nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: HTTP_X_FORWARDED_FOR / HTTP_X_REAL_IP are ignored #30857

Closed bjo81 closed 2 years ago

bjo81 commented 2 years ago


Bug description

I'm running a docker-container based on alpine with nginx and php-fpm. A Traefik in front of the setup forwards the HTTP_X_FORWARDED_FOR header correctly, e.g. the nginx inside the container logs the correct IP and a phpinfo() also shows the correct one. But Nextcloud ignores it and logs the IP of the traefik container, which is a trusted proxy IP.

Steps to reproduce

Expected behavior

The correct external IP is recognized.

Installation method

Other

Operating system

Other

PHP engine version

PHP 7.4

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "xyz.cloud.foo.bar",
        "overwriteprotocol": "https",
        "trusted_proxies": "172.x.y.1,172.x.y.2,172.x.y.3",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR",
            "X-Forwarded-For"
        ],
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xyz.cloud.foo.bar"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "22.2.3.0",
        "overwrite.cli.url": "https:\/\/xyz.cloud.foo.bar",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.8.0
  - activity: 2.15.0
  - admin_audit: 1.12.0
  - circles: 22.1.1
  - cloud_federation_api: 1.5.0
  - comments: 1.12.0
  - contactsinteraction: 1.3.0
  - dashboard: 7.2.0
  - dav: 1.19.0
  - external: 3.9.0
  - federatedfilesharing: 1.12.0
  - federation: 1.12.0
  - files: 1.17.0
  - files_pdfviewer: 2.3.1
  - files_rightclick: 1.1.0
  - files_sharing: 1.14.0
  - files_trashbin: 1.12.0
  - files_versions: 1.15.0
  - files_videoplayer: 1.11.0
  - impersonate: 1.9.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.10.0
  - nextcloud_announcements: 1.11.0
  - notifications: 2.10.1
  - oauth2: 1.10.0
  - password_policy: 1.12.0
  - photos: 1.4.0
  - privacy: 1.6.0
  - provisioning_api: 1.12.0
  - recommendations: 1.1.0
  - serverinfo: 1.12.0
  - settings: 1.4.0
  - sharebymail: 1.12.0
  - sociallogin: 4.9.5
  - support: 1.5.0
  - systemtags: 1.12.0
  - text: 3.3.0
  - theming: 1.13.0
  - twofactor_backupcodes: 1.11.0
  - updatenotification: 1.12.0
  - user_status: 1.2.0
  - viewer: 1.6.0
  - weather_status: 1.2.0
  - workflowengine: 2.4.0
Disabled:
  - encryption
  - files_external
  - firstrunwizard
  - survey_client
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

RSE/","message":"Login failed: 'someuser' (Remote IP: '172.x.y.3')","userAgent":"sabre-dav/4.2.1 (http://sabre.io/)","version":"22.2.3.0"}
{"reqId":"eqlPId4Yp9ajCGEeWgTn","level":2,"time":"2022-01-26T09:49:05+00:00","remoteAddr":"172.x.y.3","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares?format=json&path=%2FKURSE","message":"Login failed: 'someuser' (Remote IP: '172.x.y.3')","userAgent":"Symfony HttpClient/Curl","version":"22.2.3.0"}
{"reqId":"8VcAJRYwFaZlRwJCJc9V","level":2,"time":"2022-01-26T13:00:37+00:00","remoteAddr":"172.x.y.3","user":"--","app":"core","method":"GET","url":"/ocs/v1.php/cloud/groups?format=json","message":"Login failed: 'another user' (Remote IP: '172.x.y.3')","userAgent":"Symfony HttpClient/Curl","version":"22.2.3.0"}

Additional info

nginx log from the container:

172.x.y.3 - - [26/Jan/2022:13:58:46 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "https://xyz.cloud.foo.bar/apps/dashboard/" "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0" "91.a.b.9"
172.x.y.3 - - [26/Jan/2022:13:59:16 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "https://xyz.cloud.foo.bar/apps/dashboard/" "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0" "91.a.b.9"

Headers which should also be seen by Nextcloud: headers

solracsf commented 2 years ago

trusted_proxies must be an array.

bjo81 commented 2 years ago

Maybe it was a c&p error, config:list system redacted it.

In config.php it is:

'trusted_proxies' =>
  array (
    0 => '172.x.0.0/16',
  ),

Additionally the environment contains `TRUSTED_PROXIES='[172.x.y.1,172.x.y.2,172.x.y.3]'`, so due to

$trustedProxies = getenv('TRUSTED_PROXIES');
if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
}

in config/reverse-proxy.config.php the configured array should be correct.

The trusted_proxies part from config:list system --private:

        "trusted_proxies": [
            "[172.x.y.3,172.x.y.2,172.x.y.1]"
        ],

solracsf commented 2 years ago

Ok, it was just a hint; in my setup, behind 2 proxies (yeah), the client IP is correctly output. But I'm using PROXY Protocol, maybe it helps.

bjo81 commented 2 years ago

We have another setup with nginx proxy where everything is fine. That makes it much more confusing, as in this case the logged IP is now also the one from the trusted_proxies array, and according to the header, HTTP_X_FORWARDED_FOR has the external IP. The docs say that the default is HTTP_X_FORWARDED_FOR, so this should work.

bjo81 commented 2 years ago

Comparing the setup showed: TRUSTED_PROXIES shouldn't be an array in [], the function from config/reverse-proxy.config.php converts it itself into an array.
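The root cause discussed in this thread, shown as an added example (not Nextcloud's code): the space-split parsing quoted above from config/reverse-proxy.config.php turns a bracketed `TRUSTED_PROXIES` value into a single entry that is not a valid IP or CIDR, so no peer is trusted and X-Forwarded-For is never consulted. The resolver below is a simplified, generic trusted-proxy walk, and all addresses are constructed placeholders.

```python
import ipaddress


def parse_trusted_proxies(env_value: str) -> list[str]:
    """Mirror the explode(' ') / trim / array_filter logic: split on spaces only."""
    return [p.strip() for p in env_value.split(" ") if p.strip()]


def valid_entries(entries: list[str]) -> tuple[list[str], list[str]]:
    """Separate parseable IPs/CIDRs from junk such as '[a,b,c]'."""
    ok, bad = [], []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
            ok.append(entry)
        except ValueError:
            bad.append(entry)
    return ok, bad


def is_trusted(addr: str, trusted: list[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(remote_addr: str, x_forwarded_for: str, trusted: list[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the chain from the right and return the first untrusted hop."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:  # garbage in the header: fall back to the peer
            return remote_addr
    return remote_addr


def resolve(env_value: str, remote_addr: str, x_forwarded_for: str) -> tuple[str, list[str]]:
    """Return (effective client IP, rejected trusted_proxies entries)."""
    ok, bad = valid_entries(parse_trusted_proxies(env_value))
    return client_ip(remote_addr, x_forwarded_for, ok), bad


if __name__ == "__main__":
    # Constructed values: bracketed form (broken) vs. space-separated form (works).
    print(resolve("[172.16.5.1,172.16.5.2,172.16.5.3]", "172.16.5.3", "203.0.113.9"))
    print(resolve("172.16.5.1 172.16.5.2 172.16.5.3", "172.16.5.3", "203.0.113.9"))
```

The first call returns the proxy address with the whole bracketed string reported as a rejected entry; the second returns the external client address.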