Config 'trusted_proxies'. Allow networks with CIDR #6550

Closed
marvinwankersteen opened this issue Sep 18, 2017 · 7 comments

marvinwankersteen commented Sep 18, 2017

Steps to reproduce

  1. Add config 'trusted_proxies' with IP like '10.42.0.0/16'
  2. Add config 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),

Expected behaviour

The real IP should be logged.

Actual behaviour

The IP of the reverse proxy is logged.

Server configuration

Operating system:
Official docker-image

Web server:
Official docker-image

Database:
MySQL

PHP version:

Nextcloud version: (see Nextcloud admin page)
12.0.2

Where did you install Nextcloud from:
Docker

Signing status:
No errors have been found.

We are using Rancher in our environment. In front of Nextcloud is an nginx reverse proxy. In Rancher, any container gets a random IP from the internal Rancher network 10.42.0.0/16. If the reverse proxy is restarted, the container gets a new random IP from 10.42.0.0/16.

Is it possible to allow whole networks in the format 10.42.0.0/16 in the 'trusted_proxies' config? Currently I would have to write all IPs from 10.42.0.0/16 in the array, and this is too much.
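Added example, not part of the original report and not Nextcloud's code: a Python illustration of how a CIDR-aware trusted-proxy check resolves the client address when the proxy can hold any address in 10.42.0.0/16. The function names, the right-to-left walk of X-Forwarded-For and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# 10.42.0.0/16 is the Rancher network from the report; all other
# addresses used with this code are constructed documentation samples.
TRUSTED_PROXIES = ["10.42.0.0/16"]


def is_trusted(addr, trusted):
    """True if addr equals a trusted entry or lies inside a trusted CIDR range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    for entry in trusted:
        # strict=False also accepts entries with host bits set (10.42.0.1/16)
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def client_ip(remote_addr, forwarded_for, trusted=TRUSTED_PROXIES):
    """Resolve the address to log and to feed into brute-force throttling.

    remote_addr   -- TCP peer seen by the application (REMOTE_ADDR)
    forwarded_for -- raw X-Forwarded-For header value, or None
    """
    # Honour the header only when the direct peer is a trusted proxy;
    # otherwise any client could claim an arbitrary address.
    if not forwarded_for or not is_trusted(remote_addr, trusted):
        return remote_addr
    # Each proxy appends the peer it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr  # every listed hop was a trusted proxy
```

Trusting a whole /16 means every container on that network can set the logged address, so the range should cover only networks where untrusted workloads cannot reach the application directly.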

jowenn commented Dec 6, 2017

This missing feature is quite annoying with docker swarm mode, since all logins get delayed because the brute force detection only sees the proxy, which has a dynamic IP address.

hannut commented Jan 18, 2018

I stumbled upon this same problem with a docker/traefik/letsencrypt combination.

svengo commented Mar 29, 2018

I have the same problem (docker-compose/traefik/letsencrypt) - and we're not the only ones: nextcloud/docker#294

sehucke commented May 8, 2018

Any news on this?
The only workaround so far is to use a static IP for the reverse proxy.

nextcloud-bot added the "stale" label (Ticket or PR with no recent activity) on Jun 20, 2018
@olivermg
Member

We're also running into this issue currently.

Any news?

nextcloud-bot removed the "stale" label (Ticket or PR with no recent activity) on Oct 11, 2018

sehucke commented Oct 11, 2018

Seems this is not the case. I still face this issue, too. I had no time to work around it, though.

My idea: Starting a sidekick container on proxy bootup to alter the NC config entry. Just wondering if this is a secure way to approach the issue...

sehucke commented Oct 11, 2018

In addition, if you are using Kubernetes, I would think of using ConfigMaps/Secrets to populate your NC config at start time.
