How do I change Cloudflare Remote IP to Real IP in owncloud log?

I am running ownCloud 10.15 community in a Docker container. ownCloud has a Caddy reverse proxy in front of it, and all external access is done via Cloudflare Proxy.

I can access ownCloud and have no issues there, but I am trying to set up Fail2Ban and the ownCloud log is only showing the remoteIP as an IP from Cloudflare.

Here is part of my Caddy config:

owncloud.mydomain.com:2096 {
        log {
          level INFO
          output file /data/logs/caddy.log {
            roll_size 10MB
            roll_keep 10
          }
        }

        reverse_proxy http://docker02.mydomain.com:8080 {
                header_up X-Real-IP {http.request.header.Cf-Connecting-IP}
        }
        tls /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem
}

When entering wrong credentials for ownCloud I see in the Caddy log the remote IP (Cloudflare proxy) and X-Forwarded-For (real client IP). But when I look at the owncloud.log file the IP is the Cloudflare proxy, which I pasted below.

I saw some other posts about changing the apache2.conf logging pattern from %h to %a but that appears to be already changed.

How do I get the owncloud.log to show the real remote IP address rather than Cloudflare?

Server configuration

Operating system:
Debian 12

Web server:
Apache2

Database:
mariadb

PHP version:
7.4.3

ownCloud version: (see ownCloud admin page)
10.15

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
Docker Hub
image: owncloud/server:10.15

Signing status (ownCloud 9.0 and above):
No errors have been found.

The content of config/config.php:

{
    "system": {
        "apps_paths": [
            {
                "path": "\/var\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/owncloud\/custom",
                "url": "\/custom",
                "writable": true
            }
        ],
        "trusted_domains": [
            "owncloud.mydomain.com"
        ],
        "trusted_proxies": [
            "173.245.48.0\/20",
            "103.21.244.0\/22",
            "103.22.200.0\/22",
            "103.31.4.0\/22",
            "141.101.64.0\/18",
            "108.162.192.0\/18",
            "190.93.240.0\/20",
            "188.114.96.0\/20",
            "197.234.240.0\/22",
            "198.41.128.0\/17",
            "162.158.0.0\/15",
            "104.16.0.0\/13",
            "104.24.0.0\/14",
            "172.64.0.0\/13",
            "131.0.72.0\/22"
        ],
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "datadirectory": "\/mnt\/data\/files",
        "dbtype": "mysql",
        "dbhost": "mariadb",
        "dbname": "owncloud",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "log_type": "owncloud",
        "supportedDatabases": [
            "sqlite",
            "mysql",
            "pgsql"
        ],
        "upgrade.disable-web": true,
        "default_language": "en",
        "overwrite.cli.url": "http:\/\/localhost:8080\/",
        "htaccess.RewriteBase": "\/",
        "logfile": "\/mnt\/data\/files\/owncloud.log",
        "loglevel": "0",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mysql.utf8mb4": true,
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "redis",
            "port": "6379"
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "version": "10.15.0.2",
        "dbconnectionstring": "",
        "allow_user_to_change_mail_address": "",
        "logtimezone": "America\/Los_Angeles",
        "installed": true,
        "instanceid": "ocx1falg7l6w",
        "singleuser": false
    }
}

List of activated apps:

Enabled:
  - activity:
    - Version: 2.7.2
    - Path: /var/www/owncloud/apps/activity
  - bookmarks:
    - Version: 0.10.6
    - Path: /var/www/owncloud/custom/bookmarks
  - calendar:
    - Version: 2.0.0
    - Path: /var/www/owncloud/custom/calendar
  - comments:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/comments
  - configreport:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/configreport
  - contacts:
    - Version: 1.5.5
    - Path: /var/www/owncloud/custom/contacts
  - dav:
    - Version: 0.7.0
    - Path: /var/www/owncloud/apps/dav
  - diagnostics:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/diagnostics
  - drawio:
    - Version: 1.0.1
    - Path: /var/www/owncloud/apps/drawio
  - encryption:
    - Version: 1.6.1
    - Path: /var/www/owncloud/apps/encryption
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/owncloud/apps/federation
  - files:
    - Version: 1.6.0
    - Path: /var/www/owncloud/apps/files
  - files_external:
    - Version: 0.9.0
    - Path: /var/www/owncloud/apps/files_external
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/www/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.2
    - Path: /var/www/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/owncloud/apps/files_sharing
  - files_texteditor:
    - Version: 2.6.1
    - Path: /var/www/owncloud/apps/files_texteditor
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/www/owncloud/apps/files_trashbin
  - files_versions:
    - Version: 1.3.0
    - Path: /var/www/owncloud/apps/files_versions
  - firstrunwizard:
    - Version: 1.3.0
    - Path: /var/www/owncloud/apps/firstrunwizard
  - gallery:
    - Version: 16.1.2
    - Path: /var/www/owncloud/custom/gallery
  - market:
    - Version: 0.9.0
    - Path: /var/www/owncloud/apps/market
  - music:
    - Version: 2.0.0
    - Path: /var/www/owncloud/custom/music
  - notes:
    - Version: 2.0.6
    - Path: /var/www/owncloud/custom/notes
  - notifications:
    - Version: 0.6.0
    - Path: /var/www/owncloud/apps/notifications
  - onlyoffice:
    - Version: 9.3.1
    - Path: /var/www/owncloud/custom/onlyoffice
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/provisioning_api
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/systemtags
  - tasks:
    - Version: 0.9.7
    - Path: /var/www/owncloud/custom/tasks
  - twofactor_totp:
    - Version: 0.9.0
    - Path: /var/www/owncloud/custom/twofactor_totp
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/updatenotification
Disabled:
  - admin_audit:
    - Path: /var/www/owncloud/apps/admin_audit
  - announcementcenter:
    - Path: /var/www/owncloud/apps/announcementcenter
  - customgroups:
    - Path: /var/www/owncloud/apps/customgroups
  - enterprise_key:
    - Path: /var/www/owncloud/apps/enterprise_key
  - external:
    - Path: /var/www/owncloud/apps/external
  - files_antivirus:
    - Path: /var/www/owncloud/apps/files_antivirus
  - files_classifier:
    - Path: /var/www/owncloud/apps/files_classifier
  - files_external_dropbox:
    - Path: /var/www/owncloud/apps/files_external_dropbox
  - files_external_ftp:
    - Path: /var/www/owncloud/apps/files_external_ftp
  - files_ldap_home:
    - Path: /var/www/owncloud/apps/files_ldap_home
  - files_lifecycle:
    - Path: /var/www/owncloud/apps/files_lifecycle
  - files_primary_s3:
    - Path: /var/www/owncloud/apps/files_primary_s3
  - firewall:
    - Path: /var/www/owncloud/apps/firewall
  - graphapi:
    - Path: /var/www/owncloud/apps/graphapi
  - guests:
    - Path: /var/www/owncloud/apps/guests
  - impersonate:
    - Path: /var/www/owncloud/apps/impersonate
  - kerberos:
    - Path: /var/www/owncloud/apps/kerberos
  - metrics:
    - Path: /var/www/owncloud/apps/metrics
  - oauth2:
    - Path: /var/www/owncloud/apps/oauth2
  - openidconnect:
    - Path: /var/www/owncloud/apps/openidconnect
  - password_policy:
    - Path: /var/www/owncloud/apps/password_policy
  - ransomware_protection:
    - Path: /var/www/owncloud/apps/ransomware_protection
  - sharepoint:
    - Path: /var/www/owncloud/apps/sharepoint
  - systemtags_management:
    - Path: /var/www/owncloud/apps/systemtags_management
  - templateeditor:
    - Path: /var/www/owncloud/apps/templateeditor
  - theme-enterprise:
    - Path: /var/www/owncloud/apps/theme-enterprise
  - user_external:
    - Path: /var/www/owncloud/apps/user_external
  - user_ldap:
    - Path: /var/www/owncloud/apps/user_ldap
  - user_shibboleth:
    - Path: /var/www/owncloud/apps/user_shibboleth
  - web:
    - Path: /var/www/owncloud/apps/web
  - windows_network_drive:
    - Path: /var/www/owncloud/apps/windows_network_drive
  - wopi:
    - Path: /var/www/owncloud/apps/wopi
  - workflow:
    - Path: /var/www/owncloud/apps/workflow

Are you using external storage, if yes which one: local/smb/sftp/…
SMB

Are you using encryption:
No

Are you using an external user-backend, if yes which one:
No

Client configuration

Browser:
Brave

Operating system:
Windows 10

Logs

Web server error log

Not sure which file this is

ownCloud log (data/owncloud.log)

{"reqId":"dP3IczmeTSouhdkiZKPb","level":2,"time":"2024-09-10T13:55:10-07:00","remoteAddr":"172.69.134.47","user":"--","app":"core","method":"POST","url":"\/login?user=greg","message":"Login failed: 'greg' (Remote IP: '172.69.134.47')"}

Browser log

No errors in browser console log

I think I resolved my issue. I changed my Caddy config from:

header_up X-Real-IP {http.request.header.Cf-Connecting-IP}

to:

header_up X-Forwarded-For {http.request.header.Cf-Connecting-IP}

I’m going to do a fresh install and make sure!

EDIT: I removed all the persisted data and ran a new container. The above Caddy config fixed my issue!

2 Likes
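Before pointing Fail2Ban at owncloud.log, it helps to confirm that failed logins now record the client address rather than a Cloudflare edge. The following is an added example, not part of the original posts: it parses log lines in the JSON format shown in the question and classifies each failed login's `remoteAddr` against the Cloudflare ranges from the posted `trusted_proxies` list. Sample lines 2 to 4 are constructed and the function names are illustrative.

```python
import ipaddress
import json

# Cloudflare ranges copied from the trusted_proxies list in the posted config.php.
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Line 1 is the entry from the question; lines 2-4 are constructed samples.
SAMPLE_LOG = r'''
{"reqId":"dP3IczmeTSouhdkiZKPb","level":2,"time":"2024-09-10T13:55:10-07:00","remoteAddr":"172.69.134.47","user":"--","app":"core","method":"POST","url":"\/login?user=greg","message":"Login failed: 'greg' (Remote IP: '172.69.134.47')"}
{"level":2,"remoteAddr":"203.0.113.25","app":"core","message":"Login failed: 'greg' (Remote IP: '203.0.113.25')"}
{"level":1,"remoteAddr":"203.0.113.25","app":"core","message":"Some unrelated entry"}
not a JSON line
'''

def is_cloudflare(addr):
    """True if addr lies inside one of the Cloudflare proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)

def classify_failed_logins(lines):
    """Return [(remoteAddr, verdict)] for each 'Login failed' entry; verdict is
    'proxy' (Cloudflare edge logged), 'client' (not a Cloudflare range) or 'invalid'."""
    results = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if not isinstance(entry, dict):
            continue
        if not str(entry.get("message", "")).startswith("Login failed"):
            continue
        addr = str(entry.get("remoteAddr", ""))
        try:
            verdict = "proxy" if is_cloudflare(addr) else "client"
        except ValueError:
            verdict = "invalid"  # remoteAddr is not a single IP address
        results.append((addr, verdict))
    return results

if __name__ == "__main__":
    for addr, verdict in classify_failed_logins(SAMPLE_LOG.splitlines()):
        print(f"{addr:15} {verdict}")
```

Any `proxy` verdict means a ban on that address would hit a Cloudflare edge shared by many visitors instead of the offending client.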

Be aware that using fail2ban locally against remote IPs that are proxied will have no effect since the connection at the IP layer will always come from a Cloudflare proxy IP. Your fail2ban action would need to apply updates to rules in your Cloudflare instance to make any real impact.

1 Like

Gotcha! I’m using a Cloudflare action in fail2ban to push the client IP to Cloudflare. Makes it very handy!

2 Likes

Hey,

I think the ownCloud documentation is also mentioning that ownCloud is using the X-Forwarded-For by default:

so I think this solution is correct.

1 Like

@tom42 I removed this section from the ownCloud config.php, as X-Forwarded-For is used by default:

        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],

But I still need to keep this line in Caddy, as if I remove this line in Caddy, the ownCloud log keeps showing the proxy IP:

header_up X-Forwarded-For {http.request.header.Cf-Connecting-IP}

Is the Trusted Proxies in my posted config.php not correct?

Hey,

I think it could be possible that it is required to consult the Caddy support on questions about the requirements on the Caddy configuration, because I think it could be possible that the ownCloud community can’t give support due to the lack of knowledge on the web server specifics. 🙁