Ns8 traefik forwardedHeaders

i,m running my first ns8 cluster with wordpress behind a external reverse proxy.
i have noticed that al traffic comes from the proxy server and wordfence is complaining about the fact not resolving the right ip’s.
In the config of traefik i cannot find the configuration for forwarding headers.
More people experiencing the same?

Hello @jgelauff welcome back to Nethserver community.

What external proxy are you using?

How did you install your WordPress, though the App on software center, or through the web server app?

the issue seems to be known:

1 Like

Thanks both for raising the issue (and for adding the card reference here)!

Any progress here, or does someone know how to manually configure the trusted IP for forwarding headers in traefik?
I would like to use NS8 behind another reverse proxy and this issue seems to basically block it.

Thank you!

1 Like

It would be nice if this could be fixed, I have the same issue with an Nextcloud instance.

Not sure who is going to play nice. It seems more and more you have to pay to get ‘nice’, YMMV’

i have modified /home/traefik*/.config/state/traefik.yaml and added the bold lines. for now it’ s working for me.

entryPoints:
http:
address: “:80”
forwardedHeaders:
trustedIPs: ip of proxy
https:
address: “:443”
forwardedHeaders:
trustedIPs: ip of proxy

2 Likes

Thanks.
This is working for me, but I will do some testing

Hopely this can me added to the UI as a setting

entryPoints:
  http:
   address: ":80"
   forwardedHeaders:
      trustedIPs: 
        - "192.168.1.1"
        - "127.0.0.1/24"
  https:
   address: ":443"
   forwardedHeaders:
      trustedIPs: 
        - "192.168.1.1"
        - "127.0.0.1/24"

With Nextcloud the forwarded IP is not visible in the logs
I still see 127.0.0.1 as IP when a user connects

I’m not running nextcloud yet on ns8 but do you have also configured trusted proxies in the nextcloud config?
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html

1 Like

The traefik log is showing the correct forwarded IP, but the Nextcloud not.
I think is because it is a dockered ssytem ?

2024-11-10T10:57:45+01:00 [1:nextcloud1:nextcloud-app] 127.0.0.1 -  10/Nov/2024:09:57:45 +0000 "GET /index.php" 303
2024-11-10T10:57:45+01:00 [1:traefik1:traefik] 192.168.1.228 - - [10/Nov/2024:09:57:45 +0000] "GET /core/preview?fileId=704&x=32&y=32&mimeFallback=true&a=0 HTTP/1.1" 303 0 "-" "-" 1241 "nextcloud1-https@file" "http://127.0.0.1:20017" 173ms
2024-11-10T10:57:45+01:00 [1:traefik1:traefik] 192.168.1.228 - - [10/Nov/2024:09:57:45 +0000] "GET /core/preview?fileId=705&x=32&y=32&mimeFallback=true&a=0 HTTP/1.1" 303 0 "-" "-" 1240 "nextcloud1-https@file" "http://127.0.0.1:20017" 174ms
2024-11-10T10:57:45+01:00 [1:traefik1:traefik] 192.168.1.228 - - [10/Nov/2024:09:57:45 +0000] "GET /core/img/filetypes/application-pdf.svg HTTP/1.1" 200 564 "-" "-" 1247 "nextcloud1-https@file" "http://127.0.0.1:20017" 1ms
2024-11-10T10:57:45+01:00 [1:nextcloud1:nextcloud-app] 127.0.0.1 -  10/Nov/2024:09:57:45 +0000 "GET /index.php" 303
2024-11-10T10:57:45+01:00 [1:nextcloud1:nextcloud-app] 127.0.0.1 -  10/Nov/2024:09:57:45 +0000 "GET /index.php" 303

crowdsec is working and banning since i changed traefik.yaml

i installed a new cluster with nextcloud as app. I noticed that nextcloud is logging the right ip if there is a wrong login attempt. I wil look into it further (next week) because i want to migrate from ns7

2024-11-10T17:37:55+01:00 [1:nextcloud2:nextcloud-app] NOTICE: PHP message: [nextcloud][no app in context][2] {"reqId":"Ng974RyRbd2jsRX9NUS4","level":2,"time":"2024-11-10T16:37:55+00:00","remoteAddr":"92.60.40.204","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 92.60.40.204)","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0","version":"28.0.9.1","data":[]}
2024-11-10T17:37:58+01:00 [1:nextcloud2:nextcloud-app] 127.0.0.1 -  10/Nov/2024:16:37:53 +0000 "POST /index.php" 303
2024-11-10T17:37:59+01:00 [1:nextcloud2:nextcloud-app] 127.0.0.1 -  10/Nov/2024:16:37:59 +0000 "GET /index.php" 200

Nobody with nethsecurity as proxy experiencing the same?

I’m using Nethsecurity as proxy.

I see the login attempts in nextcloud log

2024-11-10T18:20:26+01:00 [1:nextcloud1:nextcloud-app] NOTICE: PHP message: [nextcloud][user_ldap][2] {"reqId":"CQri2pD5dOrLXEswBX9r","level":2,"time":"2024-11-10T17:20:26+00:00","remoteAddr":"77.63.5.25","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1","version":"28.0.9.1","data":{"app":"user_ldap"}}
2024-11-10T18:20:26+01:00 [1:nextcloud1:nextcloud-app] NOTICE: PHP message: [nextcloud][user_ldap][2] {"reqId":"CQri2pD5dOrLXEswBX9r","level":2,"time":"2024-11-10T17:20:26+00:00","remoteAddr":"77.63.5.25","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1","version":"28.0.9.1","data":{"app":"user_ldap"}}
2024-11-10T18:20:26+01:00 [1:nextcloud1:nextcloud-app] NOTICE: PHP message: [nextcloud][no app in context][2] {"reqId":"CQri2pD5dOrLXEswBX9r","level":2,"time":"2024-11-10T17:20:26+00:00","remoteAddr":"77.63.5.25","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: patrick (Remote IP: 77.63.5.25)","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1","version":"28.0.9.1","data":[]}

Tried a few time to login with wrong password, but Crowdsec is not blocking the IP

i have no luck so far, tried different settings in nginx and nextcloud but nextcloud logs only 127.0.0.1 except failed login. Alsof changed trusted proxies settings in ns config to an array. But we investigate further.

1 Like

Any luck with Nextcloud to get the correct IP in the logs?