aboutsummaryrefslogtreecommitdiffstats
path: root/apps/settings/lib
diff options
context:
space:
mode:
authorCôme Chilliet <91878298+come-nc@users.noreply.github.com>2023-11-21 09:50:38 +0100
committerGitHub <noreply@github.com>2023-11-21 09:50:38 +0100
commit24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f (patch)
tree9b13480ab888dc66a332396f952b00d82cb308d3 /apps/settings/lib
parent0e433501bbe68b42bd466c43bfb8ef0afb75c820 (diff)
parentad372869bc803c3540fd8657c4fcb643d3db5b08 (diff)
downloadnextcloud-server-24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f.tar.gz
nextcloud-server-24c2c09aeae1e99f9d6f1dff0103db3b6198cb4f.zip
Merge pull request #41438 from nextcloud/feat/migrate-forwarded-for-headers-check
Migrate forwarded for headers check
Diffstat (limited to 'apps/settings/lib')
-rw-r--r--apps/settings/lib/AppInfo/Application.php2
-rw-r--r--apps/settings/lib/Controller/CheckSetupController.php26
-rw-r--r--apps/settings/lib/SetupChecks/BruteForceThrottler.php14
-rw-r--r--apps/settings/lib/SetupChecks/ForwardedForHeaders.php94
4 files changed, 105 insertions, 31 deletions
diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php
index 6f4a94bdda9..d694e650b48 100644
--- a/apps/settings/lib/AppInfo/Application.php
+++ b/apps/settings/lib/AppInfo/Application.php
@@ -53,6 +53,7 @@ use OCA\Settings\SetupChecks\CheckUserCertificates;
use OCA\Settings\SetupChecks\DefaultPhoneRegionSet;
use OCA\Settings\SetupChecks\EmailTestSuccessful;
use OCA\Settings\SetupChecks\FileLocking;
+use OCA\Settings\SetupChecks\ForwardedForHeaders;
use OCA\Settings\SetupChecks\InternetConnectivity;
use OCA\Settings\SetupChecks\LegacySSEKeyFormat;
use OCA\Settings\SetupChecks\MemcacheConfigured;
@@ -162,6 +163,7 @@ class Application extends App implements IBootstrap {
$context->registerSetupCheck(DefaultPhoneRegionSet::class);
$context->registerSetupCheck(EmailTestSuccessful::class);
$context->registerSetupCheck(FileLocking::class);
+ $context->registerSetupCheck(ForwardedForHeaders::class);
$context->registerSetupCheck(InternetConnectivity::class);
$context->registerSetupCheck(LegacySSEKeyFormat::class);
$context->registerSetupCheck(MemcacheConfigured::class);
diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php
index 6d74a670a07..13e54063d8a 100644
--- a/apps/settings/lib/Controller/CheckSetupController.php
+++ b/apps/settings/lib/Controller/CheckSetupController.php
@@ -247,31 +247,6 @@ class CheckSetupController extends Controller {
}
/**
- * Check if the reverse proxy configuration is working as expected
- *
- * @return bool
- */
- private function forwardedForHeadersWorking(): bool {
- $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
- $remoteAddress = $this->request->getHeader('REMOTE_ADDR');
-
- if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') {
- return false;
- }
-
- if (\is_array($trustedProxies)) {
- if (\in_array($remoteAddress, $trustedProxies, true) && $remoteAddress !== '127.0.0.1') {
- return $remoteAddress !== $this->request->getRemoteAddress();
- }
- } else {
- return false;
- }
-
- // either not enabled or working correctly
- return true;
- }
-
- /**
* Checks if the correct memcache module for PHP is installed. Only
* fails if memcached is configured and the working module is not installed.
*
@@ -721,7 +696,6 @@ Raw output
'cronErrors' => $this->getCronErrors(),
'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(),
'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(),
- 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(),
'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'),
'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(),
'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(),
diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php
index 6c1efd56bc1..3fbdf2d788a 100644
--- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php
+++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php
@@ -53,17 +53,21 @@ class BruteForceThrottler implements ISetupCheck {
public function run(): SetupResult {
$address = $this->request->getRemoteAddress();
if ($address === '') {
- return SetupResult::info(
- $this->l10n->t('Your remote address could not be determined.')
- );
+ if (\OC::$CLI) {
+ /* We were called from CLI */
+ return SetupResult::info($this->l10n->t('Your remote address could not be determined.'));
+ } else {
+ /* Should never happen */
+ return SetupResult::error($this->l10n->t('Your remote address could not be determined.'));
+ }
} elseif ($this->throttler->showBruteforceWarning($address)) {
return SetupResult::error(
- $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address),
+ $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', [$address]),
$this->urlGenerator->linkToDocs('admin-reverse-proxy')
);
} else {
return SetupResult::success(
- $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', $address)
+ $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', [$address])
);
}
}
diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php
new file mode 100644
index 00000000000..3572feabb1f
--- /dev/null
+++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php
@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Settings\SetupChecks;
+
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+
+class ForwardedForHeaders implements ISetupCheck {
+ public function __construct(
+ private IL10N $l10n,
+ private IConfig $config,
+ private IURLGenerator $urlGenerator,
+ private IRequest $request,
+ ) {
+ }
+
+ public function getCategory(): string {
+ return 'security';
+ }
+
+ public function getName(): string {
+ return $this->l10n->t('Forwared for headers');
+ }
+
+ public function run(): SetupResult {
+ $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
+ $remoteAddress = $this->request->getHeader('REMOTE_ADDR');
+ $detectedRemoteAddress = $this->request->getRemoteAddress();
+
+ if (!\is_array($trustedProxies)) {
+ return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.'));
+ }
+
+ if (($remoteAddress === '') && ($detectedRemoteAddress === '')) {
+ if (\OC::$CLI) {
+ /* We were called from CLI */
+ return SetupResult::info($this->l10n->t('Your remote address could not be determined.'));
+ } else {
+ /* Should never happen */
+ return SetupResult::error($this->l10n->t('Your remote address could not be determined.'));
+ }
+ }
+
+ if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') {
+ return SetupResult::error(
+ $this->l10n->t('The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'),
+ $this->urlGenerator->linkToDocs('admin-reverse-proxy')
+ );
+ }
+
+ if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) {
+ if ($remoteAddress !== $detectedRemoteAddress) {
+ /* Remote address was successfuly fixed */
+ return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', [$detectedRemoteAddress]));
+ } else {
+ return SetupResult::warning(
+ $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'),
+ $this->urlGenerator->linkToDocs('admin-reverse-proxy')
+ );
+ }
+ }
+
+ /* Either not enabled or working correctly */
+ return SetupResult::success();
+ }
+}