Inconsistent reverse proxy header configuration warning #107

lars-sh opened this issue Apr 27, 2021 · 5 comments
Labels
question Further information is requested

lars-sh commented Apr 27, 2021

Steps to reproduce

  1. Define the config property trusted_proxies using e.g. array('127.0.0.1', '::1', '<your public IP>')
  2. Go to Nextcloud > Settings > Overview
  3. You might see the warning The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation ↗.

Expected behaviour

The warning either appears or does not appear, but has a consistent behaviour, independent of where I access Nextcloud from.

Actual behaviour

The above-mentioned warning either appears or does not appear based on my remote IP. When accessing the settings from somewhere in the network in which the Nextcloud is installed, I see the warning. When accessing from outside (e.g. using phone network), I don't see it.

This seems to be related to the code line https://github.com/nextcloud/server/blob/0e6e80aaec387ccb91f142f61944098b05ddc817/apps/settings/lib/Controller/CheckSetupController.php#L323 and might be related to nextcloud/server#26256.

Server configuration

Operating system: Ubuntu 20.04

Web server: Apache 2

Database: MySQL

PHP version: 7.4.3

Nextcloud version: 21.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated each major version

Where did you install Nextcloud from: Manual installation

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

Enabled:

  • accessibility: 1.7.0
  • activity: 2.14.3
  • apporder: 0.12.0
  • bookmarks: 4.1.0
  • calendar: 2.2.1
  • cloud_federation_api: 1.4.0
  • comments: 1.11.0
  • contacts: 3.5.1
  • contactsinteraction: 1.2.0
  • dav: 1.17.1
  • deck: 1.4.1
  • extract: 1.3.1
  • federatedfilesharing: 1.11.0
  • federation: 1.11.0
  • files: 1.16.0
  • files_antivirus: 3.2.0
  • files_linkeditor: 1.1.5
  • files_markdown: 2.3.3
  • files_pdfviewer: 2.1.0
  • files_rightclick: 1.0.0
  • files_sharing: 1.13.1
  • files_trashbin: 1.11.0
  • files_versions: 1.14.0
  • files_videoplayer: 1.10.0
  • firstrunwizard: 2.10.0
  • forms: 2.2.4
  • impersonate: 1.8.0
  • logreader: 2.6.0
  • lookup_server_connector: 1.9.0
  • mail: 1.9.5
  • maps: 0.1.8
  • metadata: 0.13.0
  • nextcloud_announcements: 1.10.0
  • notifications: 2.9.0
  • notify_push: 0.1.7
  • oauth2: 1.9.0
  • password_policy: 1.11.0
  • photos: 1.3.0
  • polls: 1.8.3
  • previewgenerator: 3.1.1
  • privacy: 1.5.0
  • provisioning_api: 1.11.0
  • ransomware_protection: 1.10.0
  • recommendations: 1.0.0
  • richdocuments: 4.0.4
  • serverinfo: 1.11.0
  • settings: 1.3.0
  • sharebymail: 1.11.0
  • spreed: 11.1.2
  • support: 1.4.0
  • survey_client: 1.9.0
  • systemtags: 1.11.0
  • text: 3.2.0
  • theming: 1.12.0
  • twofactor_backupcodes: 1.10.0
  • twofactor_email: 2.0.0
  • twofactor_nextcloud_notification: 3.1.2
  • twofactor_totp: 6.0.0
  • updatenotification: 1.11.0
  • viewer: 1.5.0
  • workflowengine: 2.3.0

Disabled:

  • admin_audit
  • bruteforcesettings
  • dashboard
  • encryption
  • files_external
  • issuetemplate
  • notes
  • ransomware_detection
  • sharerenamer
  • tasks
  • user_ldap
  • user_status
  • weather_status

Nextcloud configuration:

Config report

{
    "system": {
        "secret": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "enable_certificate_management": true,
        "instanceid": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.knickrehm.net"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "version": "21.0.1.1",
        "dbtype": "mysql",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "dbtableprefix": "oc_",
        "installed": true,
        "default_language": "de",
        "default_locale": "de",
        "default_phone_region": "DE",
        "overwritehost": "cloud.knickrehm.net",
        "overwriteprotocol": "https",
        "overwritewebroot": "/",
        "overwrite.cli.url": "https://cloud.knickrehm.net",
        "htaccess.RewriteBase": "/",
        "enable_previews": true,
        "maintenance": false,
        "singleuser": false,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "REMOVED SENSITIVE VALUE",
            "port": 0
        },
        "trashbin_retention_obligation": "disabled",
        "versions_retention_obligation": "disabled",
        "filesystem_check_changes": 1,
        "loglevel": 2,
        "logfile": "/mnt/data/logs/cloud/today.log",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_smtpsecure": "tls",
        "mail_smtpport": "25",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpname": "REMOVED SENSITIVE VALUE",
        "mail_smtppassword": "REMOVED SENSITIVE VALUE",
        "mysql.utf8mb4": true,
        "apps_paths": [
            {
                "path": "/knickrehm/www/cloud/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/knickrehm/www/cloud/apps2",
                "url": "/apps2",
                "writable": true
            }
        ],
        "theme": "",
        "trusted_proxies": "REMOVED SENSITIVE VALUE"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

kesselb commented Apr 27, 2021

Do you resolve cloud.knickrehm.net differently in your internal network? We don't support mixing external connections via reverse proxy and direct connections (without reverse proxy).

lars-sh commented Apr 27, 2021

In both cases cloud.knickrehm.net is resolved in the same way.

I just wondered why I set up a reverse proxy, as this installation should be set up without. Indeed, it's not using a reverse proxy and removing the trusted_proxies config entry works just fine: Nextcloud can be accessed as usual and no more warning appears.

But finally the notify_push app fails when executing sudo -u www-data php occ notify_push:self-test.

✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
🗴 push server is not a trusted proxy, please add '91.106.181.164' to the list of trusted proxies or configure any existing reverse proxy to forward the 'x-forwarded-for' send by the push server.
  See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies for how to set trusted proxies.
  The following trusted proxies are currently configured:
  The following x-forwarded-for header was received by Nextcloud: 1.2.3.4
    from the following remote: 91.106.181.164

  If you're having issues getting the trusted proxy setup working, you can try bypassing any existing reverse proxy
  in your setup by setting the `NEXTCLOUD_URL` environment variable to point directly to the internal Nextcloud webserver url
  (You will still need the ip address of the push server added as trusted proxy)

It seems, the notify_push app requires the trusted_proxies array to be present (probably as it's behind a reverse proxy), while Nextcloud itself is not using a reverse proxy and does not like the config entry.
OK, that's one problem and should probably be clarified by the notify_push team.

Though I still wonder, why Nextcloud sometimes raises that warning (when working from within the Nextcloud network) and sometimes it's not raising that warning (when working from "outside").

kesselb commented Apr 28, 2021

cc @icewind1991

@sinichi19

May I know if this is critical? Because if yes, I will not use notify push for now.

Because I only saw that warning after installing notify push (HPB).

Thank you

szaimen transferred this issue from nextcloud/server Jun 25, 2021

palto42 commented Oct 2, 2021

I have the same issue on latest NC 22.2.0 if I connect to the public IP from local network (behind NAT router). My Nginx uses the reverse proxy config for notify_push as per latest documentation and I tried the trusted proxy settings, but no success.
If I access my server from external network, the warning is not shown.
Also saw issue #101 which is supposed to solve this issue if I correctly understand, but it doesn't seem to fully work.
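
Added example, not part of the thread and not Nextcloud or notify_push code: a simplified Python model of a trusted-proxy client-IP resolver, showing why a `trusted_proxies` entry that satisfies the push server's self-test can also trigger the settings warning for requests arriving from that same address. The function names, the address 203.0.113.7, and the assumption that LAN browsers reach the server through NAT with the public IP as source are constructed for illustration.

```python
import ipaddress

def is_trusted(addr, trusted_proxies):
    """True if addr is a valid IP inside any trusted_proxies entry (IP or CIDR)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)

def resolve_client_ip(remote_addr, xff, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy."""
    if not xff or not is_trusted(remote_addr, trusted_proxies):
        return remote_addr
    # Walk right to left; the first hop that is not itself a proxy is the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(hop, trusted_proxies):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed header: fall back to the peer
    return remote_addr

def settings_check_warns(remote_addr, xff, trusted_proxies):
    """Model of the warning: a trusted address connected but forwarded no client."""
    return (is_trusted(remote_addr, trusted_proxies)
            and resolve_client_ip(remote_addr, xff, trusted_proxies) == remote_addr)

def push_self_test_passes(push_ip, trusted_proxies, probe="1.2.3.4"):
    """Model of the self-test: a probe X-Forwarded-For must be honoured."""
    return resolve_client_ip(push_ip, probe, trusted_proxies) == probe

PUBLIC_IP = "91.106.181.164"   # remote address shown in the self-test output
OUTSIDE_IP = "203.0.113.7"     # constructed address for a mobile-network client

def scenarios():
    with_entry = ["127.0.0.1", "::1", PUBLIC_IP]
    return {
        # Assumption: a LAN browser reaches the server via NAT with PUBLIC_IP as source.
        "warn_from_lan": settings_check_warns(PUBLIC_IP, None, with_entry),
        "warn_from_outside": settings_check_warns(OUTSIDE_IP, None, with_entry),
        "self_test_with_entry": push_self_test_passes(PUBLIC_IP, with_entry),
        "warn_without_entry": settings_check_warns(PUBLIC_IP, None, []),
        "self_test_without_entry": push_self_test_passes(PUBLIC_IP, []),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

In this model an untrusted peer's X-Forwarded-For is never honoured, which is the property the warning text is protecting.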

joshtrichards added the "question" (Further information is requested) label Oct 6, 2023