"unix:" remote_addr is being parsed as an IP
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
OC\AppFramework\Http\Request::isTrustedProxy does not check if the $remoteAddress parameter is the unix: string, which happens when the nginx reverse proxy is passing the request to the server hosting NC via proxy_pass "http://unix:/path/to.sock:$request_uri".
My nginx setup is something like this:
nginx.conf
http {
    server {
        listen 80;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass "http://unix:/srv/sockets/home.sock:$request_uri";
        }
    }
    server {
        listen unix:/srv/sockets/home.sock;
        # Nextcloud stuff
    }
}
Steps to reproduce
- Have a setup similar to the above nginx.conf
- Visit the Nextcloud URL
Expected behavior
The server to work as if it wasn't hosted on a server via a Unix socket.
Installation method
Other Community project
Nextcloud Server version
28
Operating system
Other
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [X] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
No response
List of activated Apps
No response
Nextcloud Signing status
No response
Nextcloud Logs
{"reqId":"jEoN9LI082xii8Xw5cP4","level":3,"time":"2024-04-12T14:14:39+00:00","remoteAddr":"unix:","user":"--","app":"index","method":"GET","url":"/nextcloud/login","message":"Unsupported operand types: bool & string in file '/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php' line 63","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0","version":"28.0.4.1","exception":{"Exception":"Exception","Message":"Unsupported operand types: bool & string in file '/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php' line 63","Code":0,"Trace":[{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/usr/share/webapps/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/usr/share/webapps/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","Line":169,"Previous":{"Exception":"TypeError","Message":"Unsupported operand types: bool & 
string","Code":0,"Trace":[{"file":"/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php","line":100,"function":"getIPv6Subnet","class":"OC\\Security\\Normalizer\\IpAddress","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Security/Bruteforce/Throttler.php","line":207,"function":"getSubnet","class":"OC\\Security\\Normalizer\\IpAddress","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Security/Bruteforce/Throttler.php","line":217,"function":"getAttempts","class":"OC\\Security\\Bruteforce\\Throttler","type":"->"},{"file":"/usr/share/webapps/nextcloud/core/Controller/LoginController.php","line":174,"function":"getDelay","class":"OC\\Security\\Bruteforce\\Throttler","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"showLoginForm","class":"OC\\Core\\Controller\\LoginController","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/usr/share/webapps/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/usr/share/webapps/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/usr/share/webapps/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php","Line":63},"message":"Unsupported operand types: bool & string in file '/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php' line 63","exception":{},"CustomMessage":"Unsupported operand types: bool & string in file 
'/usr/share/webapps/nextcloud/lib/private/Security/Normalizer/IpAddress.php' line 63"}}
Additional info
The operating system is Arch Linux and Nextcloud has been installed and set up as instructed by the wiki (https://wiki.archlinux.org/title/Nextcloud).
I have edited OC\AppFramework\Http\Request::isTrustedProxy to include this before the try-catch:
    if ($remoteAddress === 'unix:') {
        return \in_array($remoteAddress, (array)$trustedProxies, \true);
    }
I'm not sure if this is how you would like to solve this issue, but this will make OC\AppFramework\Http\Request::getRemoteAddress properly return the forwarded-for address.
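The failure mode in the log and the kind of guard described above, as an added PHP example (not Nextcloud's code and not the reporter's patch): the peer address is validated before any binary IP handling, and "unix:" is matched only as a literal trusted-proxy entry. The function names and sample addresses are hypothetical, and the example assumes a single trusted hop, so it takes the last X-Forwarded-For entry.

```php
<?php
declare(strict_types=1);

/** Added example (hypothetical name): is the direct peer a trusted proxy? */
function isTrustedPeer(string $peer, array $trustedProxies): bool
{
    // A Unix-socket peer is reported as the literal "unix:". It is not an
    // IP, so it may only be matched as a literal list entry.
    if ($peer === 'unix:') {
        return in_array('unix:', $trustedProxies, true);
    }
    // Validate before binary handling: inet_pton() returns false for
    // non-IP input, and false & <mask string> is a TypeError in PHP 8.
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $peerBin = inet_pton($peer);
    foreach ($trustedProxies as $proxy) {
        // Exact addresses only; CIDR entries are skipped in this example.
        if (filter_var($proxy, FILTER_VALIDATE_IP) !== false
            && inet_pton($proxy) === $peerBin) {
            return true;
        }
    }
    return false;
}

/** Address to rate-limit on, or null when no valid IP is available. */
function resolveClientAddress(string $peer, ?string $forwardedFor, array $trustedProxies): ?string
{
    $candidate = $peer;
    if ($forwardedFor !== null && isTrustedPeer($peer, $trustedProxies)) {
        // Assumes one trusted hop: the last entry is the one it appended.
        $hops = explode(',', $forwardedFor);
        $candidate = trim(end($hops));
    }
    // Never hand a non-IP string (such as "unix:") to subnet arithmetic.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// Constructed samples: [peer, X-Forwarded-For, trusted proxies].
$cases = [
    ['unix:', '203.0.113.7', ['unix:']],         // socket peer, listed
    ['unix:', '203.0.113.7', ['127.0.0.1']],     // socket peer, not listed
    ['198.51.100.4', '203.0.113.7', ['unix:']],  // direct TCP peer, not listed
];
foreach ($cases as [$peer, $xff, $trusted]) {
    echo var_export(resolveClientAddress($peer, $xff, $trusted), true), PHP_EOL;
}
```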
https://help.nextcloud.com/t/trusted-proxy-on-unix-domain-socket/162670/5?
Well damn, I only searched GitHub Issues. set_real_ip_from unix:; does indeed fix the problem with my patch removed.
Maybe worth documenting in some form in https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html? Wasn't immediately obvious to me that the problem was outside of NC.