NS8 nextcloud invalid proxy configuration

Hello everyone, I use nextcloud and in the summary information the following inscription appears:

The reverse proxy header configuration is incorrect

I think this is an error regarding the HTTP “X-Forwarded-For” header. I’ve tried different configurations by reading a little on the forums, but nothing to do.

Has anyone solved it?

Yes, check this post:

Thanks mark, but the problem is that the reverse proxy is on the pfsense with the valid certificate of the Nextcloud server (ns8), so I should probably intervene on the config.php with the strings that one reads about around this topic. As you can see from the image, I had to activate haproxy on pfsense, as ns8 in addition does not have the possibility of internal aliases related to hostnames, e.g. sn8.internal.lan = myweb.fqdn, myhost2.fqdn, etc. In fact, in the ns8 line I have to define the aliases of ns8 and manage them from there. However, beyond this, the Nextcloud certificate is on the pfsense but also active in LAN for Nextcloud.

I don’t use haproxy but isn’t it just adding the pfsense IP to the environment variable TRUSTED_PROXIES on the NS8 Nextcloud node? I don’t understand the issue regarding the aliases…

I imagined, because it is difficult to explain, but I'll try… For example, my neth7 server has a private address 192.168.3.83/24. The current hostname is neth7.internal.lan. So far everything is normal. In order to make it public with an LE certificate I proceeded as follows :sneezing_face:

1. In the hostname section, activate "add alias", then mynethserver.fqdn.

2. Enabling DNAT on the pfsense firewall for 443 and 80, from WAN > pfsense, and redirecting to neth7.internal.lan.

3. The name, or rather the alias, is fundamental for the LE request, as LE verifies the hostname and the external IP.

4. Enabling a DNS override on pfsense of the hostname neth7.internal.lan to mynethserver.fqdn.

5. In doing so, in LAN I access mynethserver.fqdn with a valid certificate, and from the WAN too the access is always on the same machine.

In NS8 the aliases are therefore not there. To activate on NS8 the 4 servers (glpi, roundcube, nextcloud, wordpress), I had to install haproxy on pfsense, activate the 4 duckdns names and request a certificate for each dynamic address, which, once obtained, stayed inside the pfsense. So it happens that from the WAN, if I call wordpress.duckdns (it’s an example), haproxy responds with the frontend and its ACL, redirected to the NS8 server, which responds with its declared virtualhost for each app server.

I know that what I wrote may be confusing, but that’s how it is!

This configuration was mandatory because I have a dynamic IP with NAT and the servers are only in LAN.


This is what I mean alias and thanks to this and the ability to add more as you see , I can manage the server as I want .

I don’t really see why this is necessary…

My clients access internally and externally with the same FQDN - and get a correct LE cert.
→ It works !!!

No matter if using a dynamic IP or a static IP for the clients' access to the server, always on premise.

PM me if you need help with this.

My 2 cents
Andy

Hi Andy, does your WAN configuration have an ip pool or just one of the nat type and behind a router?

Hi @france

All with more than one IP (a pool) have static IPs.
But I can also handle those easily… :slight_smile:

Otherwise, NAT behind Firewall (OPNsense), for both static and dynamic IP(s).

My 2 cents
Andy

I meant from the wan header of the wan network.

Internally, I always use my own internal IP network.
NAT is a must, yes.

But if I ever have to change provider, it’s only a few rules on the firewall, no need to touch any server… :slight_smile:

The internal aliases in NS7 and NS8 are configured in /etc/hosts.
Isn’t it just adding the alias names like:

192.168.0.1 ns8.domain.tld ns8.alias1 ns8.alias2

were actually done from Cockpit, no real manual file editing needed… :slight_smile:
(But yes, only for NS7 itself, not for other hosts…)

Yes, in NS7 it’s done from cockpit, but @france needs aliases in NS8!

I know, just a small reminder of what’s still needed in NS8… :slight_smile:

Yes mark, but I believe that… in hosts this is declared. :sneezing_face:

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#

In addition, in the hosts file, at least in my NS7, I also find the definition of the hosts reserved in DHCP:

w11 PRO

192.168.3.178 w11pro.internal2.lan

Epever Pc

192.168.3.156 w7pro-PC.internal2.lan

W10 minis

192.168.3.183 win10minis.internal2.lan

Sorry, I think you misunderstood me. I just wanted to tell you that you can edit the /etc/hosts in NS8 and add aliases as you like.

Ok, I had already seen and tried some time ago. I don’t remember why, after modifying the host file, I didn’t get what I wanted.

I fixed the problem of the Nextcloud error for NS8 related to the wrong configuration of the reverse proxy (in my case haproxy). The change I made is to add the FQDN of the reverse proxy.

'trusted_proxies' => 
  array (
    0 => '192.168.3.0/24',
    1 => '192.168.1.2',
    2 => '127.0.0.1',
    3 => 'localhost',
    4 => '::1',
    5 => 'myproxyha.domain.fqdn',
  ),

This configuration worked in my NS8 computing context.

1 Like
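
Added example, not part of the thread and not Nextcloud's code: a simplified Python model of how a trusted-proxy list decides whether X-Forwarded-For is believed, run against the trusted_proxies list from the last post to show why the list is best limited to the proxy's own address. The right-to-left header walk, the sample addresses 203.0.113.7 and 192.168.3.50, the assumption that 192.168.1.2 is the HAProxy host, and the skipping of non-IP entries are assumptions of this model.

```python
import ipaddress

def parse_trusted(entries):
    """Keep IP/CIDR entries; hostnames are skipped in this model (assumption)."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # e.g. 'localhost' or an FQDN
    return nets

def is_trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def client_ip(remote_addr, xff, trusted_entries):
    """Effective client address: the header counts only if the direct peer is trusted."""
    nets = parse_trusted(trusted_entries)
    if not xff or not is_trusted(remote_addr, nets):
        return remote_addr
    # Walk right to left, skipping hops that are themselves trusted proxies.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if is_trusted(hop, nets):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            continue  # malformed hop, ignore it
    return remote_addr

def audit(trusted_entries):
    """Flag entries that are not IP/CIDR or that cover more than one host."""
    findings = []
    for entry in trusted_entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not an IP/CIDR"))
            continue
        if net.num_addresses > 1:
            findings.append((entry, f"range of {net.num_addresses} addresses"))
    return findings

# List from the post, and a narrowed list (assumption: 192.168.1.2 is the proxy).
BROAD = ["192.168.3.0/24", "192.168.1.2", "127.0.0.1", "localhost", "::1",
         "myproxyha.domain.fqdn"]
NARROW = ["192.168.1.2"]
```

With `BROAD`, a request arriving directly from any 192.168.3.x host is logged and rate-limited under whatever address its X-Forwarded-For header names; with `NARROW`, only the proxy's header is believed.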