[Bug]: NC 24 Trusted domain error. "X.X.X.X tried to access using "X.X.X.X" as host.

[ghost]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Ever since NC 24 my log gets spammed with Trusted domain error. "192.241.216.39" tried to access using "X.X.X.X" as host.
Is there a way to turn these warnings off ON NC 23 and below only got the warnings if someone trys to log and it was incorrect

Steps to reproduce

Ever since NC 24 my log gets spammed with Trusted domain error. "192.241.216.39" tried to access using "X.X.X.X" as host.
Is there a way to turn these warnings off ON NC 23 and below only got the warnings if someone trys to log and it was incorrect

Expected behavior

Ever since NC 24 my log gets spammed with Trusted domain error. "192.241.216.39" tried to access using "X.X.X.X" as host.
Is there a way to turn these warnings off ON NC 23 and below only got the warnings if someone trys to log and it was incorrect

Installation method

Manual installation

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

No response

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "24.0.1.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "simpleSignUpLink.shown": false,
        "trashbin_retention_obligation": "auto,30",
        "skeletondirectory": "",
        "default_phone_region": "US",
        "allow_local_remote_servers": true,
        "preview_max_memory": 1280,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "587",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "maintenance": false,
        "updater.release.channel": "stable",
        "theme": "",
        "loglevel": 2,
        "versions_retention_obligation": "auto,30",
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - encryption: 2.12.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_external: 1.16.1
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - impersonate: 1.11.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - officeonline: 1.1.3
  - password_policy: 1.14.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_admin: 3.2.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_totp: 6.3.0-beta.1
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - circles: 23.0.0
  - user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

Additional info

No response

[BJKle]

Same here. Very annoying. You don’t see real errors anymore because the log is full of it.
I get between 30-40 messages from different IP-addresses.

[ghost]

I hope they make a change or give an option to turn this option off.

[kamanwu]

add IP address after "using..." into trusted_domains.

[ghost]

add IP address after "using..." into trusted_domains.

This fixed the issue for me. Im not sure if this would still be an bug or a configuration issue?

[abysso2]

add IP address after "using..." into trusted_domains.

Why should i add an ip from north kansas to my german nextcloud instance?

[Wotisrv]

Do NOT add those IP's to your NC instance. I get those messages too. They try to get access. Use fail2ban to ban them and GeoIP addon to block IP's from countries outside Germany i.e.
2FA authentication recommends too 😊

[BJKle]

Too many different IP addresses every day. Can’t keep up. This isn’t a solution.
Why isn’t it with version < 24.
What has changed?
Can’t it get reversed?
This is really annoying. I can’t see important errors/warning,…

[Wotisrv]

I don't know if it is the same situation as I had. My Nextcloud instance was not on the last patch level and it was hit by this vulnerability

GHSA-24pm-rjfv-23mh

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912

I got exact the same log entries like you, with a lot of IP addresses which tried to get access. I figured out that it came from my own instance. The file permissions of some directories and files have been set to 43. Furthermore, fail2ban was compromised, so that incoming IP addresses were no longer banned. In addition, another port was opened that communicated with an unknown IP. I had to reinstall everything and now the log is silent again.

[BJKle]

I have it on different instances of Nextcloud with different OS and hardware. Both were „silent“ until I upgraded them to the latest server version.
Mail isn’t installed.
When I check the source code of NC there is a comment where this error is generated, to remove it.
Hmmm.

[MrRinkana]

There is some confusion in the comments.

This is a configuration issue, your config.php is missing your public ip in the trusted domains (the blurred IPs in the image provided by andyxheli).

Do NOT add the different IPs that are not your public IP (the IP addresses that come right after "Trusted domain error.").

You might be getting spammed by these errors as bots scan your IP (and enter the IP directly instead of the URL, which you already might have in your trusted domains).

Explained by example

• I have a server at nextcloud.example.com.

• My server sits at the ip of 1.2.3.4.

• I have added nextcloud.example.com to the trusted domains in my config.php but NOT the ip 1.2.3.4.

• Humans will use the URL and everything will work fine.

• Bots will use the IP, and get blocked, generating the error:
  Trusted domain error. "8.8.8.8 tried to access using "1.2.3.4" as host.

This can be solved by either:

• Adding your public IP (1.2.3.4 in this example) to the trusted domains. If you have a dynamic IP you will have to update this every time your IP changes.
• Selecting a lower log level (level 3 och 4) to ignore the warnings.

[BJKle]

Thank you for that information.
Maybe I don't understand it. Has it changed from version 23 to 24?
Because I, and probably many of us, don't have a fixed public IP.
I get a new one every day and use a DynDNS Service.
To change my config.php every day is not feasible.

[MrRinkana]

Thank you for that information. Maybe I don't understand it. Has it changed from version 23 to 24? Because I, and probably many of us, don't have a fixed public IP. I get a new one every day and use a DynDNS Service. To change my config.php every day is not feasible.

To my knowledge this behaviour has not changed between nc23 to nc24. The errors might have started popping up after upgrade simply because it coincided with bots starting to scan your IP.

It is completely fine to not add the public ip to the config, users will still be able to connect if they enter the URL (example "mynextcloud.dyndns.com") provided by your dynamic dns (assuming you have added that to your config).

The only thing that happens without the IP in the config - is that whoever enters the IP address (example "1.2.3.4") directly in the address bar will not be able to connect. Since no humans will use the IP directly, especially if it changes often, no actual user will have issues.

If you are getting these warnings (and a lot of them): bots are scanning your IP. This is probably nothing to worry about, but take it as a reminder to keep your machine and NC updated so no old vulnerabilities can be used.

Hope this clears it up!

Disclaimer:

Theoretically there could be an app or something a user uses to connect to the NC that could use the IP directly, and thus have issues without the IP in the config (trusted domains), but its a weird way to do that. I have not found any that would connect in that way, nor do the official apps. If you find an app that can't connect without the public IP in the trusted domains, you could probably take that with the developer of that app (it should probably not be done that way).

ps. You can try the behaviour yourself, by opening two browser windows and writing your URL in one and your current public IP in the other one. If your IP is not in the trusted domains, that one will show an "untrusted domain" page, but the one using the URL should work fine (as long as the URL is in the trusted domains).

[BJKle]

Well, I could figure it out. It was introduced in version 24.

Here is the change: e6d9ef2

when it is a "normal behaviour" that bots scan it (and they will do), it should be an info and not a warning.
I don't look at "info" but "warning" and find a solution for that. But as you wrote, there isn't a solution, except rolling back this change.

[ghost]

I created a pull request to revert it back to info. Lets see what happens.

[BJKle]

I created a pull request to revert it back to info. Lets see what happens.

Unfortunately nothing happened. :-(

[ghost]

Hey all! Pull request has been merged

[BJKle]

unfortunately it didn't make it to NC 25 RC3

[ghost]

Yes, you're right its not in 24.0.6 also. Please see my reply #33737 (comment)

[BJKle]

I did the two reviews.
It is a really easy change and cannot harm anything.
Anyone else please, in order to get it merged to the current active branches.
Thank you

[ghost]

Closing since pull request has been merged

[alghanim-lab]

it looks like the problem has finally been solved with new update 24.0.8.2