the header to the logsettings for the virtual host. Docker bridge networking does not pass the headers through.

[godfuture]

Why is this ticket closed? The nc images still have this bug. Bruteforce detection does not work when using docker in regular way.

[robfuscator]

From the docs: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html

'trusted_proxies' => array('172.xx.0.x'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),

Solved it for me

[balki]

I did some digging on this issue. The reasons why it appears to be not working.

1. docker logs don't show the correct client ip. This is because the log format needs to be changed. However since there is a proxy already, you can rely on its log instead of docker logs which is recorded by the apache. Note that the nextcloud logs does have the correct client ip.

2. If you are testing it from an internal ip (e.g. 192.168..) , it won't work. For this to work, the conf should use a different directive. https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

Solution: Use the 'trusted_proxies' config option to specify directly in nextcloud. https://gitlab.com/snippets/1884088

On a side note, I recommend configuring overwriteprotocol to https. Without this the file share links generated are http ones and thus can be trapped.

[melyux]

I simply added 172.0.0.0/8 to trusted_proxies, and it worked, since my reverse proxy is on another docker container.

EDIT: Never mind, the IPs in the logs still show the local nginx reverse proxy container's 172.8.x.x. IP. But adding @tilosp's lines worked.

[SuperSandro2000]

You need to disable the Docker Userland proxy to get the real client IP. Otherwise all requests will originate from the gateway.

[maanloper]

2. If you are testing it from an internal ip (e.g. 192.168..) , it won't work. For this to work, the conf should use a different directive. https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

For anyone experiencing the same problem, try to access Nextcloud with your phone over mobile internet; the remote IP showed up correctly. Had been scratching my head for over an hour why I couldn't see my real (internal) IP address, but https://github.com/nextcloud/docker/issues/294#issuecomment-519939466 was right on point.