Merge pull request #830 from nextcloud/enh/828/trusted-proxies

fix trusted_proxies for caddy in case of a reverse proxy situation
2025-02-24 22:06:00 +08:00 · 2022-06-22 14:27:57 +02:00 · 2022-06-22 14:27:57 +02:00 · dc4e251b05
commit dc4e251b05
parent 686128c9d4 f0ddf95a3e
3 changed files with 36 additions and 8 deletions
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@ -11,24 +11,34 @@
    # Notify Push
    route /push/* {
        uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
+        }
    }

    # Talk
    route /standalone-signaling/* {
        uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
    }

    # Collabora
    route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
    }
    route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
    }
    route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
    }

    # Onlyoffice
@ -37,6 +47,7 @@
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.host}/onlyoffice
            header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
        }
    }

@ -45,7 +56,10 @@
        rewrite /.well-known/carddav /remote.php/dav
        rewrite /.well-known/caldav /remote.php/dav
        header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
    }

    # TLS options
--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@ -21,17 +21,30 @@ if [ -z "$APACHE_PORT" ]; then
    export APACHE_PORT="443"
 fi

-# Change the Caddyfile
+# Change variables in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
    export PROTOCOL="http"
    export NC_DOMAIN=""
-    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
 else
    export PROTOCOL="https"
+fi
+
+# Change the auto_https in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
+else
    CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
 echo "$CADDYFILE" > /Caddyfile

+# Change the trusted_proxies in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
+else
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+fi
+echo "$CADDYFILE" > /Caddyfile
+
 # Add caddy path
 mkdir -p /mnt/data/caddy/

--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@ -307,6 +307,7 @@ else
    php /var/www/html/occ app:update notify_push
 fi
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
+php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
 php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"

 # Collabora