Can't install nextcloud behind nginx

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Update: Is your nextcloud.conf.txt exactly how you have it inside your nextcloud's jail?
I have it exactly like this in /usr/local/etc/nginx/include - I leave the nginx.conf as is in all my installations if remotely possible and use the include directory for my system specific modifications.
 

Meya

Dabbler
Joined
Dec 5, 2018
Messages
39
I'm not sure about others but when I installed the Nextcloud plugin, https was automatically enabled by nginx with a self-signed cert for local access.
Yes, the plugin added https automatically:
[Attached image: 1637857686842.png]


I still want to try to manually install NC and use my domain to access it over the web.
 

Meya

Why are you configuring Nginx as a reverse proxy? I thought you have a single jail and are trying to get a Nextcloud installation up and running?
Hello again!
This is what I'm trying to do, use a reverse proxy to handle all the traffic as well as update the certificates. What should I do next? This is where I'm at right now:
Jail 1: nginx jail that is the reverse proxy (has the fullchain.pem and privkey.pem to handle ssl)
Jail 2: Emby (working fine with mydomain.com)
Jail 3: New installation of Nextcloud (with its own nginx and all default right now - want to use mydomain.com/nextcloud to access it)
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
You are going to need some nginx configuration in Jail 1 so it knows where to send what traffic. When I did this manually in a jail I liked having individual nginx.conf files, but it can be done in just one. My preference was service.domain.com too, so I needed different certificate files, but I think you can do it with one if you are using www.domain.com/service.

This > https://www.truenas.com/community/t...-to-reverse-proxy-your-jails-w-certbot.49876/ helped me out at the time, but is probably a little out of date now
 

Meya

This > https://www.truenas.com/community/t...-to-reverse-proxy-your-jails-w-certbot.49876/ helped me out at the time, but is probably a little out of date now
My issue is the last part of that guide: I have a running NC jail but when I add the proxy headers such as the following
Code:
  
location /nextcloud {
    proxy_pass http://Jail's IP:80/nextcloud/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_hide_header X-Powered-By;
}



I get this:
[Attached image: 1638129507517.png]


In the config.php for NC I of course added my trusted domain, restarted all services but nothing. Something to note is that when I enter mydomain.com/nextcloud/ after a couple seconds it becomes mydomain.com/nextcloud//. Why isn't this working?
 

Patrick M. Hausen

I don't know but I never used Nextcloud with a subfolder as the base URL. I am not sure it is supported. Why don't you use something like https://nextcloud.mydomain.com ?
 

adrianwi

To be honest, I'm not sure. I think I've seen people set it up in a directory from the domain (e.g. domain.com/service) but I think it makes the nginx configuration a little more complicated, and possibly some extra settings in the nextcloud config.php? I've always used service.domain.com, so in your case nextcloud.domain.com and emby.domain.com, and separate certificates for each service. It works well for me, and I have several other services on different domains working through the same reverse proxy.
 

Meya

I don't know but I never used Nextcloud with a subfolder as the base URL. I am not sure it is supported. Why don't you use something like https://nextcloud.mydomain.com ?
I tried, maybe the configuration of the domain is different? Currently I have the domain as mydomain.nextcloud.com. I created a new jail by using apache instead of nginx. Everything went well, installation and configuring NC via the GUI. What I can't do, is use a different domain (I created a new domain only for NC) since when I type mydomain.nextcloud.com I get re-routed to my Emby server!
I should mention that I use No-Ip, where I created a domain for Emby. I went back and created a new one for NC but don't know why it is routing the traffic.

To be honest, I'm not sure. I think I've seen people set it up in a directory from the domain (e.g. domain.com/service) but I think it makes the nginx configuration a little more complicated, and possibly some extra settings in the nextcloud config.php? I've always used service.domain.com, so in your case nextcloud.domain.com and emby.domain.com, and separate certificates for each service. It works well for me, and I have several other services on different domains working through the same reverse proxy.
So just set up NC with its own nginx and set up nginx.conf (from inside NC) to use nextcloud.mydomain.com? I think this is a bit too complicated for me, so I'd rather set up a new jail with its own certificates as well as a new domain for nextcloud only. Can I ask you if you use a reverse proxy that handles all the certificates or do you have each jail do that on their own?
 

adrianwi

Part of your problem might be the way No-Ip is redirecting things to your external IP address? I'm actually running a reverse proxy on a Raspberry Pi now, but before I was using a Jail. The jail was just running NGINX as a reverse proxy and Certbot to generate all of the SSL certificates for each service, about 12 in total. I had a unique configuration file for each service (e.g. emby.conf) with paths to the relevant certificates and redirection to the appropriate service (some in Jails, some in VMs) on FreeNAS. I have my own domains though, so was redirecting those to my IP address through DNS records, so emby.mydomain.com was directed to my IP address.

You need to make sure each of the services is working internally before you start to worry about the reverse proxy though! You should be able to access them all from the internal IP address as this is what you are going to redirect to from your reverse proxy jail.
 

Meya

Part of your problem might be the way No-Ip is redirecting things to your external IP address? I'm actually running a reverse proxy on a Raspberry Pi now, but before I was using a Jail. The jail was just running NGINX as a reverse proxy and Certbot to generate all of the SSL certificates for each service, about 12 in total. I had a unique configuration file for each service (e.g. emby.conf) with paths to the relevant certificates and redirection to the appropriate service (some in Jails, some in VMs) on FreeNAS. I have my own domains though, so was redirecting those to my IP address through DNS records, so emby.mydomain.com was directed to my IP address.

You need to make sure each of the services is working internally before you start to worry about the reverse proxy though! You should be able to access them all from the internal IP address as this is what you are going to redirect to from your reverse proxy jail.
I have a total of 8 jails (one of them is nginx that works as a reverse proxy - handles certificates as well). I can access all of them in the format of mydomain.com/radarr/ or mydomain.com/transmission/ for example without any issues over the internet or locally by using the jail's IP.

I'm trying to do the same with NC but I just can't get nginx to communicate with NC properly and I don't know why. But I won't surrender!
 

Patrick M. Hausen

There are reverse proxy config examples in Nextcloud's documentation. Possibly you should take your problem to that community, because seemingly TrueNAS is working just as it should. While I use Nginx as the web server for my Nextcloud installation proper, I use Apache for all my reverse proxy needs and SSL handling. Intending to replace it with Caddy, but hey, only so much time ...

So while I cannot help you with the reverse proxy in Nginx maybe my Apache config gives you a hint or two.

Kind regards,
Patrick

P.S. You did consult the Nextcloud reverse proxy documentation, didn't you?

P.P.S. I always put links to official guides into my config files as comments, so years later I know where that came from.

Code:
# HTTP default vhost handling - essentially Letsencrypt
<VirtualHost _default_:80>
  # Permit access for Letsencrypt challenge/response
  Alias /.well-known/acme-challenge /usr/local/www/dehydrated
  <Directory /usr/local/www/dehydrated>
    Options None
    AllowOverride None
    Require all granted
  </Directory>

  # Redirect all other requests to HTTPS
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
  RewriteRule (.+) https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>

# https://docs.nextcloud.com/server/21/admin_manual/configuration_server/reverse_proxy_configuration.html
<VirtualHost *:443>
  ServerName cloud.my.domain

  ProxyRequests Off
  ProxyPreserveHost On

  RewriteEngine On
  RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
   
  <Proxy *>
      Require all granted
  </Proxy>

  ProxyPass / http://192.168.1.53/
  ProxyPassReverse / http://192.168.1.53/
 
  <Location />
      Require all granted
  </Location>

  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>

  SSLEngine on
  SSLCertificateFile "/usr/local/etc/dehydrated/certs/cloud.my.domain/cert.pem"
  SSLCertificateChainFile "/usr/local/etc/dehydrated/certs/cloud.my.domain/chain.pem"
  SSLCertificateKeyFile "/usr/local/etc/dehydrated/certs/cloud.my.domain/privkey.pem"
</VirtualHost>
 

adrianwi

I think @Patrick M. Hausen's idea is a good one - you might be better looking for help on the Nextcloud forum if it's just an issue with Nextcloud. I thought you were only running emby and Nextcloud, and couldn't get to Nextcloud. It sounds like everything is working for your other jails/services?

I haven't used this for at least 18 months, so probably back around Nextcloud 19, but it worked to redirect my external requests to nextcloud.mydomain.com through an NGINX reverse proxy jail to a Nextcloud jail.

Code:
## Start nextcloud.mydomain.com

#server {
#    listen 80;
#    return 301 https://$host$request_uri;
#}

server {
    listen 443 ssl; 
    ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem;   
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem;
    ssl_dhparam /usr/local/etc/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # drop SSLv3 (POODLE vulnerability)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;   
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    add_header Content-Security-Policy "frame-ancestors mydomain.co.uk nextcloud.mydomain.com;";   #add your domainname and all subdomains listed on your cert
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header 'Referrer-Policy' 'no-referrer';

    server_name nextcloud.mydomain.com;
    set $upstream 192.168.168.17;

    access_log /var/log/nginx/web.access.log;
    error_log /var/log/nginx/web.error.log;
    root /usr/local/www/nginx;
    index index.html index.htm;

    location / {
        proxy_pass_header Authorization;       
        proxy_pass http://$upstream;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#        proxy_redirect off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header    Host        $host;
        proxy_set_header    X-Real-IP    $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
#        proxy_set_header       X-Frame-Options SAMEORIGIN;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 0;
#        proxy_ssl_session_reuse off;
        proxy_read_timeout 36000s;
    }

    location /.well-known {
        root /usr/local/www;
    }
}


Good luck!
 

Meya

That's correct, all my jails are working fine. I wanted to add NC to the pool of jails. I tried installing NC with Apache as a standalone jail but when using mydomain.nextcloud.com, I get redirected to the Emby jail. Take a look at my nginx.conf file:
Code:
 #user  nobody;
  worker_processes  auto;
 
 # This default error log path is compiled-in to make sure configuration parsing
 # errors are logged somewhere, especially during unattended boot when stderr
 # isn't normally logged anywhere. This path will be touched on every nginx
 # start regardless of error log location configured here. See
 # https://trac.nginx.org/nginx/ticket/147 for more info.
 #
 #error_log  /var/log/nginx/error.log;
 #

 #pid        logs/nginx.pid;


 events {
     worker_connections  8192;
 }


 http {
     include       mime.types;
     default_type  application/octet-stream;
     server_names_hash_bucket_size 64;
     server_tokens off;

     #log file for emby below
     log_format emby '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';


     log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

     sendfile off;

         gzip on;   ## Compresses the content to the client, speeds up client browsing.
         gzip_disable "msie6";

         gzip_comp_level 6;
         gzip_min_length 1100;
         gzip_buffers 16 8k;
          gzip_proxied any;
          gzip_types
              text/plain
              text/css
              text/js
              text/xml
              text/javascript
              application/javascript
              application/x-javascript
              application/json
              application/xml
              application/rss+xml
              image/svg+xml;
 
      proxy_connect_timeout 1h;
      proxy_send_timeout 1h;
      proxy_read_timeout 1h;
      tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.
 
      ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
  server {
      listen 80 default_server;
      server_name xxxxxxxxxxxx;
 
      location ^~ /.well-known/acme-challenge/ {
                  root    /usr/local/www/nginx;
                  allow all;
          }
 
      location / {
                  root    /usr/local/www/nginx;
                  index   index.html;
                  return 301 https://$host$request_uri;
          }
 
 
      return 301 https://$host$request_uri;
  }
 
  ## Start of actual server blocks
  server {
 
      listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
      listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
      proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.
 
      server_name xxxxxxxxxxxx;    ## enter your service name and domain name here example emby.domainname.com
 
      access_log  logs/emby.log  emby;  ## Creates a log file with this name and the log info above.
 
       ## SSL SETTINGS ##
       ssl_session_timeout 30m;
       ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
       ssl_certificate      /usr/local/etc/letsencrypt/live/xxxxxxxxxxx/fullchain.pem;  ## Location of your public PEM file.
       ssl_certificate_key  /usr/local/etc/letsencrypt/live/xxxxxxxxxxx/privkey.pem;  ## Location of your private PEM file.
       ssl_session_cache shared:SSL:10m;

      location ^~ /swagger {   ## Disables access to swagger interface
         return 404;
      }

      resolver 192.168.1.1;

      location / {
        proxy_pass http://192.168.1.248:8096;  ## Enter the IP and port of the backend emby server here.

         proxy_hide_header X-Powered-By;  ## Strips the backend's X-Powered-By header so it is not disclosed to clients.
         proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
         proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
         proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
         #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
         proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

      ## ADDITIONAL SECURITY SETTINGS ##
      ## Optional settings to improve security ##
      ## add these after you have completed your testing and ssl setup ##
      ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
      ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
         add_header 'Referrer-Policy' 'origin-when-cross-origin';
         add_header Strict-Transport-Security "max-age=15768000; preload" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Content-Type-Options "nosniff" always;
         add_header X-XSS-Protection "1; mode=block" always;

      ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $http_connection;
     } # End of Emby ---

        location /sonarr {
                  #Client headers
                 add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
                 add_header X-Content-Type-Options nosniff;
                 add_header X-XSS-Protection "1; mode=block";
                 add_header X-Robots-Tag none;
                 add_header X-Download-Options noopen;
                 add_header X-Permitted-Cross-Domain-Policies none;
                 add_header X-Frame-Options "ALLOW-FROM https://meyacloud.ddns.net";
                 add_header Referrer-Policy strict-origin-when-cross-origin;
                 add_header Content-Security-Policy "frame-ancestors meyacloud.ddns.net;";
                 add_header Public-Key-Pins 'pin-sha256="FPSYXd/yg8ly96Pay6sslS5daMORQWPNUZd1aHtXZ0k="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; max-age=5184000; includeSubDomains';

                 #Proxy settings
                 proxy_pass http://192.168.1.247:8989;
                 proxy_redirect off;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_buffering off;
                 proxy_http_version 1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "Upgrade";
                 proxy_hide_header X-Powered-By;
         } # End of sonarr ---


         location /transmission {
                 #Client headers
                 add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
                 add_header X-Content-Type-Options nosniff;
                 add_header X-XSS-Protection "1; mode=block";
                 add_header X-Robots-Tag none;
                 add_header X-Download-Options noopen;
                 add_header X-Permitted-Cross-Domain-Policies none;
                 add_header X-Frame-Options "ALLOW-FROM https://meyacloud.ddns.net";
                 add_header Referrer-Policy strict-origin-when-cross-origin;
                 add_header Content-Security-Policy "frame-ancestors meyacloud.ddns.net;";
                 add_header Public-Key-Pins 'pin-sha256="FPSYXd/yg8ly96Pay6sslS5daMORQWPNUZd1aHtXZ0k="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; max-age=5184000; includeSubDomains';

                 #Proxy settings
                 proxy_pass http://192.168.1.246:9091;
                 proxy_redirect off;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_buffering off;
                 proxy_http_version 1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "Upgrade";
                 proxy_hide_header X-Powered-By;
         } # End of transmission ---
  } # End of server block ---
 } # End of http block ---



I really appreciate your help guys.
 

adrianwi

I'm not even going to pretend to fully understand NGINX configuration, but I'm assuming this is your configuration for the reverse-proxy jail?

I can't see any block in there that would know where to direct your nextcloud traffic to the appropriate jail? And I'm struggling to see how you are getting to it from mydomain.nextcloud.com which is surely a subdomain for nextcloud.com?
 

vidx

Dabbler
Joined
Oct 16, 2021
Messages
40
Code:
.
.
.
location / {
        proxy_pass http://192.168.1.248:8096;  ## Enter the IP and port of the backend emby server here.
.
.
.


This will redirect / to Emby even if you have Apache running for Nextcloud.

I'm not sure if Emby will run off a subfolder /emby like Sonarr or Transmission in your conf but you might want to look into it. This will make it easier for nginx to leave / for Nextcloud.
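
The routing issue identified in the replies above, shown as an added example that is not part of the original thread: one `server` block per hostname plus an explicit default server, so a request for the Nextcloud name no longer falls into the block whose `location /` proxies to Emby. The hostnames, the Nextcloud jail address 192.168.1.245 and the certificate directories are placeholders.

```nginx
# Added example; goes inside the http { } context of the proxy jail's nginx.conf.
# Placeholders (not from the thread): emby.example.net, nextcloud.example.net,
# 192.168.1.245 as the Nextcloud jail, and the certificate directories.

# Set once at http level so it applies to every TLS server block below.
ssl_protocols TLSv1.2 TLSv1.3;

# 1. Explicit default server. nginx selects a server block by SNI/Host; when
#    no server_name matches, the default server for that listen socket answers.
#    With a single 443 block (as in the posted config) that block is the
#    default, so every hostname that resolves to this IP ends up at Emby.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # A certificate is needed to complete the handshake; on nginx 1.19.4+
    # "ssl_reject_handshake on;" can replace the two lines below.
    ssl_certificate     /usr/local/etc/letsencrypt/live/emby.example.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/emby.example.net/privkey.pem;
    return 444;    # close the connection without sending a response
}

# 2. Emby answers only for its own name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.example.net;
    ssl_certificate     /usr/local/etc/letsencrypt/live/emby.example.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/emby.example.net/privkey.pem;

    location / {
        proxy_pass http://192.168.1.248:8096;    # Emby backend from the thread
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

# 3. Nextcloud gets its own name and certificate and is served from /.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nextcloud.example.net;
    ssl_certificate     /usr/local/etc/letsencrypt/live/nextcloud.example.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.example.net/privkey.pem;

    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    client_max_body_size 0;    # leave the upload limit to Nextcloud/PHP

    # Same redirects as the RewriteRule lines in the Apache example above.
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location / {
        proxy_pass http://192.168.1.245;         # placeholder Nextcloud jail
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_request_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

Run `nginx -t` before reloading. On the Nextcloud side, the proxy jail's IP has to be listed under `trusted_proxies` in config.php for the forwarded client address to be accepted.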
 

Meya

Code:
.
location / {
        proxy_pass http://192.168.1.248:8096;  ## Enter the IP and port of the backend emby server here.
.


This will redirect / to Emby even if you have Apache running for Nextcloud.
Since the semester is over I can now devote more of my time to fixing this issue. What vidx said is correct and is how nginx redirects traffic to my jails. For example, when I type mydomain.com I get redirected to Emby. If I type mydomain.com/radarr I get directed to the radarr page, and it is the same for the other jails.

Question: I installed the plug-in version for now but I'm unable to upload big files. I know that I should change the .php file and increase the max_upload_size but I can't find the file, it is as if it does not exist!
 

adrianwi

I still have some issues uploading large video files from my iOS device using the photo auto-upload, but I'm talking file sizes in the hundreds of GBs and only from iOS, as they upload fine from other devices.

I'm running a pretty standard jail config, and my php.ini file is in /usr/local/etc
 

vidx

Question: I installed the plug-in version for now but I'm unable to upload big files. I know that I should change the .php file and increase the max_upload_size but I can't find the file, it is as if it does not exist!
I have not tried this but the documentation is at https://docs.nextcloud.com/server/l...tion_files/big_file_upload_configuration.html

There isn't a php.ini in the jail but I think these two are equivalent

Code:
root@nextcloud:~ # locate php.ini
/usr/local/etc/php.ini-development
/usr/local/etc/php.ini-production
 