TRUSTED_PROXIES doesn't evaluate gethostbyname
#2218
Comments
|
There's an open issue, nextcloud/server#7005, about the same issue. Not sure if the docker image should implement a workaround or just try to get upstream support for hostnames in the trusted_proxies config option. I was experimenting with some Nextcloud docker configuration setup which implements the naive fix (link), but given the issues mentioned in the nextcloud/server issue I'm not using it on my live server just yet. |
joshtrichards
added
enhancement
feature: auto config (environment variables)
Have you tried using an auto config hook script to set it entirely via https://github.com/nextcloud/docker#auto-configuration-via-hook-folders The point of the the hook script support is to permit any |
|
In majority of cases you can simply add the docker subnet range (172.16.0.0/12) - this will cover all reverse proxies running on the same host. The most "open" approach is to add all private non-routable IP ranges this will accept all reverse proxies from internal network but still reject headers from public IPs. Definitely little less secure than exact assignment should be good for most installations. |
Thanks for the advice. I've currently migrated away from the Docker installation, but I might migrate back and test this when I have some more time this summer, due to an issue with OnlyOffice & Nextcloud not being able to save a file in a bare-metal installation. Would it be best to keep this open for now? |
|
I would leave this open since the solution above is more of a bandaid fix to make the warning disappear. An alternative to that would simply be to give the reverse proxy a fixed IP in docker and just add the IP. But none of these solutions are completely portable as just gethostbyname('') working. |
|
If I am reading this correctly TRUSTED_PROXIES is still not fixed to evaluate host names. Looking at the linked thread from nextcloud, it does not look like they are going to do anything about it. Is there any possibility some one will fix this or are we just stuck wit the workaround? Thanks |
joshtrichards
added
the
needs review
When setting the
TRUSTED_PROXIESenvironment variable as shown in nextcloud/server#44495 (comment)(TRUSTED_PROXIES=gethostbyname('nginx-proxy'), I get the warningYour "trusted_proxies" setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation.and when executingphp occ config:system:get trusted_proxies, the result isgethostbyname('proxy'). When manually editingconfig.php, the result ofphp occ config:system:get trusted_proxieswill be the IP of the proxy as thegethostbynamefunction will get evaluated correctly.Since it's best practice to not assign static IP's in a compose file, being able to evaluate
gethostbynamewhen using the TRUSTED_PROXIES environment variable is quite important especially for the Nextcloud Docker image.As @xeluior mentioned in this comment, we might be able to naively apply
gethostbynameto all trusted proxies when the container starts, however container restarts would likely break this, and I'm not sure if Nextcloud's config works across container restarts withgethostbynameeither.Furthermore, it might be good to also discuss if we want to only evaluate
gethostbynameor if we should evaluate the exact same way as config.php does for consistency.The text was updated successfully, but these errors were encountered: