I am running this docker image: https://github.com/nextcloud/docker with a cloudflare tunnel, meaning the webserver would see all the traffic coming from a single ip in 172.16.0.0/12 .

The documentation says:

The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from X-Real-IP if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default

So I thought that this is a not a problem, as other docker images can also automagically figure out the real IP address from traffic coming from cloudflare tunnels.

In the beginning it worked fine, then it was SLOW. Like 2 full minutes to load new feeds on news, waiting ages to complete a sync, and so on. I rebooted the server on those instances, and then it worked fine for a day.

So because at the time i was running it on unraid, i blamed the lag on that OS + my weird array of HDDs with decades of usage on them. Migrated to debian on a nvme array and… same lag!

Wasted hours trying to use caddy+fpm instead of apache and it’s the same, worked fine for a day, then it was slow again.

Then I wondered: what if the program is “smart” and throttles it by itself without any warning to the admin if it thinks that an ip address is sending too many requests?

Modified the docker compose like this:

  nextcloud:
    image: nextcloud

became

  nextcloud:
    build: .

and I created a Dockerfile with

FROM nextcloud
RUN apt update -y && apt upgrade -y
RUN apt install -y libbz2-dev
RUN docker-php-ext-install bz2
RUN a2enmod rewrite remoteip
COPY remoteip.conf /etc/apache2/conf-enabled/remoteip.conf

with this as the content of remoteip.conf

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

and now because nextcloud is seeing all the different ip addresses it doesn’t throttle the connections anymore!

  • lemmyvore@feddit.nl
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    4
    ·
    9 months ago

    They think the free CF tier offers DDoS protection, which (a) will never happen to their server and (b) if it ever happened would consist of CF disconnecting their tunnel and black-holing their IP and domain until it blows over.

    They also think CDN helps when your services are behind authentication.

    Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy for them so they never stop to think too much about it.

    • rufus@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      9 months ago

      Thanks. I read a lot of people recommending cloudflare. I believe a substantial amount of that group is on the free tier and not exactly making informed choices. Being a registrar, DNS provider and offering tunneling / port forwarding or some mechanism to traverse your home NAT are valid use-cases.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy

      You should never put all your eggs in one basket. Using one company for all three of these essentially gives them full control of your domain.

      It’s a best practice to use separate companies for registrar and website/proxy. If there’s ever some sort of dispute about the contents of the site, you can change the DNS to point to a different host. That’s not always possible when the same company handles both.