mmccarn
commented
3 months ago This is an old issue, but...
Lessons learned using nextcloud behind a cloudflare proxy:
trusted_domains- Include any IPs or DNS names that might be used to access NextCloud
trusted_proxies- include proxy IPs as seen by the nextcloud server
- when I ran my own proxy I got this IP from the nextcloud log
- for cloudflare I used cloudflare's list of IPs
forwarded_for_headers- specify the headers added by the proxy to indicate the user's actual IP address
- I got this, too, from the nextcloud log when using my own proxy, and from cloudflare header documentation for cloudflare
Comments specific to this issue:
- If the nginx proxy is really on the same host as nextcloud ("192.168.xx.yy" as indicated in the supplied config.php), then the value under
trusted_proxiesmight need to be "127.0.0.1" instead of 192.168.xx.yy - nginx may need configuration modifications to correctly report the user's IP address.
- I don't use nginx, but these instructions from slingacademy.com may be useful.
- "remoteAddr" in the nextcloud log will be the user's IP when the configuration is correct (and will be the proxy IP if not)
Working Config For reference, here is the config that works for me with TOTP behind a cloudflare proxy
- 192.168.1.1 is listed under
trusted_proxiesbecause it still serves as a WAF/Proxy if cloudflare is disabled or bypassed. - The
forwarded-for-headerssection may not be required if the proxy uses onlyX-Forwarded-For
'trusted_domains' =>
array (
0 => '192.168.1.7',
1 => 'nextcloud.redacted.tld',
2 => 'redacted.dyndns.org',
3 => '192.168.1.89',
),
'trusted_proxies' =>
array (
0 => '192.168.1.1',
1 => '173.245.48.0/20',
2 => '103.21.244.0/22',
3 => '103.22.200.0/22',
4 => '103.31.4.0/22',
5 => '141.101.64.0/18',
6 => '108.162.192.0/18',
7 => '190.93.240.0/20',
8 => '188.114.96.0/20',
9 => '197.234.240.0/22',
10 => '198.41.128.0/17',
11 => '162.158.0.0/15',
12 => '104.16.0.0/13',
13 => '104.24.0.0/14',
14 => '172.64.0.0/13',
15 => '131.0.72.0/22',
16 => '2400:cb00::/32',
17 => '2606:4700::/32',
18 => '2803:f800::/32',
19 => '2405:b500::/32',
20 => '2405:8100::/32',
21 => '2a06:98c0::/29',
),
'forwarded-for-headers' =>
array (
0 => 'HTTP_X_FORWARDED_FOR',
1 => 'HTTP_CF-Connecting-IP',
),
Hi, don't know whether this is the exact best spot to report this issue, because the same issue happens when using the backup-codes.
Steps to reproduce
Expected behaviour
Successful sign in to my account
Actual behaviour
I get the following error:
The operation couldn't be completed. (actual domain replaced with my.domain and parameters after login/flow/grant? removed) (NSURLErrorDomain error -999.)_WKRecoveryAttempterErrorKey <WKReloadFrameErrorRecoveryAttemp ter: 0x28348f300> NSErrorFailingURLStringKey https:// cloud.my.domain/login/challenge/ totp?redirect_url=/login/flow/grant?[...] NSErrorFailingURLKey https:// cloud.my.domain/login/challenge/ totp?redirect_url=/login/flow/grant?[...]
The weird thing is, that after I click on "ok", it displays nextcloud as a logged in website, it just doesn't actually link it to the app.
Sign in for non 2FA accounts works fine
Security Setups and Warnings says "all checks passed"
Server configuration
Unraid with nextcloud docker and Nginx Proxy manager
https://cloud.my.domain --> Nginx Proxy Manager (with letsencrypt certificate, force https, http/2, HSTS, netfinger etc. specified according to nextcloud documentation) --> http://192.168.xx.yy:httpport
Version: (see admin page) 25.0.3
Updated from an older version or fresh install: fresh install, restored from previous server running on Ubuntu, also version 25.0.3 though
The content of config/config.php: