Score:0

Nextcloud with Docker Compose behind reverse proxy (nginx) with proxy_pass (leaking images)

I have Nextcloud running with the following docker-compose.yml file and I use Plesk with nginx as a reverse proxy.

My problem is that the images are accessible without a login. I can open an image with the following URL: https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true

I tried the nginx directives from the Nextcloud docker-compose example on GitHub. The problem here is that it does not work, because I have to use proxy_pass http://127.0.0.1:8080/;

Can someone help me prevent access to the images without a login?

version: '3'

services:
  db:
    image: mariadb:10.5
    container_name: nextcloud-mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    environment:
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    env_file:
      - db.env
    volumes:
      - ./volumes/mariadb:/var/lib/mysql

  redis:
    image: redis:alpine
    container_name: nextcloud-redis
    restart: always
    command: /bin/sh -c "redis-server --requirepass $$REDIS_HOST_PASSWORD"
    env_file:
      - redis.env

  app:
    image: nextcloud:apache
    container_name: nextcloud-app
    restart: always
    ports:
      - 127.0.0.1:8080:80
    volumes:
      - ./volumes/nextcloud:/var/www/html
    depends_on:
      - db
      - redis
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nc.mydomain.com
    env_file:
      - db.env
      - redis.env

  cron:
    image: nextcloud:apache
    container_name: nextcloud-cron
    restart: always
    volumes:
      - ./volumes/nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  db:
  nextcloud:

"Additional nginx directives" in the Plesk settings for the Nextcloud Subdomain (leaking images).

location / {
  proxy_set_header    Host $host;
  proxy_set_header    X-Real-IP $remote_addr;
  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_pass          http://127.0.0.1:8080/;
  proxy_read_timeout  36000s;
  #Only use secure connection
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
  #Allow big files to upload
  client_max_body_size 0;
}

location /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}
Score:0

The browser cached the image.
That's why it was possible to open the image without logging in to Nextcloud.

Open the URL https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true in a different browser, or clear the cache after logout, and the images are not accessible anymore.
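
A browser-independent way to repeat the check described in the answer above, as an added example that is not part of the original posts: the preview URL is requested with no cache and no cookies, so the result reflects what the server enforces. It runs against a constructed local stub; `StubPreview`, the `session=ok` cookie and the function names are assumptions, not Nextcloud's own.

```python
import http.server
import threading
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, cookie=None, timeout=10):
    """Fetch url like a fresh client: no cache, no redirects, no session
    cookie unless one is passed. Returns (status, verdict)."""
    headers = {"Cache-Control": "no-cache"}
    if cookie:
        headers["Cookie"] = cookie
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(request, timeout=timeout) as r:
            status, ctype = r.status, r.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx land here
        status, ctype = err.code, ""
    served = 200 <= status < 300 and ctype.startswith("image/")
    return status, ("served" if served else "denied")

class StubPreview(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the proxied app: image only with a session cookie."""
    def do_GET(self):
        ok = "session=ok" in self.headers.get("Cookie", "")
        body = b"\x89PNG" if ok else b""
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "image/png" if ok else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo output quiet
        pass

def run_demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubPreview)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/core/preview?fileId=30&x=2880&y=1800&a=true"
    try:
        # First probe is anonymous, second carries the constructed session cookie.
        return probe(url), probe(url, cookie="session=ok")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Pointed at the real preview URL, a "denied" verdict for the cookie-less `probe()` call means the server enforces the login and an image seen after logout came from the browser cache.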
