trusted_proxies setting fails because of reverse-proxy.config.php #2209

Closed
FelixBuehler opened this issue Apr 28, 2024 · 7 comments
Labels
feature: auto config (environment variables) Auto configuring via environment variables needs info Additional info needed to triage question


@FelixBuehler

FelixBuehler commented Apr 28, 2024

Hello together,

Since the update to Nextcloud Hub 8/v29.0.0, my Security Warnings show me an incorrect trusted_proxy setting. I found out that it has to do with the reverse-proxy.config.php file, and in there the last part, where the entries from the normal config.php get exploded:

```php
$trustedProxies = getenv('TRUSTED_PROXIES');
if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
}
```

My normal config.php just looks like this:

```php
  'trusted_proxies' =>
  array (
    0 => '192.168.1.11',
  ),
```

I don't understand PHP that well, but I think it has something to do with the functions not giving back a clean list. Since 29, there is an additional check, see here:
nextcloud/server@14addf3

Also this: https://help.nextcloud.com/t/after-upgrade-to-29-getting-trusted-proxies-error/189016

Can anyone help me, how to fix the reverse-proxy.config.php?

@Andreas02-dev

Andreas02-dev commented Apr 28, 2024

While this is not the exact same issue, I've noticed that the TRUSTED_PROXIES environment variable doesn't work the same way as config.php does.

When setting the trusted_proxies in config.php as shown in nextcloud/server#44495 (comment) and the TRUSTED_PROXIES environment variable containing the same (TRUSTED_PROXIES=gethostbyname('proxy')), I get the warning: Your "trusted_proxies" setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation. And when executing php occ config:system:get trusted_proxies, the result is gethostbyname('proxy').

If I don't use the TRUSTED_PROXIES environment variable but only modify the config.php as shown in nextcloud/server#44495 (comment), executing php occ config:system:get trusted_proxies will yield the correct result, 172.22.0.2 in this case.

While it's possible to manually edit config.php after setup, I'd much prefer to be able to configure this in my docker-compose.yml correctly so the process of setting up a new instance can be fully automated.

I.m.o. this could be considered a bug as the Nextcloud Docker TRUSTED_PROXIES environment variable should be able to have the same capabilities as the setting in config.php; especially since the gethostbyname is useful for docker-compose instances where you generally don't want to assign your proxy a static ip.

@xeluior

xeluior commented May 1, 2024

I'm having the same problem. Some quick playing around in the REPL shows that gethostbyname(ip) == gethostbyname(hostname) when used on the corresponding host/ip pair. What this means is we could probably naively apply gethostbyname to all elements of the results of the first array_map call. Something like array_map('gethostbyname', array_map('trim', explode(' ', $trustedProxies))). If I understand Nextcloud's config parsing correctly, this would get the IP for the container with the given hostname when Nextcloud starts. It's a decent first pass at a solution, but it won't be robust against your reverse proxy restarting during the Nextcloud container's lifecycle.

@joshtrichards
Member

> Security Warnings show me an incorrect trusted_proxy settings. I found out, that it has to do with the reverse-proxy.config.php file and in there the last part, where the entries from the normal config.php get exploded:

@FelixBuehler You didn't share the precise error you're getting from the setup checks in Nextcloud so it's hard to say for sure. I will say that if you're specifying proxies via the environment variables (i.e. what reverse-proxy.php handles), you cannot just look at your config.php since it's overridden by what flows through reverse-proxy.config.php. To see your real running (merged) config you must use occ config:list system from inside the container. That should get you closer to deciphering what is going on.

@joshtrichards
Member

@Andreas02-dev & @xeluior Valid points, but since the reporter in this issue didn't mention gethostbyname() at all can you create a dedicated issue to track your matter?

@FelixBuehler
Author

FelixBuehler commented May 14, 2024

@joshtrichards Exact error in nextcloud setup checks:
Your "trusted_proxies" setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation. Weitere Informationen findest du in der [Dokumentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-reverse-proxy).

Content of reverse-proxy.config.php:

```php
<?php
$overwriteHost = getenv('OVERWRITEHOST');
if ($overwriteHost) {
  $CONFIG['overwritehost'] = $overwriteHost;
}

$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
if ($overwriteProtocol) {
  $CONFIG['overwriteprotocol'] = $overwriteProtocol;
}

$overwriteCliUrl = getenv('OVERWRITECLIURL');
if ($overwriteCliUrl) {
  $CONFIG['overwrite.cli.url'] = $overwriteCliUrl;
}

$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
if ($overwriteWebRoot) {
  $CONFIG['overwritewebroot'] = $overwriteWebRoot;
}

$overwriteCondAddr = getenv('OVERWRITECONDADDR');
if ($overwriteCondAddr) {
  $CONFIG['overwritecondaddr'] = $overwriteCondAddr;
}

$trustedProxies = getenv('TRUSTED_PROXIES');
if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
}
```

Response from occ config:list system --private:

```json
"trusted_proxies": [
    "sub.domain.tld",
    "192.168.1.11"
],
```

I don't know where the domain is coming from in this list.

@joshtrichards
Member

joshtrichards commented May 14, 2024

> I don't know where the domain is coming from in this list.

The reverse-proxy.config.php file in the Docker image places the contents of the TRUSTED_PROXIES environment variable that you're specifying, either in your Docker Compose or docker run command, into the running config. That is likely where the domain is coming from.

@FelixBuehler
Author

Thanks, that's it. I was only searching in the config.php file, but never took another look at the docker-compose.yaml.

Fixed, I guess?
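
The diagnosis reached in this thread, as an added example that is not code from the Nextcloud Docker image or the Nextcloud server: it splits a TRUSTED_PROXIES value the same way reverse-proxy.config.php does and flags every entry that is not an IP address or CIDR range, the shape the setup warning asks for. The helper name `checkTrustedProxies()` and the fallback sample value are constructed, and the validation approximates the warning's wording rather than reproducing Nextcloud's own check.

```php
<?php
// Added example: not part of the Nextcloud Docker image or server code.

/**
 * Split a TRUSTED_PROXIES value as reverse-proxy.config.php does, then sort
 * the entries into valid (IP or IP/prefix) and invalid (anything else).
 * checkTrustedProxies() is a hypothetical helper name.
 */
function checkTrustedProxies(string $raw): array
{
    // array_filter() keeps the original keys, so reindex to get a plain list.
    $entries = array_values(array_filter(array_map('trim', explode(' ', $raw))));

    $result = ['valid' => [], 'invalid' => []];
    foreach ($entries as $entry) {
        $parts = explode('/', $entry, 2);
        $ip = $parts[0];
        $ok = filter_var($ip, FILTER_VALIDATE_IP) !== false;

        if ($ok && isset($parts[1])) {
            // The prefix length must be numeric and fit the address family.
            $isV6 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
            $ok = ctype_digit($parts[1]) && (int) $parts[1] <= ($isV6 ? 128 : 32);
        }
        $result[$ok ? 'valid' : 'invalid'][] = $entry;
    }
    return $result;
}

// Constructed sample mirroring the thread: a hostname next to an address,
// with a doubled space to show why the reindexing above matters.
$sample = 'sub.domain.tld  192.168.1.11 10.0.0.0/8';

// Use the real environment value when present, the sample otherwise.
$raw = getenv('TRUSTED_PROXIES') ?: $sample;
$report = checkTrustedProxies($raw);

foreach ($report['invalid'] as $entry) {
    fwrite(STDERR, "not an IP or CIDR range: {$entry}\n");
}
echo json_encode($report, JSON_PRETTY_PRINT), PHP_EOL;

// A non-zero exit status lets a deployment script stop on a bad value.
exit($report['invalid'] === [] ? 0 : 1);
```

Run inside the container with the PHP CLI, it checks the value the container actually received, which is the one that ends up in the merged config shown by occ config:list system.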
