[stable28] fix(settings): Also verify that trusted_proxies only contains IP addresses (with range)

[backportbot]

Backport of PR #44483

[whisperdancer]

Just updated and got the error:
There are some errors regarding your setup.
Your "trusted_proxies" setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation.

I'm using docker and my proxy (container name swag) and nextcloud (container name nextcloud) containers are in the same docker compose file on same docker network so setting the trusted proxy in config.php to 'swag' has always worked perfectly without requiring the trusted proxy to be an IP address.

  'trusted_domains' =>
  array (
    0 => 'mydomain.com',
  ),
  'trusted_proxies' =>
  array (
    0 => 'swag',
  ),

Can you please confirm if the check does not actually perform a function check, but only looks at the values in config.php and then complains if it finds anything other than IP addresses? If this is the case then I assume I can leave my trusted proxy as 'swag' and safely ignore the new error?

Much appreciate a timely response. Thank you.

[susnux]

@whisperdancer The code worked because the trusted_proxies were never evaluated correctly there.
It is not possible to have domains in the trusted proxies, as this is an IP only value (the value of the header field is also only a list of IPs there are never host names involved).

Meaning your proxy was considered the end user IP, so brute-force protection etc would block your proxy instead of bad user.

[szaimen]

However you could do this:

'trusted_proxies' =>
array (
0 => gethostbyname('swag'),
),

[whisperdancer]

Thanks so much for clearing this up. I've been running this incorrectly for a long time. Your new check along with your suggestion has my nextcloud running as it should now. The use of gethostbyname function when setting trusted_proxies eliminated the error and nextcloud is working great..

However, unsure what you mean by this statement? ..."(the value of the header field is also only a list of IPs there are never host names involved)...
Are you referring to the trusted domains? Should I be using gethostbyname function for both trusted_domains and trusted_proxies like this?

  'trusted_domains' =>
  array (
    0 => gethostbyname('mydomain.com'),
  ),
  'trusted_proxies' =>
  array (
    0 => gethostbyname('swag'),
  ),

[susnux]

No, it is just about the trusted_proxies. The proxy field does not accept hostnames but IPs.

For trusted_domains you of course need to set hostnames.

[whisperdancer]

Wonderful, much appreciate the clarification! :)

[akolodk]

hi, I just pulled the latest version of the 29.0.0.19 and noticed that my trusted_proxies stopped working.
I tried using the gethostbyname('proxy') directive in my docker compose file but it seems that config.php is not generated using the new directive...

so I used to have

- TRUSTED_PROXIES=proxy

in my docker compose file which translated to

  'trusted_proxies' =>
  array (
    0 => 'proxy',
  ),

now I wanted to have
- TRUSTED_PROXIES=gethostbyname('proxy')
but config.php doesnt change and I can still see the old proxy entry....

any thoughts?
A

edit:
it seems that within the container I can see updated value:

www-data@244256b6c22e:~/html$ php occ config:system:get trusted_proxies
gethostbyname('proxy')

but it still reports an error "Your "trusted_proxies" setting is not correctly set, it should be an array of IP addresses"

edit 2:
there must be some sort of periodic update because the config.php got updated eventually (is there? I have no idea what triggers an update to this file, it doesn't seem to be restarts).
however the generated text is:

  'trusted_proxies' =>
  array (
    0 => 'gethostbyname(\'proxy\')',
  ),

and still getting the same error...

[susnux]

still getting the same error.

Yes because it is a string, you need:

  'trusted_proxies' =>
  array (
    0 => gethostbyname('proxy'),
  ),

Do this change manually or report this issue at the docker repo: https://github.com/nextcloud/docker

[S0ulf3re]

I'm also having issues with this error message as well. I'm assuming that the swag name is meant to be the hostname of your reverse proxy (traefik in my case). I also noticed with this though with notify_push that trying to do this resulted in:

Error: php_literal_parser::unexpected_token

  × Error while parsing nextcloud config.php
  ╰─▶ Error while parsing '/config.php':
      No valid token found, expected one of boolean literal, integer literal,
      float literal, string literal, 'null', 'array' or '['
    ╭─[65:1]
 65 │   array (
 66 │     0 => gethostbyname('traefik'),
    ·          ┬
    ·          ╰── Expected boolean literal, integer literal, float literal, string literal, 'null', 'array' or '['
 67 │   ),
    ╰────

[techgeeksvk]

What if we are using Cloudflare tunnel? Do i need to add all Cloudflare IP's? Solution to add 0 => 'gethostbyname('proxy')', fails. THX

[susnux]

@techgeeksvk it was never working, as the header only uses IPs not host names.
Meaning if you added host names in the past it did also not work (meaning e.g. if someone run DDOS then not that user will by blocked by bruteforce protection but your proxy because the proxy IP was not listed and thus considered the enduser IP).

Solution to add 0 => 'gethostbyname('proxy')', fails

Do not use quotation marks there, gethostbyname is a function. Also ONLY do this if you are sure that your DNS will correctly resolve the IP of that host. If not do it manually and add the correct IP.

So it should look like:

// config.php
// ...
  'trusted_proxies' => array(
    0 => gethostbyname('my-proxy'),
  ),
// ...

[techgeeksvk]

Thanks but what proxy do I use when I am connected via tunnel u see. Do I need to use Cloudflare ip's? Docker with Nextcloud is directly connected via tunnel. Maybe I am forgetting something.

[TheMrCV]

My proxy server has a static IP and I have the following line in my config.php:

'trusted_proxies' => ['10.0.3.6'],

However I still get the trusted_proxies error. When I run:

php occ config:system:get trusted_proxies

It returns the hostname, and not the IP address that I specified in the config.php file. Could that configuration directive have been specified somewhere else? Is it reverse DNS messing me up? I do have a PTR record for that IP on my DNS server.

I was able to resolve my problem with the following command:

php occ config:system:set trusted_proxies 0 --value=10.0.3.6

It appears to persist through container reboots, but I do not see where that value was set.

[techgeeksvk]

Ok but what dns provider are you using?

[susnux]

It returns the hostname, and not the IP address that I specified in the config.php file.

The IP should never be resolved to a hostname, are you sure you have no other config that injects trusted_proxies?

[TheMrCV]

Ok but what dns provider are you using?

Builtin router DNS resolver, I believe it's unbound.

[TheMrCV]

It returns the hostname, and not the IP address that I specified in the config.php file.

The IP should never be resolved to a hostname, are you sure you have no other config that injects trusted_proxies?

I do not think so, I grepped all the files in the config directory and that yields no results for the hostname of the proxy server. Interestingly neither does grepping for the ip address that I set via the php occ config:system:set command. It looks like the setting is saved, it is persisting somehow, but it's not in the config directory.

[wetterbrienz]

Hello everyone,
So the tips above don't work for me.
I still get the same error.
My Nextcloud runs in Docker on a Synology and NPM is installed on a PI 5 with the IP 192.168.1.80.
Am I doing something wrong?
Greeting
Daniel

[susnux]

Please use the forums for help: https://help.nextcloud.com/

[jwilleke]

No Idea where this error is emerging from and obviously the #44495 did not fix the issue as I installed App Version: 29.0.0
Here I only see workarounds and no fixes.

[come-nc]

No Idea where this error is emerging from and obviously the #44495 did not fix the issue as I installed App Version: 29.0.0 Here I only see workarounds and no fixes.

What error are you talking about? You are commenting on #44495 which you are referring, did you post in the wrong tab?

[jwilleke]

Sorry, came from another thread.

Constant repeating of:

[php:notice] [pid 162] [client 172.16.1.81:33092] Nextcloud trustedProxies has malformed entries

None of the tips above work for me.

[Nini150]

Hello,

I checked in my config.php and I have this:
trusted_proxies' =>
array (
0 => 'nextcloud.mydomainname',
1 => 'x.x.x.x', #IP of the server
),

Can you help me to solve the problem ?

[susnux]

0 => 'nextcloud.mydomainname',

Remove that line, if you need that as a trusted proxy either use the static IP address of that server or try:

'trusted_proxies' => [
    gethostbyname('your.domain'),
    'ip.of.your.server'
]

This field only supports IP addresses, no hostnames so you need to resolve any hostname previously.

[Nini150]

Thanks I found a solution.
But now I have another problem :(

Have you ever encountered this problem ?