Double reverse proxy Nextcloud instance on NS 8

NethServer Version: 8
Module: Nextcloud

Hello NethServer experts!

As I understand it, NS8 is using a reverse proxy (Traefik) to allow multiple instances of a module, for example Nextcloud. This is a very nice feature.

However, in my case, I already have a reverse proxy on the same side of the firewall as my NS8 node. It serves as my single entry point for 80 and 443 connections.

My question therefore is, how do I “double” reverse proxy a Nextcloud instance running on NS8?

I tried to open the firewall to my “nextcloud1” URL http://127.0.0.1:20011, but I believe that it is also necessary to make certain configurations to Nextcloud itself (trusted_proxies), and I am unsure about how such “tweaking” is best done on NS8 (so that it will, e.g., survive a future upgrade or backup of the module).

Thank you for your advice!

I don’t think that you need a special configuration on the reverse proxy.
It should be enough to reverse proxy to the NS8 IP like http(s)://192.168.0.1.

Anyway, for tweaking Nextcloud including persistence you could use occ:

runagent -m nextcloud1 occ

Example to output the trusted_proxies:

runagent -m nextcloud1 occ config:system:get trusted_proxies

I got 2 entries, so array 0 and 1 are already used. To add a trusted proxy to array 2:

runagent -m nextcloud1 occ config:system:set trusted_proxies 2 --value=192.168.0.1

Delete a trusted proxy from array 2:

runagent -m nextcloud1 occ config:system:delete trusted_proxies 2

See also Using the occ command — Nextcloud latest Administration Manual latest documentation and GitHub - NethServer/ns8-nextcloud: Nextcloud module for NS8

Thank you so much for your quick response! It sure looks as if I was trying to over-complicate things… A simple reverse proxy to the NS8 IP worked indeed without a problem.

Thank you also for pointing me to the occ command. I should be in good shape now!

1 Like

Hello Markus -

It seems that the method outlined above for setting trusted_proxies does not work, or is not sufficient.

With my additional proxy (Traefik) pointing to the NS8 server, Nextcloud fundamentally operates, but its security check complains as follows:

Your remote address was identified as “192.168.20.35” and is brute-force throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. […].

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. […]

When I query the list of trusted proxies I get no result.

runagent -m nextcloud1 occ config:system:get trusted_proxies

So I went ahead and added my Traefik proxy as follows:

runagent -m nextcloud1 occ config:system:set trusted_proxies 0 --value=192.168.20.35

And verified the updated setting with

runagent -m nextcloud1 occ config:system:get trusted_proxies

But, even after a reboot, the Nextcloud security check still reports the same error and warning.

Would you have any other suggestions for things to try? Thank you in advance!

I think this Ns8 traefik forwardedHeaders is related.
Traefik on ns8 core is not forwarding headers, so nextcloud and all other apps only see your proxy IP.

1 Like
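
The header handling this reply refers to, as an added example that is not part of the thread and is not NS8, Traefik or Nextcloud code: a simplified Python model of a two-proxy chain, showing why the application keeps seeing 192.168.20.35 until the inner proxy trusts forwarded headers from the outer one. The inner proxy address 10.0.2.100 and the client addresses are constructed, and the right-to-left resolution rule is an assumption of the model.

```python
import ipaddress

OUTER = "192.168.20.35"   # additional Traefik proxy, address taken from the thread
INNER = "10.0.2.100"      # NS8-side proxy as seen by the app (constructed, assumed)
CLIENT = "203.0.113.7"    # real client (constructed)

def is_trusted(ip, trusted):
    """True if ip is inside any address or CIDR range in trusted; junk is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)

def split_chain(xff):
    return [p.strip() for p in (xff or "").split(",") if p.strip()]

def proxy_hop(peer_ip, incoming_xff, trusted_upstreams):
    """X-Forwarded-For a proxy sends on: the incoming chain survives only from a trusted peer."""
    chain = split_chain(incoming_xff) if is_trusted(peer_ip, trusted_upstreams) else []
    return ", ".join(chain + [peer_ip])

def resolve_client(remote_addr, xff, trusted_proxies):
    """Address the application attributes the request to."""
    chain = split_chain(xff)
    if not chain or not is_trusted(remote_addr, trusted_proxies):
        return remote_addr            # header ignored unless the direct peer is trusted
    for hop in reversed(chain):       # nearest hop first
        if not is_trusted(hop, trusted_proxies):
            return hop                # first address no trusted proxy vouches for
    return chain[0]                   # only proxies in the chain: client address was lost

def simulate(client_xff, inner_trusted, app_trusted):
    """client -> OUTER -> INNER -> application; returns the address the app records."""
    xff = proxy_hop(CLIENT, client_xff, [])       # edge proxy trusts no client headers
    xff = proxy_hop(OUTER, xff, inner_trusted)    # inner proxy may drop the chain here
    return resolve_client(INNER, xff, app_trusted)

if __name__ == "__main__":
    print("inner drops headers, app trusts inner      :", simulate(None, [], [INNER]))
    print("inner drops headers, app trusts both       :", simulate(None, [], [INNER, OUTER]))
    print("inner trusts outer, app trusts both        :", simulate(None, [OUTER], [INNER, OUTER]))
    print("same, client sends its own X-Forwarded-For :",
          simulate("198.51.100.9", [OUTER], [INNER, OUTER]))
```

In this model, changing only the application's trusted list leaves the recorded address at the outer proxy; the client address reappears once the inner proxy also accepts the chain from the outer one.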

Hi, Beat Arnet,
Can you please share the relevant part of the reverse proxy config you use?
In this topic I’ve posted mine, but it doesn’t work for me.
My preferred solution is to proxy mydomain.com/nextcloud to NS8 nextcloud (so not the standard nextcloud.mydomain.com, but I guess that is a next step)