Issue with nextcloud behind proxy

[Tigerium]

Hi, don't know whether this is the exact best spot to report this issue, because the same issue happens when using the backup-codes.

Steps to reproduce

1. open nextcloud app on ios
2. sign in to https://cloud.my.domain
3. enter 2FA code

Expected behaviour

Successful sign in to my account

Actual behaviour

I get the following error:

The operation couldn't be completed. (actual domain replaced with my.domain and parameters after login/flow/grant? removed) (NSURLErrorDomain error -999.)_WKRecoveryAttempterErrorKey <WKReloadFrameErrorRecoveryAttemp ter: 0x28348f300> NSErrorFailingURLStringKey https:// cloud.my.domain/login/challenge/ totp?redirect_url=/login/flow/grant?[...] NSErrorFailingURLKey https:// cloud.my.domain/login/challenge/ totp?redirect_url=/login/flow/grant?[...]

The weird thing is, that after I click on "ok", it displays nextcloud as a logged in website, it just doesn't actually link it to the app.

Sign in for non 2FA accounts works fine

Security Setups and Warnings says "all checks passed"

Server configuration

Unraid with nextcloud docker and Nginx Proxy manager

https://cloud.my.domain --> Nginx Proxy Manager (with letsencrypt certificate, force https, http/2, HSTS, netfinger etc. specified according to nextcloud documentation) --> http://192.168.xx.yy:httpport

Version: (see admin page) 25.0.3

Updated from an older version or fresh install: fresh install, restored from previous server running on Ubuntu, also version 25.0.3 though

The content of config/config.php:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'id',
  'passwordsalt' => 'salt',
  'secret' => 'secret,
  'trusted_domains' => 
  array (
    0 => '192.168.xx.yy:port,
    1 => 'cloud.my.domain',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.xx.yy',
  ),
  'overwrite.cli.url' => 'https://cloud.my.domain',
  'dbtype' => 'mysql',
  'version' => '25.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'ip',
  'dbport' => 'port',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dbuser',
  'dbpassword' => 'dbpasswd',
  'installed' => true,
  'overwriteprotocol' => 'https',
  'default_phone_region' => 'DE',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);

[mmccarn]

This is an old issue, but...

Lessons learned using nextcloud behind a cloudflare proxy:

• trusted_domains
  • Include any IPs or DNS names that might be used to access NextCloud
• trusted_proxies
  • include proxy IPs as seen by the nextcloud server
    • when I ran my own proxy I got this IP from the nextcloud log
    • for cloudflare I used cloudflare's list of IPs
• forwarded_for_headers
  • specify the headers added by the proxy to indicate the user's actual IP address
    • I got this, too, from the nextcloud log when using my own proxy, and from cloudflare header documentation for cloudflare

Comments specific to this issue:

• If the nginx proxy is really on the same host as nextcloud ("192.168.xx.yy" as indicated in the supplied config.php), then the value under trusted_proxies might need to be "127.0.0.1" instead of 192.168.xx.yy
• nginx may need configuration modifications to correctly report the user's IP address.
  • I don't use nginx, but these instructions from slingacademy.com may be useful.
• "remoteAddr" in the nextcloud log will be the user's IP when the configuration is correct (and will be the proxy IP if not)

Working Config For reference, here is the config that works for me with TOTP behind a cloudflare proxy

• 192.168.1.1 is listed under trusted_proxies because it still serves as a WAF/Proxy if cloudflare is disabled or bypassed.
• The forwarded-for-headers section may not be required if the proxy uses only X-Forwarded-For

  'trusted_domains' => 
  array (
    0 => '192.168.1.7',
    1 => 'nextcloud.redacted.tld',
    2 => 'redacted.dyndns.org',
    3 => '192.168.1.89',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.1.1',
    1 => '173.245.48.0/20',
    2 => '103.21.244.0/22',
    3 => '103.22.200.0/22',
    4 => '103.31.4.0/22',
    5 => '141.101.64.0/18',
    6 => '108.162.192.0/18',
    7 => '190.93.240.0/20',
    8 => '188.114.96.0/20',
    9 => '197.234.240.0/22',
    10 => '198.41.128.0/17',
    11 => '162.158.0.0/15',
    12 => '104.16.0.0/13',
    13 => '104.24.0.0/14',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
    16 => '2400:cb00::/32',
    17 => '2606:4700::/32',
    18 => '2803:f800::/32',
    19 => '2405:b500::/32',
    20 => '2405:8100::/32',
    21 => '2a06:98c0::/29',
  ),
  'forwarded-for-headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_CF-Connecting-IP',
  ),