NS8 nextcloud invalid proxy configuration

Hello everyone, I use nextcloud and in the summary information the following inscription appears:

The reverse proxy header configuration is incorrect

I think this is an error regarding HTTP “X-Forwarded-For” . I’ve tried different configurations by reading a little on the forums, but nothing to do.

Has anyone solved it?

Yes, check this post:

Thanks mark , but the problem is that the reverse proxy is on the pfsense with the valid certificate of the nextcloud server ( ns8) , so I should probably intervene on the config.php with the strings that are read around about this topic . As you can see from the image I had to activate haproxy u pfsense as ns8 in addition to not having the possibility of internal aliases related to hostnames e.g. sn8.internal.lan = myweb.fqdn , myhost2.fqdn , etc. In fact, in the ns8 line I have to define the aliases of ns8 and manage them from there. However, beyond this the nexcloud certificate is on the pfsense but also active in lan for nextcloud.

I don’t use haproxy but isn’t it just adding the pfsense IP to the environment variable TRUSTED_PROXIES on the NS8 Nextcloud node? I don’t understand the issue regarding the aliases…

I imagined, because it is difficult to explain, but I try … For example, my neth7 server, has a private address . The current hostname sound is that of neth7.internal.lan . So far everything is normal. In order to make it public with an LE certificate I proceeded as follows :sneezing_face:

    • Activate in the hostname section add alias , then mynethserver.fqdn
  1. Enabling dnat from the pfsense 443 and 80 firewall from wan > pfsense and redirect to neth7.internal.lan .

3 . The name or rather the alias is fundamental for the LE request as LE goes the verification of the hostnam and the external ip .

4 . Enabling dnsoveride on pfsense of the hostname neth7.internal.lan in mynethserver.fqn .

5 . In doing so in lan I access mynethserver.fqdn with a valid certificate and both from the wan the access is always on the same machine.

In Ns8 the aliases are therefore not there to activate on ns8 the 4 servers glpi , roundcube , nextcloud , wordpress , I had to install haproxy on pfsense , activate the 4 names duckdns and request for each dynamic address a certificate that obtained , remained in the belly in the pfsense . So it happens that from the wan if I call wordpress.duckdns (it’s an example) , haproxy responds with the frontend and its acl , hijacked on the ns8 server which responds responds with its declared virtualhost for each app server.

I know that what I wrote may be confusing, but that’s how it is!

This configuration was mandatory because I have a dynamic ip with nat and the servers are only in lan

1 Like

This is what I mean alias and thanks to this and the ability to add more as you see , I can manage the server as I want .

I don’t really see why this is necessary…

My clients access internally and externally with the same FQDN - and get a correct LE cert.
→ It works !!!

No matter if using a dynamic IP or a static IP for the clients acces to the server, always on premise.

PM me if you need help with this.

My 2 cents

Hi Andy, does your WAN configuration have an ip pool or just one of the nat type and behind a router?

Hi @france

All with more than one IP (a pool) have static Ips.
But I can also handle those easily… :slight_smile:

Otherwise, NAT behind Firewall (OPNsense), for both static and dynamic IP(s).

My 2 cents

I meant from the wan header of the wan network.

Internally, I always use my own internal IP network.
NAT is a must, yes.

But if I ever have to change provider, it’s only a few rules on the firewall, no need to touch any server… :slight_smile:

The internal aliases in NS7 and NS8 are configured in /etc/hosts.
Isn’t it just adding the alias names like: ns8.domain.tld ns8.alias1 ns8.alias2

were actually done from Cockpit, no real manual file editing needed… :slight_smile:
(But yes, only for NS7 iteslf, not for other hosts…)

Yes, in NS7 it’s done from cockpit, but @france needs aliases in NS8!


I know, just a small reminder of what’s still needed in NS8… :slight_smile:

1 Like

Yes mark , but I believe that … in host this is declared. :sneezing_face:

# ================= DO NOT MODIFY THIS FILE =================
# Manual changes will be lost when this file is regenerated.
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org

In addition, in the hosts file at least in my ns7 I also find the definition of the hosts booked in DHCP

w11 PRO w11pro.internal2.lan

Epever Pc w7pro-PC.internal2.lan

W10 minis win10minis.internal2.lan

Sorry, I think you misunderstood me. I just wanted to tell you that you can edit the /etc/hosts in NS8 and add aliases as you like.

Ok, I had already seen and tried some time ago. I don’t remember why, after modifying the host file, I didn’t get what I wanted.

1 Like

I fixed the problem of the nexrcloud error for ns8 related to the wrong configuration of the reverse proxy ( in my case haproxy ) . The change I made is to add the fqdn name of the reverse proxy .

'trusted_proxies' => 
  array (
    0 => '',
    1 => '',
    2 => '',
    3 => 'localhost',
    4 => '::1',
    5 => 'myproxyha.domain.fqdn',

This configuration worked in my NS8 computing context.

1 Like