
Issue with nextcloud behind proxy #1327

Open
Tigerium opened this issue Feb 18, 2023 · 1 comment

Comments

@Tigerium

Hi, I don't know whether this is the exact best spot to report this issue, because the same issue happens when using the backup codes.

Steps to reproduce

  1. open nextcloud app on ios
  2. sign in to https://cloud.my.domain
  3. enter 2FA code

Expected behaviour

Successful sign in to my account

Actual behaviour

I get the following error:

(actual domain replaced with my.domain and parameters after login/flow/grant? removed)

The operation couldn't be completed. (NSURLErrorDomain error -999.)
_WKRecoveryAttempterErrorKey <WKReloadFrameErrorRecoveryAttempter: 0x28348f300>
NSErrorFailingURLStringKey https://cloud.my.domain/login/challenge/totp?redirect_url=/login/flow/grant?[...]
NSErrorFailingURLKey https://cloud.my.domain/login/challenge/totp?redirect_url=/login/flow/grant?[...]

The weird thing is that after I click "OK", it displays Nextcloud as a logged-in website; it just doesn't actually link it to the app.

Sign-in for non-2FA accounts works fine.

Security Setups and Warnings says "all checks passed"

Server configuration

Unraid with Nextcloud in Docker and Nginx Proxy Manager

https://cloud.my.domain --> Nginx Proxy Manager (with Let's Encrypt certificate, force HTTPS, HTTP/2, HSTS, webfinger etc. specified according to the Nextcloud documentation) --> http://192.168.xx.yy:httpport

Version: (see admin page)
25.0.3

Updated from an older version or fresh install:
fresh install, restored from previous server running on Ubuntu, also version 25.0.3 though

The content of config/config.php:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'id',
  'passwordsalt' => 'salt',
  'secret' => 'secret',
  'trusted_domains' => 
  array (
    0 => '192.168.xx.yy:port',
    1 => 'cloud.my.domain',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.xx.yy',
  ),
  'overwrite.cli.url' => 'https://cloud.my.domain',
  'dbtype' => 'mysql',
  'version' => '25.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'ip',
  'dbport' => 'port',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dbuser',
  'dbpassword' => 'dbpasswd',
  'installed' => true,
  'overwriteprotocol' => 'https',
  'default_phone_region' => 'DE',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);

mmccarn commented May 21, 2024

This is an old issue, but...

Lessons learned using nextcloud behind a cloudflare proxy:

  • trusted_domains
    • Include any IPs or DNS names that might be used to access Nextcloud
  • trusted_proxies
    • Include proxy IPs as seen by the Nextcloud server
  • forwarded_for_headers
    • Specify the headers added by the proxy to indicate the user's actual IP address

Comments specific to this issue:

  • If the nginx proxy is really on the same host as nextcloud ("192.168.xx.yy" as indicated in the supplied config.php), then the value under trusted_proxies might need to be "127.0.0.1" instead of 192.168.xx.yy
  • nginx may need configuration modifications to correctly report the user's IP address.
  • "remoteAddr" in the nextcloud log will be the user's IP when the configuration is correct (and will be the proxy IP if not)

Working Config
For reference, here is the config that works for me with TOTP behind a cloudflare proxy

  • 192.168.1.1 is listed under trusted_proxies because it still serves as a WAF/Proxy if cloudflare is disabled or bypassed.
  • The forwarded_for_headers section may not be required if the proxy uses only X-Forwarded-For
  'trusted_domains' => 
  array (
    0 => '192.168.1.7',
    1 => 'nextcloud.redacted.tld',
    2 => 'redacted.dyndns.org',
    3 => '192.168.1.89',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.1.1',
    1 => '173.245.48.0/20',
    2 => '103.21.244.0/22',
    3 => '103.22.200.0/22',
    4 => '103.31.4.0/22',
    5 => '141.101.64.0/18',
    6 => '108.162.192.0/18',
    7 => '190.93.240.0/20',
    8 => '188.114.96.0/20',
    9 => '197.234.240.0/22',
    10 => '198.41.128.0/17',
    11 => '162.158.0.0/15',
    12 => '104.16.0.0/13',
    13 => '104.24.0.0/14',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
    16 => '2400:cb00::/32',
    17 => '2606:4700::/32',
    18 => '2803:f800::/32',
    19 => '2405:b500::/32',
    20 => '2405:8100::/32',
    21 => '2a06:98c0::/29',
  ),
  // key uses underscores; PHP exposes the CF-Connecting-IP header as $_SERVER['HTTP_CF_CONNECTING_IP']
  'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_CF_CONNECTING_IP',
  ),
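As an added example (not Nextcloud's own code, and not from either poster), here is a small Python model of the proxy-trust rule the comment above describes: a forwarded-for header is honoured only when the connecting peer (REMOTE_ADDR) is listed in trusted_proxies, otherwise the peer address itself becomes the client IP, which is exactly what "remoteAddr" in the log then shows. It also shows how PHP turns a header name such as CF-Connecting-IP into the $_SERVER key used in forwarded_for_headers. The client and proxy addresses are constructed sample values; the 173.245.48.0/20 range is taken from the posted config. The model picks the rightmost hop in the header that is not itself a trusted proxy; a real implementation may choose a different hop, so treat it as an illustration of the trust boundary rather than of Nextcloud's exact parsing.

```python
# Added example, not Nextcloud's code: model of "trust forwarded headers only from
# a trusted proxy". All addresses are constructed sample values.
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip(text: str) -> Optional[IPAddr]:
    """Parse one address, tolerating bracketed IPv6 ("[2001:db8::9]"); None if invalid."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_trusted_proxy(addr: str, trusted_proxies: List[str]) -> bool:
    """True if addr equals a listed proxy IP or lies inside a listed CIDR range."""
    ip = parse_ip(addr)
    if ip is None:
        return False
    for entry in trusted_proxies:
        try:
            # a bare IP parses as a /32 or /128 network; v4/v6 mismatches are simply False
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # malformed entry: never trust by accident
    return False


def php_server_key(header_name: str) -> str:
    """How PHP exposes a request header in $_SERVER: CF-Connecting-IP -> HTTP_CF_CONNECTING_IP."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def resolve_client_ip(server: Dict[str, str], config: Dict) -> str:
    """Return the address the application should record as the client (remoteAddr)."""
    remote = server.get("REMOTE_ADDR", "")
    trusted = config.get("trusted_proxies", [])
    if not is_trusted_proxy(remote, trusted):
        # Peer is not a known proxy: any forwarded header is client-controlled, ignore it.
        return remote
    for key in config.get("forwarded_for_headers", ["HTTP_X_FORWARDED_FOR"]):
        value = server.get(key)
        if not value:
            continue
        hops = [h.strip() for h in value.split(",") if h.strip()]
        # Walk right to left: the rightmost hop that is not itself a trusted proxy
        # is the address the first trusted proxy actually saw.
        for hop in reversed(hops):
            ip = parse_ip(hop)
            if ip is not None and not is_trusted_proxy(hop, trusted):
                return str(ip)
    return remote


def diagnose(server: Dict[str, str], config: Dict) -> str:
    """One-line verdict mirroring the comment's check on 'remoteAddr' in the log."""
    remote = server.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote, config.get("trusted_proxies", [])):
        return (f"forwarded headers ignored, remoteAddr = {remote}; if that is your proxy, "
                f"add it to trusted_proxies (127.0.0.1 when the proxy runs on the same host)")
    return f"remoteAddr = {resolve_client_ip(server, config)} (client address)"


if __name__ == "__main__":
    # Proxy on the same host as the application: the peer is loopback, not the LAN IP.
    request = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.5"}
    print(diagnose(request, {"trusted_proxies": ["192.168.10.20"]}))  # proxy IP logged
    print(diagnose(request, {"trusted_proxies": ["127.0.0.1"]}))      # client IP logged

    # Cloudflare-style chain: client -> CF edge (listed range) -> local WAF 192.168.1.1 -> app
    cf_config = {"trusted_proxies": ["192.168.1.1", "173.245.48.0/20"],
                 "forwarded_for_headers": ["HTTP_X_FORWARDED_FOR",
                                           php_server_key("CF-Connecting-IP")]}
    cf_request = {"REMOTE_ADDR": "192.168.1.1",
                  "HTTP_X_FORWARDED_FOR": "203.0.113.5, 173.245.48.10"}
    print(resolve_client_ip(cf_request, cf_config))  # 203.0.113.5
```

Running the script prints the misconfigured and corrected verdicts for the same-host case, then the client address recovered through the Cloudflare chain; a direct connection from an unlisted address with a forged X-Forwarded-For header falls through to REMOTE_ADDR, which is the property that makes the trusted_proxies list worth keeping tight.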
