
I have Nextcloud running with the following docker-compose.yml file and I use Plesk with nginx as a reverse proxy.

My problem is that the images are accessible without a login. I can open an image with the following URL: https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true

I tried the nginx directives from the Nextcloud docker-compose example on GitHub. The problem is that they do not work, because I have to use proxy_pass http://127.0.0.1:8080/;

Can someone help me prevent access to the images without a login?

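version: '3'

services:
  db:
    image: mariadb:10.5
    container_name: nextcloud-mariadb
    # Isolation level and binlog format recommended by Nextcloud's MariaDB docs.
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    environment:
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    # Database credentials live in db.env, not in this file.
    env_file:
      - db.env
    volumes:
      # The leading "./" makes this an explicit bind mount. A bare
      # "volumes/mariadb" is read by Compose as a *named* volume, and "/"
      # is not a valid character in a volume name.
      - ./volumes/mariadb:/var/lib/mysql

  redis:
    image: redis:alpine
    container_name: nextcloud-redis
    restart: always
    # "$$" escapes Compose interpolation, so the shell inside the container
    # expands $REDIS_HOST_PASSWORD (supplied via redis.env) at start-up.
    command: /bin/sh -c "redis-server --requirepass $$REDIS_HOST_PASSWORD"
    env_file:
      - redis.env

  app:
    image: nextcloud:apache
    container_name: nextcloud-app
    restart: always
    ports:
      # Published on the host loopback only, so the container is reachable
      # just through the local reverse proxy and never directly from the
      # network. Quoted so the "host:port:port" form is always a string.
      - "127.0.0.1:8080:80"
    volumes:
      # Explicit bind mount; see the note on the db service.
      - ./volumes/nextcloud:/var/www/html
    depends_on:
      - db
      - redis
    # NOTE(review): behind a reverse proxy, Nextcloud honours X-Forwarded-*
    # headers only from addresses listed in its trusted_proxies setting.
    # The image's TRUSTED_PROXIES / OVERWRITEPROTOCOL variables cover this;
    # the right values depend on the Docker network -- confirm against the
    # actual setup before adding them.
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nc.mydomain.com
    env_file:
      - db.env
      - redis.env

  cron:
    image: nextcloud:apache
    container_name: nextcloud-cron
    restart: always
    volumes:
      # Same data directory as "app", so background jobs see the same files.
      - ./volumes/nextcloud:/var/www/html
    # Runs the image's cron entry point instead of the web server.
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

# These named volumes are not referenced by any service above (the services
# use bind mounts under ./volumes). Keep them only if you plan to switch to
# named volumes; otherwise they can be removed.
volumes:
  db:
  nextcloud: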

These are the "Additional nginx directives" in the Plesk settings for the Nextcloud subdomain (the configuration with which the images were accessible):

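location / {
  # Pass the original host, client address and scheme through to the
  # container; without these the upstream only sees 127.0.0.1 over http.
  # NOTE(review): Nextcloud only honours X-Forwarded-* headers from proxies
  # listed in its trusted_proxies setting -- confirm that is configured.
  proxy_set_header    Host $host;
  proxy_set_header    X-Real-IP $remote_addr;
  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto $scheme;
  # Upstream is the "app" container published on the host loopback only.
  proxy_pass          http://127.0.0.1:8080/;
  # Long-running requests (big syncs/uploads) must not be cut off by nginx.
  proxy_read_timeout  36000s;
  # Only use secure connections. "always" also emits the header on error
  # responses (401/404/5xx); without it nginx adds it to 2xx/3xx only.
  # "preload" asks browsers' preload lists to pin this domain and is hard
  # to undo later -- keep it only if that is intended.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  # Allow big files to upload (no request body size limit).
  client_max_body_size 0;
}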

# CardDAV client discovery: redirect the well-known URL to Nextcloud's DAV
# endpoint. Uses the request's own scheme and host, so it works for the
# same name the client connected with.
location /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}

# CalDAV client discovery: same redirect as carddav, both end up at the
# single DAV endpoint remote.php/dav.
location /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}



The browser had cached the image.
That is why it was possible to open the image without logging in to Nextcloud: the browser served its own cached copy instead of requesting the file from the server again.

Open the URL https://nc.mydomain.com/core/preview?fileId=30&x=2880&y=1800&a=true in a different browser (or a private window), or clear the cache after logging out, and the image is no longer accessible. If it still opened without a session there, the server itself would be serving it unauthenticated, which is the case that would need investigating.
