Closed oeiber closed 1 month ago
Hello,
The user's IP address is currently not being forwarded to OpenOTP from our Nextcloud plugin. We will investigate the possibility of adding this feature and include it in a future version.
Regards
That's really sad :-( I think providing the user's IP address should be a core functionality.
Indeed. Sorry for the inconvenience, it will be part of the next versions.
Regards
Our dev team is working on it.
Thank you for implementing the feature. Now I can see the reverse proxy's IP address in the websrv log, although the X-Forwarded-For header is provided. Is it possible to transmit the client's real IP address to webadm?
Hello,
This is because your WebADM server is not correctly configured. The reverse proxy address must be configured in /opt/webadm/conf/webadm.conf file.
e.g.:
reverse_proxies "172.16.0.12" where 172.16.0.12 is the IP of your reverse proxy normally included in the x-forwarded-host header.
If you have multiple reverse proxies that you trust, you can configure a depth like: reverse_proxies "172.16.0.12 2" for 2 lines of trusted reverse proxies.
https://docs.rcdevs.com/endpoints_and_publication/
Regards
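How a server behind one or more trusted proxies should pick the client address from X-Forwarded-For, with a trusted-proxy list and a hop depth in the spirit of the reverse_proxies setting above. This is an added illustration, not RCDevs' or Nextcloud's own code; the function name and the addresses are made up (203.0.113.5 stands in for a client on the internet, 10.0.4.10 and 10.0.4.6 for the proxy and the Nextcloud host in this thread).

```python
import ipaddress


def resolve_client_ip(remote_addr, xff_header, trusted_proxies, depth=1):
    """Pick the client address implied by a trusted-proxy list and a hop depth.

    remote_addr     -- peer address of the TCP connection (what the server sees itself)
    xff_header      -- raw X-Forwarded-For value, possibly empty
    trusted_proxies -- addresses or CIDR ranges of reverse proxies we trust
    depth           -- how many trusted proxy hops may sit between us and the client
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in n for n in nets)

    # A header arriving from an untrusted peer is ignored outright: anyone can send one,
    # so acting on it would let a caller choose the address used for policy decisions.
    if not is_trusted(remote_addr):
        return remote_addr

    chain = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain.append(remote_addr)  # rightmost hop is the peer that actually connected to us

    hops = 0
    for addr in reversed(chain):
        if hops < depth and is_trusted(addr):
            hops += 1           # a trusted proxy we still have budget to look past
            continue
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            return remote_addr  # malformed entry: fall back to the real peer
    return remote_addr          # header was empty or held only trusted proxies
```

With depth=1 and two trusted hops in front of the server, the function stops at the second proxy and reports its address, which is exactly the symptom described in this thread; raising the depth to 2 yields the client address.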
I think it's configured correctly:
Ok, can you enable the trace logs of Apache on the WebADM server and provide us the logs containing the HTTP headers for a Nextcloud authentication request?
Edit /opt/webadm/lib/httpd.ini
Change:
LogLevel warn
to:
LogLevel trace8
Then restart WebADM:
/opt/webadm/bin/webadm restart
Tail the WebADM logs and perform a Nextcloud authentication request:
tail -f /opt/webadm/logs/webadm.log | grep -i x-for
Provide us the output of the tail command.
Regards
There's no log output. As I can see, X-Forwarded-For is transmitted to Nextcloud, but not to webadm.
What is the 10.0.4.6 IP in your logs?
10.0.4.6 is the nextcloud server.
Ok, so far so good. Can you share your Nextcloud configuration file? Remove any sensitive data before sending it.
Regards
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => array (
    0 => array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array (
    'host' => 'redis',
    'password' => 'xxx',
    'port' => 6379,
  ),
  'upgrade.disable-web' => true,
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => array (
    0 => 'cloud.xxx.de',
    1 => '10.0.4.6',
  ),
  'trusted_proxies' => array (
    0 => '10.0.4.10/32',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '30.0.0.14',
  'overwrite.cli.url' => 'https://nextcloud.xxx.de',
  'overwritehost' => 'nextcloud.xxx.de',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_fbadmin',
  'dbpassword' => 'xxx',
  'installed' => true,
  'maintenance_window_start' => 1,
  'default_phone_region' => 'de',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'loglevel' => 2,
  'maintenance' => false,
  'app_install_overwrite' => array (
    0 => 'openotp_auth',
    1 => 'forms',
  ),
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => array (
    0 => 'User_Nextcloud',
  ),
  'twofactor_enforced_excluded_groups' => array (
    0 => 'admin',
  ),
);
Our Nextcloud instance is using nginx instead of the default Apache. Setting the following parameters in Nextcloud's nginx.conf did the trick:
set_real_ip_from 10.0.4.10;
real_ip_header X-Forwarded-For;
Thank you for your help!
Ok, thanks for your feedback, I was also suspecting something on the Nextcloud side... I'm closing that case.
Regards
Hi, I'm using Nextcloud with LDAP authentication in conjunction with OpenOTP MFA. I would like to bypass OTP authentication for internal subnets. But the client's IP address seems not to be transmitted to webadm. Is this behaviour by design, or is there something wrong in my configuration?
Thank you!