Nextcloud, bruteforce attacks and reverse proxy

Nextcloud 10 introduced several security improvements, notably a protection against bruteforce attacks. The process is simple: if Nextcloud detects several login attempts from the same IP address, then all future authentication requests from that subnet will be slowed down (up to 30 seconds of lag time).

In the logs, we will see:

{"reqId":"b4hUi89HUuji","remoteAddr":"10.20.30.40","app":"core","message":"Bruteforce attempt from "10.20.30.40" detected for action "login".","level":1,"time":"2016-10-17T04:08:55+00:00","method":"PROPFIND","url":"\/remote.php\/carddav\/","user":"--"}

and then we know that the IP address 10.20.30.40 is presumably trying to bruteforce our Nextcloud! Interestingly, we may also ban this IP with Fail2ban.

Behind a reverse proxy?

If the connections to Nextcloud are managed by a reverse proxy (e.g. Pound or Nginx), then Nextcloud must be properly configured to use the true client address as the remote address, and not the address of the reverse proxy! Otherwise every connection appears to come from the proxy's own IP, and all of them will be slowed down by the brute force mitigation system!

We explain how to properly configure Nextcloud in the next section.

Nextcloud and X-Forwarded-For

Let's say the reverse proxy is 192.168.1.1 and it is set up to forward the original client address in the X-Forwarded-For header.

We need to open Nextcloud config file (e.g. /var/www/nextcloud/config/config.php) and add two lines:

  'trusted_proxies' => array('192.168.1.1'),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),

The first line identifies the trusted proxy: only when a request comes from a trusted proxy will its forwarded headers be considered, which prevents header forgery as a way to escape the brute force protection. The second line indicates which header should be taken as the remote address: X-Forwarded-For is exposed to Nextcloud as HTTP_X_FORWARDED_FOR through $_SERVER.

This is it! Now Nextcloud properly takes into account the remote address when served by a reverse proxy.
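To make the trust rule concrete, here is a small Python model of how the remote address is resolved from PHP's $_SERVER array under the two settings above. It is an added example, not Nextcloud's own code: it mirrors the behaviour the post describes and assumes that the header may carry a comma-separated proxy chain in which the first valid address is the client.

```python
import ipaddress

# Constructed config fragment mirroring the two config.php lines from the post.
CONFIG = {
    "trusted_proxies": ["192.168.1.1"],
    "forwarded_for_headers": ["HTTP_X_FORWARDED_FOR"],
}


def _valid_ip(value):
    """Return the address if it parses as IPv4/IPv6, else None (rejects junk in forged headers)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def remote_address(server, config=CONFIG):
    """Resolve the address the brute-force protection should key on.

    `server` plays the role of PHP's $_SERVER. The forwarded header is only
    consulted when REMOTE_ADDR is itself a trusted proxy; otherwise a client
    could forge X-Forwarded-For to escape the throttling.
    """
    remote = server.get("REMOTE_ADDR", "")
    if remote not in config.get("trusted_proxies", []):
        return remote
    for header in config.get("forwarded_for_headers", []):
        if header not in server:
            continue
        # Assumption: a proxy chain is comma-separated, client first.
        for hop in server[header].split(","):
            ip = _valid_ip(hop)
            if ip:
                return ip
    return remote


# Constructed requests: via the trusted proxy, direct, and a forgery attempt.
VIA_PROXY = {"REMOTE_ADDR": "192.168.1.1", "HTTP_X_FORWARDED_FOR": "10.20.30.40"}
DIRECT = {"REMOTE_ADDR": "10.20.30.41"}
FORGED = {"REMOTE_ADDR": "10.20.30.42", "HTTP_X_FORWARDED_FOR": "203.0.113.9"}

if __name__ == "__main__":
    for name, req in [("via proxy", VIA_PROXY), ("direct", DIRECT), ("forged", FORGED)]:
        print(f"{name:10s} -> {remote_address(req)}")
    # Without trusted_proxies every request collapses onto the proxy address,
    # which is exactly why the whole instance gets throttled.
    print("unconfigured -> " + remote_address(VIA_PROXY, config={}))
```

The last print shows the failure mode from the previous section: with no trusted_proxies entry, every client is seen as 192.168.1.1.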

Addendum

Here is the pull request that added the X-Forwarded-For capability to ownCloud/Nextcloud: https://github.com/owncloud/core/pull/10653/files.