502 Bad Gateway error when trying to access nextcloud plugin through nginx reverse proxy jail

Joined
May 31, 2022
Messages
7
Hello everyone!

I am very new to all this and I am running into this problem setting up my nginx reverse proxy with the nextcloud plugin. First I had a direct connection to nextcloud which worked fine, but I decided to switch to a reverse proxy setup as I want to add more web based stuff in the future. When I access my nextcloud locally it still works but when I try to connect to it using the reverse proxy I get a 502 Bad Gateway error from nginx. I took a look at the logs and it says that the connection from the proxy to nextcloud is refused and I don't understand why. I hope you guys can help me out with this. My nextcloud and reverse proxy both use NAT, nextcloud on port 8282 (port 80) and 8283 (port 443) and the reverse proxy on 8280 (port 80) and 8281 (port 443), the ip of my truenas server inside my LAN is 192.168.178.60. You can see my config files below (I btw don't actually know what all the config options do so it is possible I completely messed them up, I was following 3 different tutorials trying to get it working). If you need any extra information let me know!

/usr/local/www/nextcloud/config/config.php
Code:
<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
  ),
  'passwordsalt' => 'password',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.178.60', #truenas ip
    3 => 'mysubdomain.mydomain.com',
  ),
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '24.0.1.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_ncadmin',
  'dbpassword' => 'W6w67jn6b17PwBCaL6kmH9vrLSMu5m',
  'installed' => true,
  'instanceid' => 'ocaqkrsk6q6t',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'truenas.local',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'myemail@gmail.com',
  'mail_smtppassword' => 'mypassword',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'theme' => '',
  'loglevel' => 2,
  'maintenance' => false,
);


/usr/local/etc/nginx/nginx.conf
Code:
#user  nobody;
worker_processes  1;


# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#


#pid        logs/nginx.pid;




events {
    worker_connections  1024;
}




http {
    include       mime.types;
    default_type  application/octet-stream;


    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';


    #access_log  logs/access.log  main;


    sendfile        on;
    #tcp_nopush     on;


    #keepalive_timeout  0;
    keepalive_timeout  65;


    #gzip  on;


    server {
     # You would want to make a separate file with its own server block for each virtual domain
        # on your server and then include them.
        listen       80;
        #tells Nginx the hostname and the TCP port where it should listen for HTTP connections.
        # listen 80; is equivalent to listen *:80;


        return 301 https://$host$request_uri; #redirect to https


        #charset koi8-r;


        #access_log  logs/host.access.log  main;


        #error_page  404              /404.html;


        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }


    # HTTPS server
    # Proxy itself
    server {
        listen       443 ssl;
        server_name  domain.com;
        ssl_certificate /usr/local/etc/letsencrypt/live/domain.com-0001/fullchain.pem; # managed by Certbot
        ssl_certificate_key /usr/local/etc/letsencrypt/live/domain.com-0001/privkey.pem; # managed by Certbot


        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;


        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;


        location / {
            root   html;
            index  index.html index.htm;
        }


}


# The real proxy
server {
        listen       443 ssl;
        server_name  nextcloud.domain.com;
        ssl_certificate /usr/local/etc/letsencrypt/live/domain.com-0001/fullchain.pem; # managed by Certbot
        ssl_certificate_key /usr/local/etc/letsencrypt/live/domain.com-0001/privkey.pem; # managed by Certbot


        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;


        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;


        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass https://192.168.178.60:8283; #address I use to locally access nextcloud
                proxy_read_timeout 90;

                proxy_redirect https://192.168.178.60:8283 https://nextcloud.domain.com; #Some redirect stuff, idk what for
        }

        # Documentation said this needs to be here
        location /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
        }


        location /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
        }
}


}
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
'overwrite.cli.url' => 'http://localhost',
This won't be helping

You need to look for some examples of config files where the overwrites are done properly and copy them. (client URL, protocol and host... you may not need all 3 of them and actually maybe need to not have all 3).

Also, you will likely need to specify trusted proxies in addition to the trusted domains in a similar format.
 
Joined
May 31, 2022
Messages
7
Thanks for your reply! I haven't figured it out yet, but I added these lines to my nextcloud config and tried different combinations for the overwrite parts:
Code:
'trusted_proxies' =>
  array (
    0 => '192.168.178.60', # Truenas LAN ip
    1 => 'nextcloud.domain.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.domain.com',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'nextcloud.domain.com',

It does not seem to make a difference except that when I try to access nextcloud locally I get redirected to nextcloud.domain.com and then get the same Bad Gateway error (because of the overwritehost I assume).
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Trusted proxies needs to be the IP of your nginx reverse proxy server (and nothing else).

Like I said, I don't think specifying all 3 of those parameters is helpful... I would drop the cli.url and see if that helps.
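
Why the trusted-proxies list should hold only the reverse proxy's address, shown as an added example (not part of the thread and not Nextcloud's own code). It is a simplified model of how a proxy-aware backend picks the client address from the `X-Forwarded-For` header that the nginx config above sets; `client_ip` and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress

def client_ip(remote_addr, xff_header, trusted_proxies):
    """Simplified model (assumption, not Nextcloud's implementation):
    honour X-Forwarded-For only when the TCP peer is a trusted proxy."""
    nets = []
    for entry in trusted_proxies:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # this model matches IPs/CIDRs only; other entries are skipped

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    if not xff_header or not is_trusted(remote_addr):
        return remote_addr  # header from an untrusted peer is ignored
    # $proxy_add_x_forwarded_for appends the peer nginx saw, so the
    # rightmost untrusted hop is the address our own proxy vouches for.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr

def demo():
    proxy = "192.168.178.60"       # reverse proxy address from the thread
    lan_host = "192.168.178.25"    # constructed: another LAN machine
    return {
        # Request via nginx; the client supplied its own header value first.
        "via_proxy": client_ip(proxy, "10.0.0.1, 203.0.113.7", [proxy]),
        # Direct request with a self-supplied header, tight list: ignored.
        "direct_tight": client_ip(lan_host, "198.51.100.9", [proxy]),
        # Same request, list widened to the whole LAN: header is believed.
        "direct_broad": client_ip(lan_host, "198.51.100.9",
                                  ["192.168.178.0/24"]),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:13s} -> {ip}")
```

With the list limited to the proxy, logs and rate limiting see the address nginx actually observed; once the list is widened, any peer inside it can set the recorded client address itself.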
 
Joined
May 31, 2022
Messages
7
I have tried all the combinations of the parameters but nothing seems to change. Is it possible that it does not work since I use NAT for both nextcloud and the reverse proxy? So they both have local ip 192.168.178.60 but nextcloud is on ports 8282 and 8283 and the reverse proxy is on port 8280 and 8281. I btw also removed the domain from the trusted proxies, so only 192.168.178.60 is still there.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Now that you're talking about that, I notice that you're missing a trailing slash in your nginx config...

proxy_pass https://192.168.178.60:8283;

should be

proxy_pass https://192.168.178.60:8283/;

Maybe the same for the redirect too.
 
Joined
May 31, 2022
Messages
7
Hmm, that also didn't fix the problem. I did get it to work for 1 sec when I switched to DHCP instead of NAT, but when I tried to make it a static ip it failed again and when I switched it back to DHCP it also didn't work anymore.
 
Joined
May 31, 2022
Messages
7
After some more messing around with static ip instead of NAT I managed to get it working(ish). I can access nextcloud now but it still shows not secure in the top left of my browser. Maybe someone knows the reason for that?
 
Joined
May 31, 2022
Messages
7
I told you guys it worked(ish), but actually I still have problems (but school came around so I decided to ignore it for a moment). At the moment it works about 70% of the time, but sometimes it still gives bad gateway errors. It seems I cannot find any errors on the nextcloud part and only this error on my reverse proxy:
2022/06/16 20:28:21 [error] 1733#101306: *11014 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: ip_of_router, server: nextcloud.domain.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://ip_of_truenas:8283/favicon.ico", host: "nextcloud.domain.com", referrer: "https://nextcloud.domain.com/"

I tried some other things that I found on the internet but nothing seems to change it. I did find another config file (nginx config in nextcloud jail), but I don't know if that one will help. Do you guys have any ideas?
 

Attachments

  • nextcloud_nginx_conf.txt
    3.4 KB · Views: 276
  • nextcloud_confd_nextcloud.txt
    920 bytes · Views: 154
  • nextcloud_configphp.txt
    2 KB · Views: 224
  • proxy_nginx_config.txt
    3.6 KB · Views: 183
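
For an intermittent 502 like the one in the last post, it helps to count the proxy's upstream connect failures per backend and reason instead of reading single lines. The following is an added example, not part of the thread: it parses nginx error-log lines of the format quoted above. The first sample line is the one from the post; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

PREFIX = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] ')
ERRNO = re.compile(r'\((\d+): ([^)]+)\) while connecting to upstream')
FIELD = re.compile(r', (\w+): (?:"([^"]*)"|([^,]+))')

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    '2022/06/16 20:28:21 [error] 1733#101306: *11014 kevent() reported that '
    'connect() failed (61: Connection refused) while connecting to upstream, '
    'client: ip_of_router, server: nextcloud.domain.com, request: '
    '"GET /favicon.ico HTTP/1.1", upstream: '
    '"https://ip_of_truenas:8283/favicon.ico", host: "nextcloud.domain.com", '
    'referrer: "https://nextcloud.domain.com/"',
    '2022/06/16 20:31:02 [error] 1733#101306: *11020 upstream timed out '
    '(60: Operation timed out) while connecting to upstream, client: '
    'ip_of_router, server: nextcloud.domain.com, request: "GET / HTTP/1.1", '
    'upstream: "https://ip_of_truenas:8283/", host: "nextcloud.domain.com"',
    '2022/06/16 20:31:05 [notice] 1733#101306: signal process started',
]

def parse_upstream_error(line):
    """Return a dict for a failed upstream connect, or None for other lines."""
    head, err = PREFIX.match(line), ERRNO.search(line)
    if not head or not err:
        return None
    # Trailing "key: value" pairs; values are either quoted or bare.
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return {
        "time": head.group(1),
        "errno": int(err.group(1)),
        "reason": err.group(2),
        "upstream": urlsplit(fields.get("upstream", "")).netloc,
        "request": fields.get("request", ""),
    }

def summarize(lines):
    """Count connect failures per (upstream host:port, reason)."""
    events = filter(None, map(parse_upstream_error, lines))
    return Counter((e["upstream"], e["reason"]) for e in events)

if __name__ == "__main__":
    for (upstream, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {upstream}  {reason}")
```

"Connection refused" means nothing accepted the connection on that address and port at that moment, so comparing the timestamps with restarts or address changes of the backend jail narrows down the cause.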