1. The problem I’m having:
After migrating from Apache2 to Caddy, the “Administration settings” page of my Nextcloud (v29.0.2) installation emits the following warning:
The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. nc.anpmech.com For more details see the documentation (https://docs.nextcloud.com/server/29/go.php?to=admin-reverse-proxy)
That links to the Nextcloud documentation; the source for the error is this line in the source.
My Nextcloud config.php has not changed; trusted_domains still holds the correct domain name for the Nextcloud instance itself.
The real problem is that this Nextcloud instance is not running behind a reverse proxy at all.
2. Error messages and/or full log output:
avuton@firecracker ~> curl -vvv https://nc.anpmech.com
* Host nc.anpmech.com:443 was resolved.
* IPv6: (none)
* IPv4: 76.121.230.144
* Trying 76.121.230.144:443...
* Connected to nc.anpmech.com (76.121.230.144) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=nc.anpmech.com
* start date: Jun 11 11:44:59 2024 GMT
* expire date: Sep 9 11:44:58 2024 GMT
* subjectAltName: host "nc.anpmech.com" matched cert's "nc.anpmech.com"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://nc.anpmech.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: nc.anpmech.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.8.0]
> Accept: */*
>
* Request completely sent off
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store, no-cache, must-revalidate
< content-security-policy: default-src 'self'; script-src 'self' 'nonce-MzdORkJ3NGs5T2xQR0syNkpvakZqb2FIVFVHS2JtVGdMRkduZ29HNVJXYz06N2RnaFNIbEZqcjBMY0p5TlNNMjk3T3J0Q3lYTUhBYlRiMlhLN2UyS0FDaz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< content-type: text/html; charset=UTF-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< location: https://nc.anpmech.com/index.php/login
< pragma: no-cache
< referrer-policy: no-referrer
< server: Caddy
< set-cookie: oc_sessionPassphrase=vWef8pgy%2BJ9j6vK%2FofsR%2ByXBXlf%2BxwGRACUtbtqXo2g1GgFXsfZ%2BuErmtq0q5NyrMrRtpP6T0qzFuZ6kAr4UTfOb2gPrnUVw9AgZ00iJibq60qSjJpBQKYfZfZBT1Yxx; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< set-cookie: ocgdgj675i9h=deado4bk248lhrpuqh9a0m3v7a; path=/; secure; HttpOnly; SameSite=Lax
< status: 302 Found
< strict-transport-security: max-age=15552000;
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: noindex, nofollow
< x-xss-protection: 1; mode=block
< content-length: 0
< date: Fri, 21 Jun 2024 09:45:44 GMT
<
* Connection #0 to host nc.anpmech.com left intact
3. Caddy version:
caddy version 2.6.2
4. How I installed and ran Caddy:
a. System environment:
Debian x86_64
systemd 256 (256-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT +LIBARCHIVE
No Docker; nothing else I can think of that is relevant.
b. Command:
root@kahn:~# systemctl status caddy
● caddy.service - Caddy
Loaded: loaded (/usr/lib/systemd/system/caddy.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-06-14 05:12:10 PDT; 6 days ago
Invocation: 658514cf4afe48bfa156995c2cb1e47c
Docs: https://caddyserver.com/docs/
Main PID: 162251 (caddy)
Tasks: 30 (limit: 76165)
Memory: 224.8M (peak: 287M)
CPU: 5min 29.418s
CGroup: /system.slice/caddy.service
└─162251 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
nc.anpmech.com {
    root * /usr/share/nextcloud/base/
    file_server
    php_fastcgi unix//run/php/php-fpm.sock {
        env PATH /usr/local/bin:/usr/bin:/bin
    }

    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301

    # Stop access from internet
    @forbidden {
        path /.htaccess
        path /.xml
        path /3rdparty/*
        path /README
        path /config/*
        path /console.php
        path /data/*
        path /db_structure
        path /lib/*
        path /occ
        path /templates/*
        path /tests/*
    }
    respond @forbidden 404

    header {
        Strict-Transport-Security "max-age=15552000;"
        # Caddy's header directive has no Apache-style "always" flag: a third
        # argument is read as a regex *replacement* for the header value, so
        # "always" has been dropped from the lines below.
        X-Frame-Options "SAMEORIGIN"
        X-Permitted-Cross-Domain-Policies "none"
        X-Robots-Tag "none"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
    }
}
5. Links to relevant resources:
Can’t think of any.
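The warning quoted above is about a concrete attack: if an application believes a forwarded-for header from anyone, any client can write whatever "client IP" it likes into that header and defeat IP-based throttling, logging or allowlists. The following is an added illustration of the trust rule the Nextcloud documentation describes for trusted_proxies (honour the header only when the TCP peer is a listed proxy); it is my own code, not Nextcloud's or Caddy's, the function names, the walk-from-the-right handling of proxy chains and the sample addresses (RFC 5737 documentation ranges) are my own choices, and it shows the insecure variant beside the correct one:

```python
"""Client-IP resolution behind (or not behind) a reverse proxy.

Added example, not code from the post, Nextcloud or Caddy. A forwarded
header may only be honoured when the TCP peer is a trusted proxy; with no
proxy in front (the situation in the post) the trusted-proxy list is empty
and X-Forwarded-For must be ignored entirely.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ip(text: str) -> Optional[IPAddr]:
    """Parse one address literal; tolerates [v6] brackets and a :port suffix on v4."""
    text = text.strip()
    if text.startswith("[") and "]" in text:
        text = text[1:text.index("]")]
    elif text.count(":") == 1:          # "203.0.113.5:443" -> "203.0.113.5"
        text = text.split(":", 1)[0]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_trusted(addr: IPAddr, proxies: List[IPNet]) -> bool:
    return any(addr in net for net in proxies)


def client_ip_naive(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """INSECURE: believes X-Forwarded-For no matter who sent it.

    A client talking to the server directly can send the header itself, so
    the 'client IP' returned here is attacker-controlled.
    """
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Resolve the client address using a trusted-proxy list (IPs or CIDRs).

    The header is consulted only when the TCP peer (REMOTE_ADDR) is itself a
    trusted proxy. Hops are then walked right to left, because each proxy
    appends the peer it saw; the first hop that is not a trusted proxy is the
    real client, and everything further left is client-supplied.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = parse_ip(remote_addr)
    if peer is None or not is_trusted(peer, nets) or not x_forwarded_for:
        return remote_addr          # no proxy in front: the peer *is* the client
    for hop in reversed(x_forwarded_for.split(",")):
        addr = parse_ip(hop)
        if addr is None:
            break                   # malformed entry: stop trusting the chain
        if not is_trusted(addr, nets):
            return str(addr)
    return remote_addr              # every hop was a proxy, or chain malformed


if __name__ == "__main__":
    # Constructed sample requests using RFC 5737 documentation addresses.
    spoof = "10.0.0.1"                                   # header sent by the client
    print(client_ip_naive("203.0.113.5", spoof))          # 10.0.0.1 (spoof accepted)
    print(client_ip("203.0.113.5", spoof, []))            # 203.0.113.5 (spoof ignored)
    # Real chain: client -> proxy 10.0.0.2 -> proxy 127.0.0.1 -> application.
    chain = "192.0.2.9, 198.51.100.7, 10.0.0.2"           # 192.0.2.9 injected by client
    print(client_ip("127.0.0.1", chain, ["127.0.0.1/32", "10.0.0.0/8"]))  # 198.51.100.7
```

For an instance that genuinely has no proxy in front, as in this post, the correct configuration is the empty trusted-proxy list in the second call: the application then records the TCP peer and cannot be fooled by a forwarded header.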