Nextcloud reports reverse proxy issue when no reverse proxy

1. The problem I’m having:

After migrating from Apache2 to Caddy my Nextcloud (v29.0.2) installation “Administration settings” emits the following warning:

The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. For more details see the [documentation ↗](

Which links to the Nextcloud documentation :arrow_upper_right:, the source for the error is this line in the source.

My nextcloud config.php has not changed; the trusted_domains is still the correct domain name for the Nextcloud instance, itself.

The real problem is that this Nextcloud instance is not running behind a reverse proxy at all.

2. Error messages and/or full log output:

avuton@firecracker ~> curl -vvv
* Host was resolved.
* IPv6: (none)          
* IPv4:
*   Trying
* Connected to ( port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt                                                  
*  CApath: none                                                                                                                                                                               * TLSv1.3 (IN), TLS handshake, Server hello (2):                                                                                                                                              
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):  
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey                                                                                                             * ALPN: server accepted h2
* Server certificate:                                                                                                                                                                         
*  subject:                                                                                                                                                                 
*  start date: Jun 11 11:44:59 2024 GMT                                                        
*  expire date: Sep  9 11:44:58 2024 GMT
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2                       
* [HTTP/2] [1] OPENED stream for
* [HTTP/2] [1] [:method: GET]                                                                  
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority:]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.8.0]
> Accept: */*
* Request completely sent off
< HTTP/2 302 
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store, no-cache, must-revalidate
< content-security-policy: default-src 'self'; script-src 'self' 'nonce-MzdORkJ3NGs5T2xQR0syNkpvakZqb2FIVFVHS2JtVGdMRkduZ29HNVJXYz06N2RnaFNIbEZqcjBMY0p5TlNNMjk3T3J0Q3lYTUhBYlRiMlhLN2UyS0FDaz
0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< content-type: text/html; charset=UTF-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< location:
< pragma: no-cache
< referrer-policy: no-referrer
< server: Caddy
< set-cookie: oc_sessionPassphrase=vWef8pgy%2BJ9j6vK%2FofsR%2ByXBXlf%2BxwGRACUtbtqXo2g1GgFXsfZ%2BuErmtq0q5NyrMrRtpP6T0qzFuZ6kAr4UTfOb2gPrnUVw9AgZ00iJibq60qSjJpBQKYfZfZBT1Yxx; path=/; secure;
 HttpOnly; SameSite=Lax
< set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< set-cookie: ocgdgj675i9h=deado4bk248lhrpuqh9a0m3v7a; path=/; secure; HttpOnly; SameSite=Lax
< status: 302 Found
< strict-transport-security: max-age=15552000;
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: noindex, nofollow
< x-xss-protection: 1; mode=block
< content-length: 0
< date: Fri, 21 Jun 2024 09:45:44 GMT
* Connection #0 to host left intact

3. Caddy version:

caddy version 2.6.2

4. How I installed and ran Caddy:

a. System environment:

Debian x86_64

systemd 256 (256-1)

No docker, nothing else I can think of being relevant.

b. Command:

root@kahn:~# systemctl status caddy
● caddy.service - Caddy
     Loaded: loaded (/usr/lib/systemd/system/caddy.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-06-14 05:12:10 PDT; 6 days ago
 Invocation: 658514cf4afe48bfa156995c2cb1e47c
   Main PID: 162251 (caddy)
      Tasks: 30 (limit: 76165)
     Memory: 224.8M (peak: 287M)
        CPU: 5min 29.418s
     CGroup: /system.slice/caddy.service
             └─162251 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:


d. My complete Caddy config: {
        root * /usr/share/nextcloud/base/
        php_fastcgi unix//run/php/php-fpm.sock {
                env PATH /usr/local/bin:/usr/bin:/bin

        redir /.well-known/carddav /remote.php/dav/ 301
        redir /.well-known/caldav /remote.php/dav/ 301

        # Stop acccess from internet
        @forbidden {
                path /.htaccess
                path /.xml
                path /3rdparty/*
                path /README
                path /config/*
                path /console.php
                path /data/*
                path /db_structure
                path /lib/*
                path /occ
                path /templates/*
                path /tests/*
        respond @forbidden 404

        header {
                Strict-Transport-Security "max-age=15552000;"
                X-Frame-Options "SAMEORIGIN" always
                X-Permitted-Cross-Domain-Policies "none" always
                X-Robots-Tag "none" always
                X-XSS-Protection "1; mode=block" always
                X-Content-Type-Options "nosniff" always

5. Links to relevant resources:

Can’t think of any.

Caddy is the reverse proxy. Even when running with PHP-FPM, it’s still acting like a reverse proxy.

Make sure to configure trusted proxies in Nextcloud, so that it trusts connections coming from Caddy.

That’s quite an old Caddy version. Please use the latest, v2.8.4. Please follow our official installation instructions. Install — Caddy Documentation

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.