From 9509cfabee8d9faf7e2db79c5e37ef2108003812 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Soko=C5=82owski?= Date: Fri, 25 Mar 2022 11:13:14 +0100 Subject: [PATCH] nextcloud: add X-Forwarded headers to revers proxy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/status-im/infra-office/issues/9 Signed-off-by: Jakub SokoĊ‚owski --- ansible/group_vars/nextcloud.yml | 7 +++++-- ansible/roles/nextcloud/defaults/main.yml | 6 +++++- ansible/roles/nextcloud/templates/config.php.j2 | 1 + 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ansible/group_vars/nextcloud.yml b/ansible/group_vars/nextcloud.yml index 70c3ec0..23e6769 100644 --- a/ansible/group_vars/nextcloud.yml +++ b/ansible/group_vars/nextcloud.yml @@ -89,11 +89,14 @@ nginx_sites: - | # config to enable HSTS(HTTP Strict Transport Security) add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; - # Increase file upload limits to 20 MB - - client_max_body_size 20m + - | # Increase file upload limits to 20 MB + client_max_body_size 20m - location / { proxy_pass http://localhost:{{ nextcloud_app_cont_port }}/; + include /etc/nginx/proxy_params; + proxy_set_header Upgrade $http_upgrade; + proxy_http_version 1.1; } nextcloud_docs_http: diff --git a/ansible/roles/nextcloud/defaults/main.yml b/ansible/roles/nextcloud/defaults/main.yml index 6990d3a..9b0ae96 100644 --- a/ansible/roles/nextcloud/defaults/main.yml +++ b/ansible/roles/nextcloud/defaults/main.yml @@ -10,9 +10,13 @@ nextcloud_trusted_domains: - '{{ nextcloud_domain }}' - '{{ nextcloud_docs_domain }}' nextcloud_trusted_proxies: - - '127.0.0.1' # localhost + - '127.0.0.0/8' # localhost - '10.0.0.0/8' # VPN - '172.17.0.0/16' # Docker +nextcloud_forwarded_for_headers: + - 'HTTP_X_REAL_IP' + - 'HTTP_FORWARDED_FOR' + - 'HTTP_FORWARDED_PROTO' # Admin nextcloud_admin_email: 'admin@example.org' nextcloud_admin_username: 'admin' 
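Review bot: In the `location /` block the added `proxy_set_header Upgrade $http_upgrade;` has no matching `Connection` header, so nginx still sends its default `Connection: close` upstream and a WebSocket upgrade cannot complete. Add `proxy_set_header Connection "upgrade";` next to it, or a `map`-derived `$connection_upgrade` value. Separately, `include /etc/nginx/proxy_params;` makes the forwarded headers depend on a distro-provided file that this repository does not appear to manage. Nextcloud's client-IP handling now relies on those headers, so setting `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` explicitly in this block would keep the trust chain visible in one place. The `nginx_sites` entry begins before this hunk.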
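Review bot: Two of the three entries in `nextcloud_forwarded_for_headers` look misnamed: `HTTP_FORWARDED_FOR` and `HTTP_FORWARDED_PROTO` lack the `X_` part, whereas the stock Debian/Ubuntu `/etc/nginx/proxy_params` (assuming that is the file included) sends `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto`. Nextcloud consults `forwarded_for_headers` only for the client IP, so a protocol header does not belong in the list. A header name that nginx never overwrites reaches the backend exactly as the client sent it, so if Nextcloud ever falls through to it, request-supplied data ends up in the address used for brute-force throttling and audit logs. I would reduce the list to `- 'HTTP_X_REAL_IP'` and `- 'HTTP_X_FORWARDED_FOR'`. The list is honoured for every address in `nextcloud_trusted_proxies`, including the whole `10.0.0.0/8` VPN range, so narrowing that range to the actual proxy hosts is also worth considering.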
diff --git a/ansible/roles/nextcloud/templates/config.php.j2 b/ansible/roles/nextcloud/templates/config.php.j2
index ffaf059..f2c777c 100644
--- a/ansible/roles/nextcloud/templates/config.php.j2
+++ b/ansible/roles/nextcloud/templates/config.php.j2
@@ -15,6 +15,7 @@ $CONFIG = [
 'overwriteprotocol' => 'https',
 'trusted_domains' => {{ nextcloud_trusted_domains | to_json }},
 'trusted_proxies' => {{ nextcloud_trusted_proxies | to_json }},
+ 'forwarded_for_headers' => {{ nextcloud_forwarded_for_headers | to_json }},
 /* LOGS */
 'log_type' => 'file',
 'logfile' => '/data/nextcloud.log',