Summary
The default NEXTCLOUD_TRUSTED_PROXIES value trusts entire private network ranges instead of only the actual reverse proxy addresses.
Evidence
.env.example:200 defaults to 127.0.0.1 ::1 10.0.0.0/8 fc00::/7.configs/installer/nextcloud_setup_default.sh:128-135 applies this value directly to Nextcloud.
Risk
Any client reaching the service from those ranges can spoof forwarded-IP headers. That can affect logging, brute-force protection, and other proxy-aware security controls.
Suggested Remediation
- Default to loopback only, or to an empty value that must be set explicitly.
- Document that only the exact reverse proxy IPs or subnets should be trusted.
Summary
The default
NEXTCLOUD_TRUSTED_PROXIESvalue trusts entire private network ranges instead of only the actual reverse proxy addresses.Evidence
.env.example:200defaults to127.0.0.1 ::1 10.0.0.0/8 fc00::/7.configs/installer/nextcloud_setup_default.sh:128-135applies this value directly to Nextcloud.Risk
Any client reaching the service from those ranges can spoof forwarded-IP headers. That can affect logging, brute-force protection, and other proxy-aware security controls.
Suggested Remediation