nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Real clients IPs behind cloudflare issues --> forbidden access to public shares #45450

Closed l3ochan closed 2 months ago

l3ochan commented 5 months ago

Bug description

Hi, I'm experiencing an issue with getting my clients' IPs back behind Cloudflare. I was able to do everything needed with the CF_CONNECTING_IP flag. The Apache and Nextcloud logs get the right IPs and not Cloudflare's. The issue is that external share links don't work anymore. I get an access forbidden error when I try to load a share link. If I undo the changes I made, everything works again.

Here are the details of my install

Steps to reproduce

  1. Configure your server to get client IPs back with the CF_CONNECTING_IP RemoteIP header
  2. Configure Nextcloud to accept this header
  3. Make a file or folder and create a public share link
  4. Open the share link you just created in a private window

Expected behavior

Share should open displaying all files, or the file if it's a shared document

Installation method

Community Manual installation with Archive

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

<?php
$CONFIG = array (
  'instanceid' => '*REDACTED*',
  'passwordsalt' => '*REDACTED*',
  'secret' => '*REDACTED*',
  'trusted_domains' =>
  array (
    0 => '*REDACTED*'
  ),
  'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '173.245.48.0/20',
    3 => '103.21.244.0/22',
    4 => '103.22.200.0/22',
    5 => '103.31.4.0/22',
    6 => '141.101.64.0/18',
    7 => '108.162.192.0/18',
    8 => '190.93.240.0/20',
    9 => '188.114.96.0/20',
    10 => '197.234.240.0/22',
    11 => '198.41.128.0/17',
    12 => '162.158.0.0/15',
    13 => '104.16.0.0/12',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
  ),

  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/Nekocorp-User-data/*REDACTED*/data',
  'dbtype' => 'mysql',
  'version' => '29.0.0.19',
  'overwrite.cli.url' => 'http://*REDACTED*',
  'dbname' => '*REDACTED*',
  'dbhost' => '*REDACTED*',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '*REDACTED*',
  'dbpassword' => '*REDACTED*',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '127.0.0.1',
    'port' => '6379',
  ),
  'default_phone_region' => 'FR',
  'mail_from_address' => '*REDACTED*',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '*REDACTED*.fr',
  'mail_smtphost' => '*REDACTED*',
  'mail_smtpport' => '*REDACTED*',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '*REDACTED*',
  'mail_smtppassword' => '*REDACTED*',
  'app_install_overwrite' =>
  array (
    0 => 'officeonline',
    1 => 'whiteboard',
    2 => 'files_antivirus',
    3 => 'googledocsredirect',
    4 => 'apporder',
    5 => 'integration_moodle',
    6 => 'group_default_quota',
    7 => 'keeporsweep',
    8 => 'files_mindmap',
    9 => 'printer',
    10 => 'integration_whiteboard',
    11 => 'video_converter',
    12 => 'carnet',
    13 => 'caniupdate',
    14 => 'impersonate',
    15 => 'ocsms',
    16 => 'hancomoffice',
    17 => 'wopi',
    18 => 'admin_notifications',
    19 => 'pdfdraw',
    20 => 'cfg_share_links',
    21 => 'shifts',
    22 => 'richdocumentscode',
    23 => 'files_downloadactivity',
    24 => 'camerarawpreviews',
    25 => 'hibp',
    26 => 'metadata',
    27 => 'externalportal',
    28 => 'extract',
    29 => 'files_downloadlimit',
    30 => 'circles',
    31 => 'integration_ews',
    32 => 'fulltextsearch',
    33 => 'guests',
    34 => 'secrets',
    35 => 'twofactor_email',
    36 => 'user_cas',
    37 => 'workspace',
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'maintenance_window_start' => '“19”',
  'updater.release.channel' => 'stable',
  'mail_smtpsecure' => 'ssl',
);

List of activated Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - announcementcenter: 6.8.1
  - audioplayer: 3.4.1
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.4
  - certificate24: 0.3.1
  - cfg_share_links: 5.1.0
  - checksum: 1.2.4
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - collectives: 2.11.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.0
  - drawio: 3.0.2
  - end_to_end_encryption: 1.15.2
  - event_update_notification: 2.4.0
  - external: 5.4.0
  - externalportal: 1.3.0
  - extract: 1.3.6
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - forms: 4.2.3
  - guests: 3.1.0
  - impersonate: 1.16.0
  - integration_ews: 1.0.37
  - integration_openai: 2.0.1
  - integration_reddit: 2.0.3
  - integration_youtube: 0.2.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.6.1
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.2.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - quota_warning: 1.19.0
  - related_resources: 1.4.0
  - secrets: 1.5.2
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.12.0
  - sociallogin: 5.6.4
  - socialsharing_email: 3.1.0
  - spreed: 19.0.0
  - suspicious_login: 7.0.0
  - tables: 0.7.2
  - tasks: 0.16.0
  - terms_of_service: 2.4.0
  - text: 3.10.0
  - theming: 2.4.0
  - twofactor_admin: 4.5.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_email: 2.7.4
  - twofactor_nextcloud_notification: 3.9.0
  - twofactor_totp: 11.0.0-dev
  - twofactor_webauthn: 1.4.0
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - welcome: 1.1.0
  - workflowengine: 2.11.0
Disabled:
  - encryption: 2.17.0 (installed 2.16.0)
  - files_antivirus: 5.5.1 (installed 5.5.1)
  - files_external: 1.21.0 (installed 1.20.0)
  - fulltextsearch: 29.0.0 (installed 29.0.0)
  - integration_github: 2.0.7 (installed 2.0.7)
  - nextcloud_announcements: 1.18.0 (installed 1.17.0)
  - oidc: 0.8.1 (installed 0.8.1)
  - recommendations: 2.1.0 (installed 2.0.0)
  - support: 1.12.0 (installed 1.8.0)
  - survey_client: 1.17.0 (installed 1.16.0)
  - systemtags: 1.19.0 (installed 1.15.0)
  - user_ldap: 1.20.0
  - user_saml: 6.1.3 (installed 6.1.3)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"Zk3hV1GuNQSFpdV3fqo2XgAAAAs","level":3,"time":"2024-05-22T12:13:11+00:00","remoteAddr":"*REDACTED*","user":"--","app":"webdav","method":"PROPFIND","url":"/public.php/dav/files/mAzbZ9gXLMKw8Pf/","message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"29.0.0.19","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","Code":0,"Trace":[{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php","line":155,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/next.cloud.com/public.php","line":101,"args":["/var/www/next.cloud.com/apps/dav/appinfo/v2/publicremote.php"],"function":"require_once"}],"File":"/var/www/next.cloud.com/apps/dav/lib/Connector/Sabre/Directory.php","Line":256,"message":"No read permissions. This might be caused by files_accesscontrol, check your configured rules","exception":[],"CustomMessage":"No read permissions. This might be caused by files_accesscontrol, check your configured rules"},"id":"664de15c8803f"}

Additional info

In case it's useful to find out if it's a problem with my configuration or a real bug, here is my apache2 config

<VirtualHost *:80>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ServerSignature Off
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ErrorLog /var/log/apache2/*REDACTED*_error.log

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =*REDACTED*
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName *REDACTED*
    RemoteIPHeader CF_CONNECTING_IP
    RemoteIPTrustedProxy 127.0.0.1 ::1
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/*REDACTED*_error.log
    CustomLog /var/log/apache2/*REDACTED*_access.log access_logs
    ServerSignature Off

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/*REDACTED*/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/*REDACTED*/privkey.pem
</VirtualHost>

kesselb commented 5 months ago

I see several apps in app_install_overwrite. That means those apps are enabled even if they are not declared as compatible with Nextcloud 29. You may want to go over the list and see if the apps are really compatible. There is a log message about files_accesscontrol. Is there maybe a rule configured to block access for a given file?

l3ochan commented 5 months ago

I know the log line is about file access controls, but with the same link and without making any modifications to the access controls of the file, when I remove the config to get the real client IPs, it starts to show the files and there's no error in the logs. This is caused by the server getting IPs moved around in the header. I don't understand why it's doing this.

joshtrichards commented 5 months ago

    RemoteIPHeader CF_CONNECTING_IP
    RemoteIPTrustedProxy 127.0.0.1 ::1
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),

So you're trying to use Apache's header overrides and Nextcloud's trusted_proxies support simultaneously? Is that really what you want? Those would seem to be in conflict (or at least redundant).

kesselb commented 5 months ago

I know the log line is about file access controls, but with the same link and without making any modifications to the access controls of the file, when I remove the config to get the real client IPs, it starts to show the files and there's no error in the logs.

Did you configure a files_accesscontrol rule using remote address?

If Nextcloud was seeing the internal IP address before and now the right one, then you may have to update existing rules.

Those would seem to be in conflict (or at least redundant).

I think that depends. If mod_remoteip rewrites the REMOTE_ADDR header, then it's not possible anymore to use the trusted proxies feature because it's already handled before.
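To make the "conflict or redundant" point concrete, here is an added example (not Nextcloud's or Apache's own code) that models, in simplified form, how a trusted_proxies / forwarded_for_headers check resolves the client IP. The proxy list is a constructed subset of the ranges in the issue's config.php, and the exact order of checks is an assumption about Nextcloud's behaviour, not a transcription of its source.

```python
import ipaddress

# Constructed subset of the trusted_proxies list from the issue's config.php
TRUSTED_PROXIES = ["127.0.0.1", "::1", "173.245.48.0/20", "104.16.0.0/12"]
FORWARDED_FOR_HEADERS = ["HTTP_CF_CONNECTING_IP"]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is listed literally or falls inside a listed CIDR range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in TRUSTED_PROXIES)


def resolve_client_ip(server: dict) -> str:
    """Client IP attributed to a request, given a PHP-style $_SERVER dict.

    The forwarded header is consulted only when the TCP peer (REMOTE_ADDR)
    is a trusted proxy; a forged header from anyone else is ignored.
    (Simplified model of the trusted_proxies logic, not Nextcloud's code.)
    """
    remote = server.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote):
        return remote
    for header in FORWARDED_FOR_HEADERS:
        for candidate in server.get(header, "").split(","):
            candidate = candidate.strip().strip("[]")  # bare IPv6 literal
            if not candidate or is_trusted_proxy(candidate):
                continue  # empty, or a hop added by another trusted proxy
            try:
                ipaddress.ip_address(candidate)
                return candidate
            except ValueError:
                continue  # garbage in the header, keep looking
    return remote


# 1) Nextcloud-only setup: peer is a Cloudflare edge, so the header is honoured.
VIA_CLOUDFLARE = {"REMOTE_ADDR": "173.245.48.10", "HTTP_CF_CONNECTING_IP": "203.0.113.7"}
# 2) Apache mod_remoteip already rewrote REMOTE_ADDR to the client IP: the peer
#    is no longer a trusted proxy, so Nextcloud's own logic is never reached.
AFTER_MOD_REMOTEIP = {"REMOTE_ADDR": "203.0.113.7", "HTTP_CF_CONNECTING_IP": "203.0.113.7"}
# 3) Direct request from an untrusted peer carrying a forged header: ignored.
SPOOFED = {"REMOTE_ADDR": "198.51.100.9", "HTTP_CF_CONNECTING_IP": "10.0.0.1"}
```

Scenario 2 is why layering both mechanisms is redundant: once mod_remoteip has replaced REMOTE_ADDR, Nextcloud never sees a trusted-proxy peer and simply takes the address Apache handed it.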

l3ochan commented 5 months ago

Did you configure a files_accesscontrol rule using remote address?

I did not; I don't use workflows.

So you're trying to use Apache's header overrides and Nextcloud's trusted_proxies support simultaneously? Is that really what you want? Those would seem to be in conflict (or at least redundant).

I think that depends. If mod_remoteip rewrites the REMOTE_ADDR header, then it's not possible anymore to use the trusted proxies feature because it's already handled before.

So before doing anything in Nextcloud's config file I tried with Apache only and had the same issue, but regardless of whether you have both, only Apache, or only Nextcloud's config, the result is exactly the same.

UPDATE: I just tried it out and it's partially working, but I'm still getting errors in the logs. Here is one:

{"reqId":"Zk5R9mejtkTAmSoG5zq0jAAAAAA","level":3,"time":"2024-05-22T20:13:42+00:00","remoteAddr":"*RECACTED*","user":"Leo","app":"PHP","method":"PROPFIND","url":"/remote.php/dav/files/Leo/Cours","message":"Optional parameter $userId declared before required parameter $path is implicitly treated as a required parameter at /var/www/next.cloud.com/apps/deck/lib/Service/ConfigService.php#234","userAgent":"Mozilla/5.0 (Windows) mirall/3.13.0stable-Win64 (build 20240423) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.0.19","data":{"app":"PHP"},"id":"664e51fb7db20"}

So I only have the CF headers thingy in my Nextcloud config, and it's showing the right IPs as expected and shares started working again! But I'm still getting log entries like the one above, and to my knowledge it doesn't make any sense...

kesselb commented 5 months ago

The last message will be fixed by an upcoming deck app update.

l3ochan commented 1 month ago

I can confirm this got fixed.