lucaslorentz/caddy-docker-proxy

Trying to use the LinuxServer Nextcloud Docker returns public IPs.

Hacker1245 opened this issue · 6 comments

I am having this problem where all of my login attempts to Nextcloud end up outputting the public IP address.
My proxy docker-compose:

version: "3.7"
services:
  caddy:
    # see here for guidance on which image / tag to choose:
    # https://github.com/lucaslorentz/caddy-docker-proxy#docker-images
    image: lucaslorentz/caddy-docker-proxy:2.8.10
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      caddy:
        ipv4_address: 172.16.0.6
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    restart: unless-stopped

networks:
  caddy:
    external: true

Nextcloud docker-compose:

services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    networks:
      caddy:
        ipv4_address: 172.16.0.7
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Warsaw
    volumes:
      - ./nextcloud:/config
      - /srv/dev-disk-by-uuid-bef15755-0d31-4edf-8d6c-c2d4786b312a/data:/data
    labels:
      caddy: example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.header.Strict-Transport-Security: '"max-age=15552000;"'
      caddy.rewrite_0: /.well-known/carddav /remote.php/dav
      caddy.rewrite_1: /.well-known/caldav /remote.php/dav
    links:
      - db

networks:
  caddy:
    external: true

This is all running on an OpenMediaVault 6.9.11-3 server with the openmediavault-compose plugin. I use DuckDNS for the domain.

Hey, I didn't understand the issue. Maybe I'm lacking knowledge about Nextcloud. Can you please explain the IP problem a bit further?

Some questions I have:

  • Where does it return the public IP?
  • Is that some IP allowlisting feature from Nextcloud?
  • Which IP did you expect if not the public IP?

Where does it return the public IP?

In both the Nextcloud logs and Caddy's logs.

Is that some IP allowlisting feature from Nextcloud?

It's a brute force protection feature: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/bruteforce_configuration.html
Maybe I misconfigured something here.

Which IP did you expect if not the public IP?

The IP of the client that's accessing it, otherwise I end up brute-force throttling my entire public IP.

Thanks for clarifying.
Getting real IP addresses in upstreams is a bit difficult because there are too many things that would affect the IP.
I think you will have to diagnose to pinpoint exactly where the IP is being lost.

It could be lost in the Docker network; bind the CDP container directly to host ports to prevent it: #406 (comment)
That way you remove any hops between your host and the CDP container.

Caddy by default sends transparent proxy headers (X-Forwarded-...), so if Caddy receives the original IP it will be sent to Nextcloud, but you need to configure Nextcloud to trust the headers from Caddy. The config name is trusted_proxies: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/reverse_proxy_configuration.html

It could also be some load balancer/NAT in your network, hence the IP being the public IP. In that case, I think you would need to enable PROXY_PROTOCOL in it.
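As an added illustration for this thread (not Caddy's, Nextcloud's or caddy-docker-proxy's own code), the Python below models the trusted-proxy rule the reply describes: the X-Forwarded-For header is honoured only when the TCP peer is one of the configured proxies, and the result is whatever address the nearest proxy itself saw. The Caddy address 172.16.0.6 is taken from the compose file above; the client address 203.0.113.7 and the host-side address 198.51.100.20 are constructed for the example. The scenarios show why a missing trusted_proxies entry yields the proxy's IP, why a host-side hop in front of Caddy cannot be fixed by trusted_proxies at all, and why an untrusted peer's forged header must be ignored.

```python
"""Client-IP resolution behind a reverse proxy, as an illustrative model.

Added example for this thread; not Nextcloud's or Caddy's implementation.
Assumed addresses: Caddy at 172.16.0.6 (from the compose file above);
203.0.113.7 (client) and 198.51.100.20 (host-side hop) are constructed.
"""
import ipaddress
from typing import Iterable, Optional

CADDY_IP = "172.16.0.6"        # ipv4_address of the caddy service above
CLIENT = "203.0.113.7"         # constructed: the real browser/client
HOST_SIDE = "198.51.100.20"    # constructed: address a host-side hop connects from


def resolve_client_ip(remote_addr: str,
                      x_forwarded_for: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address an app should use for brute-force throttling.

    remote_addr     -- TCP peer the application server actually sees
    x_forwarded_for -- X-Forwarded-For header value, or None
    trusted_proxies -- IPs or CIDRs allowed to set that header

    If the peer is not a trusted proxy the header is ignored: otherwise
    anyone reaching the app directly could pick an arbitrary IP and dodge
    throttling, or get a third party throttled instead.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)

    if not x_forwarded_for or not any(peer in n for n in nets):
        return remote_addr

    # Walk the chain right to left: the rightmost entry was appended by the
    # proxy nearest to us. Skip hops that are themselves trusted proxies and
    # stop at the first address we do not control; that is the client.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr   # malformed header: fall back to the peer
        if not any(addr in n for n in nets):
            return str(addr)
    # Every hop was one of our own proxies; nothing useful is left.
    return remote_addr


def thread_scenarios() -> dict:
    """Constructed requests mirroring the states discussed in this thread."""
    return {
        # trusted_proxies not set: header ignored, Nextcloud logs Caddy's IP.
        "no_trusted_proxies":
            resolve_client_ip(CADDY_IP, CLIENT, []),
        # trusted_proxies set and Caddy saw the real peer: correct answer.
        "trusted_and_direct":
            resolve_client_ip(CADDY_IP, CLIENT, [CADDY_IP]),
        # A host-side hop (e.g. Docker's userland proxy) sits in front of
        # Caddy, so Caddy's own peer was that hop and that is what it
        # forwards. No trusted_proxies tuning recovers the client here; the
        # fix has to happen at the Docker layer.
        "host_side_hop_in_path":
            resolve_client_ip(CADDY_IP, HOST_SIDE, [CADDY_IP]),
        # Attacker reaches the app directly and forges the header: ignored.
        "spoofed_from_untrusted_peer":
            resolve_client_ip(CLIENT, "10.0.0.1", [CADDY_IP]),
    }


if __name__ == "__main__":
    for name, ip in thread_scenarios().items():
        print(f"{name:30s} -> {ip}")
```

In the third scenario the value that reaches the app is simply whatever address Caddy's peer had, which is the check to run when diagnosing: look at what Caddy itself logs as the remote address before touching Nextcloud's trusted_proxies. In Nextcloud the `trusted_proxies` setting (together with `forwarded_for_headers`) plays the role of the `trusted_proxies` argument here; on the Docker side the host-mode port binding from #406 or the daemon's `userland-proxy` option decides whether the host-side hop exists at all.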

It could be lost in the Docker network; bind the CDP container directly to host ports to prevent it: #406 (comment)

Do I also bind the 443 port to host?
Edit: Tried with it, still returns the public IP.
docker-compose:

    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host

Caddy by default sends transparent proxy headers (X-Forwarded-...), so if Caddy receives the original IP it will be sent to Nextcloud, but you need to configure Nextcloud to trust the headers from Caddy. The config name is trusted_proxies: https://docs.nextcloud.com/server/28/admin_manual/configuration_server/reverse_proxy_configuration.html

Already set that up.
Hmm, I wonder if that's related? https://docs.linuxserver.io/FAQ/#strict-proxy, seeing as Nextcloud in the container is set to output to 443 by default.
Someone had a different issue but maybe that would work here too: https://discourse.linuxserver.io/t/cant-get-nextcloud-to-work-with-caddy-v2-as-reverse-proxy/1549/8
But I couldn't really figure out how to implement that in the compose file.

Hm, so another strange thing: I set up Vaultwarden and it reports the IP of the proxy, yet Caddy returns nothing about failed login attempts in the log.

So, an update on that issue: I went and disabled the Docker userland proxy and now the Nextcloud brute-force prevention correctly grabs the IPs, but now I need to figure out how to make Vaultwarden report the external IP and not the IP of the proxy.