Overblocking behind proxy

[pfrancks]

I have setup my nextcloud AIO behind a reverse proxy that terminates TLS and forwards to the nextcloud AIO apache (port 11000). The reverse proxy adapts the headers as following:

match request header "Host" value $nextcloud_domain forward to <nextcloud>
match response header remove "Server"    
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

From time to time I have some people bruteforcing on the server. In the apache log container I can see then things like:

[Sun Jul 16 02:25:49 2023] [error] [(70008)Partial results are valid but processing is incomplete] [client: 213.109.202.**, 192.168.178.1] [AH01075: Error dispatching request to :443: (reading input brigade)] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]
[Sun Jul 16 09:03:50 2023] [error] [client: 213.109.202.**, 192.168.178.1] [AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]

The IP 213.109.202.** is the attacker, the IP 192.168.178.1 is my reverse proxy. It seems like nextcloud adds also the reverse proxy to the blocking list. If I access my Nextcloud at the same time, I see the rate limiting on the login page (it says that it has detected many login attempts from my IP).

Nextcloud AIO should make sure that it does not block the proxy but the originating IP. Or am I doing something wrong with the proxy?

Peter

[Zoey2936]

please show your reverse proxy conf

[pfrancks]

Here is my config for relayd:

# Configuration of the Nextcloud AIO instance
table <nextcloud> { 192.168.178.2 }
nextcloud_port = "11000"
nextcloud_domain = "my.cloud"

http protocol "httpsproxy" {
    match request header "Host" value $nextcloud_domain forward to <nextcloud>
    match response header remove "Server"
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-Port" value "$REMOTE_PORT"

    match response header set "Referrer-Policy" value "no-referrer"
    match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-XSS-Protection" value "1; mode=block"

    http websockets

    tls keypair $nextcloud_domain

    return error
    pass
}

relay "relayserver" {
    listen on egress port 443 tls
    protocol httpsproxy
    forward to <nextcloud> port $nextcloud_port check tcp
}

[Zoey2936]

what proxy software do you use?

[pfrancks]

Ah sorry, maybe I should write that a little more detailed as relayd is not very common.
https://man.openbsd.org/relayd.8
Relayd is the built in proxy in OpenBSD.

Is there an easy way to check on the nextcloud side how the headers look like and whether this is correct? I think it might be more efficient to do the debugging in this order.

[szaimen]

Hi, can you check if this makes it work?

match request header "X-Forwarded-For" value "$REMOTE_ADDR"
match request header "X-Forwarded-Port" value "$REMOTE_PORT"

(I removed the append).