Bruteforce protection and Reverse Proxies
Nextcloud offers native support against brute force protection attacks, thus significantly enhancing your users' security.
The protection works on a per IP basis; this means that once a single IP address has performed too many invalid logins attempts the IP address in question will is throttled. The throttling is applied to multiple security related endpoints such as the login interface.
To work correctly, your Nextcloud server needs to be able to read the end-users IP address. If no reverse proxy is used then the
$_SERVER['REMOTE_ADDR'] variable is used for this. This variable contains the IP address of the connecting client. In regular scenarios without reverse proxy this is already sufficient and no further configuration is required.
In case a reverse proxy is used it is required to configure your reverse proxy to pass the original client IP address in an HTTP header. Otherwise, your users may encounter slowness in case of a bruteforce attack. Below you can find configuration samp