Error on reverse proxy header configuration after update to 28 about docker HOT 9 CLOSED

thanks @joshtrichards it looks it's a default application, setup by nextcloud at install since v25 as explained in https://github.com/nextcloud/suspicious_login
I deactivated it.

from docker.

What proxy do you use ?

from docker.

I'm using an apache2 proxy and its setup is:

Define NCInternalURI http://<my internal IP>:8081

<VirtualHost *:443>
  SSLProxyEngine on
  ServerName nextcloud.<my domain>
  DocumentRoot /var/none
  ServerAdmin <my email>

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

  # enable HTTP/2, if available
  Protocols h2 http/1.1

  # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
  Header always set Strict-Transport-Security "max-age=63072000"

  CustomLog  ${APACHE_LOG_DIR}/nextcloud-access.log combined
  ErrorLog  ${APACHE_LOG_DIR}/nextcloud-error.log

  LogLevel error ssl:warn
  ProxyPreserveHost On
# no proxy for letsencrypt challenges
  ProxyPass "/.well-known/acme-challenge" !
# special proxy for carddav/caldav
  ProxyPass "/.well-known/carddav" "${NCInternalURI}/remote.php/dav"
  ProxyPass "/.well-known/caldav" "${NCInternalURI}/remote.php/dav"
  ProxyPass "/.well-known/webfinger" "${NCInternalURI}/index.php/.well-known/webfinger"
  ProxyPass "/.well-known/nodeinfo" "${NCInternalURI}/index.php/.well-known/nodeinfo"

  ProxyPass "/" "${NCInternalURI}/"
  ProxyPassReverse "/"  "${NCInternalURI}/"

  RequestHeader set X-Forwarded-Proto "https"
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

</VirtualHost>

from docker.

 'trusted_proxies' =>
   array (
     0 => '192.168.1.254',
     1 => '192.168.1.8',
   ),

What is 192.168.1.254? Is it, by chance, your nearest NAT router and not really your proxy (i.e. it doesn't belong there)?

from docker.

This is my IP set top box address (so my gateway) but it also serves as a NAT router. If you are speaking of the reverse proxy address, it's on the 192.158.1.2 (actually, the same raspberrypi as the one running nextcloud).
I had to add 192.168.1.254 several years ago but I don't remember exactly why (and it used to work with previous versions).
I will try to remove the gateway from the list and see if it works...

from docker.

I tested removing the gateway from the list, leaving only:

   'trusted_proxies' =>
   array (
     0 => '192.168.1.8',
   ),

and the error disappeared, and it looks that I can login from both my internal network and from my smartphone on 5G.

But, I still don't get why it used to work and it doesn't anymore.
Is it a breaking change in nextcloud server 28 or in the image, I don't know...
Anyway, thanks a lot @joshtrichards

from docker.

But, I still don't get why it used to work and it doesn't anymore.
Is it a breaking change in nextcloud server 28 or in the image, I don't know...

The checks may have gotten better. They were migrated to a newer API recently and I haven't reviewed the latest iteration in-depth. The configuration situation you just described technically would have always been an issue, but maybe just wasn't detected previously. Glad it's working cleanly for you!

from docker.

Here is the reason why I added the gateway in the list of trusted proxies:

How can I get rid of this issue w/o doing this way?

from docker.

@leolivier It looks like you have the optional suspicious_login app enabled. Maybe you simply disable it if not using it? Otherwise it's theoretically just doing what it's supposed to: https://github.com/nextcloud/suspicious_login I suggest following up there or the Nextcloud Help Forum - https://help.nextcloud.com

from docker.