I can successfully connect to my nextcloud via the reverse proxy. Thanks a lot for this guide :)
In the Nextcloud settings I get the following messages:
The "X-XSS-Protection" HTTP header is not configured to match "1; mode=block". This is a potential security risk and it is recommended to change this setting.
The "X-Content-Type-Options" HTTP header is not configured to match "nosniff". This is a potential security risk and it is recommended to change this setting.
The "X-Robots-Tag" HTTP header is not configured to match "none". This is a potential security risk and it is recommended to change this setting.
The "X-Frame-Options" HTTP header is not configured to match "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.
The "X-Download-Options" HTTP header is not configured to match "noopen". This is a potential security risk and it is recommended to change this setting.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to match "none". This is a potential security risk and it is recommended to change this setting.
This problem has only existed since I installed the reverse proxy!
I had the same issue; turns out I had these headers set up in both my NC nginx.conf file and in my reverse proxy. Make sure the headers are in only ONE of the config files (try deleting them from the reverse proxy one). That fixed the issue for me. Restart your web servers when you're done.
I have followed your advice. The only headers I have added are now in my NC nginx.conf. Nothing in the proxy.conf or the nginx.conf of the proxy. But I still have these two issues:
Code:
The "X-Content-Type-Options" HTTP header is not configured to match "nosniff". This is a potential security risk and it is recommended to change this setting.
The "X-Frame-Options" HTTP header is not configured to match "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.
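Added example (not from the guide or from either poster above): the advice is to set the headers in ONE place, and the reason a browser-side check still fails is that nginx passes the backend's headers through, so a second copy added by the proxy (for instance X-Frame-Options DENY from a shared TLS snippet) arrives next to Nextcloud's SAMEORIGIN. If you prefer the proxy as that single place, the location below hides whatever the backend sends and emits the values the warnings above expect. The server name, the certificate lines and the 192.168.1.91 upstream are assumptions.

```nginx
# Reverse proxy: the ONE place where the browser-facing security headers are set.
server {
    listen 443 ssl http2;
    server_name cloud.example.org;            # assumed name
    # ssl_certificate / ssl_certificate_key as in the guide (omitted here)

    location / {
        proxy_pass http://192.168.1.91:80;    # assumed Nextcloud jail address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Drop the backend's copies so the browser never receives two values
        # (e.g. "DENY" from the proxy plus "SAMEORIGIN" from Nextcloud).
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header X-Robots-Tag;
        proxy_hide_header X-Download-Options;
        proxy_hide_header X-Permitted-Cross-Domain-Policies;

        # nginx inheritance rule: an add_header inside a location replaces ALL
        # add_header lines of the enclosing server block, so HSTS is repeated here.
        # "always" emits the header on error responses (4xx/5xx) too.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none always;
        add_header X-Download-Options noopen always;
        add_header X-Permitted-Cross-Domain-Policies none always;
    }
}
```

If you instead keep the headers in Nextcloud's own nginx.conf as suggested, check every file the proxy's server block includes (ssl/common snippets) for stray add_header lines; curl -sI against the public URL shows exactly which headers, and how many copies, the browser sees.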
Thanks for the great guide on setting up nginx as a reverse proxy. I managed to implement it in my FreeNAS setup. I want to use it for a couple of plugins or jails. Currently I have only Piwigo and Nextcloud.
I am seeing however a strange behavior, and I think it is something I missed or misunderstood regarding the different configs.
Issue is:
The first time I open https://publicip.domain.org/nexcloud I get an error and the browser prompt changes to https://publicip.domain.org:8081/nexcloud - the port the plugin is listening on. Then if I remove it or manually write :443 it works. I added the option port_in_redirect off; however, it doesn't help.
Here is my Nginx reverse proxy config for 1 of the plugins:
location /nextcloud {
    proxy_pass http://192.168.1.91:8081;
    proxy_redirect off;
    port_in_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
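Added example (not the poster's config): assuming the :8081 in the address bar comes from a Location header that the Nextcloud jail builds from the Host it is handed plus its own listen port, the proxy can rewrite that header on the way back instead of passing it through untouched. The addresses and the /nextcloud prefix are the ones from the post above.

```nginx
location /nextcloud {
    proxy_pass http://192.168.1.91:8081;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # port_in_redirect only affects redirects that THIS nginx generates; it does
    # nothing for a Location header produced by the jail behind proxy_pass.
    # "proxy_redirect off" on top of that told the proxy not to touch the header,
    # which is how ":8081" reached the browser. Rewrite both forms the backend
    # can emit instead:
    #   Location: http://192.168.1.91:8081/nextcloud/login  ->  /nextcloud/login
    proxy_redirect http://192.168.1.91:8081/ /;
    #   Location: http(s)://publicip.domain.org:8081/nextcloud/login
    #          -> http(s)://publicip.domain.org/nextcloud/login
    proxy_redirect ~^(https?://[^/:]+):8081(/.*)$ $1$2;
}
```

The directive that actually belongs where the redirect is generated is port_in_redirect off (or absolute_redirect off on nginx 1.11.8 and newer) in the Nextcloud jail's own nginx.conf, not in the proxy's.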
Regarding the configuration of certbot, I'd like to make a suggestion:
I don't really like the fact that certbot answers in place of the web server when it's trying to renew certs.
So, I've set it up like this:
- create a folder in my www dir named letsencrypt
- paste an include of that file in EACH server configuration
Example:
Code:
server {
    listen 80;
    listen [::]:80;
    server_name foo.bar.pasta;
    include /usr/local/etc/nginx/letsencrypt.conf;
    location / {
        # $host$request_uri keeps path and query string intact (the original
        # $Host/$URI produced a double slash and dropped the query string)
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name foo.bar.pasta;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_certificate /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem;
    ssl_certificate /usr/local/etc/nginx/certs_ecc/foo.bar.pasta/fullchain.pem; # these are acme.sh ECDHE keys
    ssl_certificate_key /usr/local/etc/nginx/certs_ecc/foo.bar.pasta/key.pem;   # acme.sh ECDHE key
    include /usr/local/etc/nginx/letsencrypt.conf;
    location / {
        proxy_pass http://10.0.0.1:80;
        include /usr/local/etc/nginx/proxy-control.conf;
        proxy_ssl_certificate /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem;
        proxy_ssl_certificate_key /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem;
    }
}
- set up certbot with this command for each subdomain: certbot certonly --webroot -w /usr/local/www/letsencrypt/ -d foo.bar.pasta -d other.foo.bar.pasta --rsa-key-size 4096
This should give you a renewal config like this:
Code:
# cat /usr/local/etc/letsencrypt/renewal/foo.bar.pasta.conf
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /usr/local/etc/letsencrypt/archive/foo.bar.pasta
cert = /usr/local/etc/letsencrypt/live/foo.bar.pasta/cert.pem
privkey = /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem
chain = /usr/local/etc/letsencrypt/live/foo.bar.pasta/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = RANDOMNUMBER
renew_hook = /root/letsencrypt.sh
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
foo.bar.pasta = /usr/local/www/letsencrypt
other.foo.bar.pasta = /usr/local/www/letsencrypt
This will happily use the same directory over and over for EACH of your domains / subdomains without disrupting your web server.
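Added example, not part of the post above: the post includes /usr/local/etc/nginx/letsencrypt.conf in every server block but never shows it. This is what that file needs to contain for the shared webroot to work (assumed content, matching the -w path of the certbot command above). Because a ^~ prefix location wins over the location / redirect on port 80 and over any regex locations, the challenge is answered straight from disk even on hosts that otherwise redirect to HTTPS or proxy everything.

```nginx
# /usr/local/etc/nginx/letsencrypt.conf (assumed content)
#
# Serve ACME HTTP-01 challenge files from the directory certbot writes to with
# '-w /usr/local/www/letsencrypt/'. nginx appends the request URI to 'root', so
#   GET /.well-known/acme-challenge/TOKEN
# is read from /usr/local/www/letsencrypt/.well-known/acme-challenge/TOKEN,
# exactly where certbot's webroot authenticator places it before validation.
location ^~ /.well-known/acme-challenge/ {
    root /usr/local/www/letsencrypt;
    default_type text/plain;
    # Serve only files that exist; anything else under this prefix is a 404
    # rather than falling through to the proxied application.
    try_files $uri =404;
}
```

The directory must be readable by nginx's user (www on FreeBSD); nginx -t confirms every server block that includes the file still parses, and certbot renew --dry-run exercises the whole path without issuing a certificate.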
Hi, for reference, my Nextcloud jail is configured as SSL on port 443, so I cannot replicate this without shutting my own server down.
But I have many other jails responding on a whole bunch of other ports without SSL and doing fine.
This is a proxy config file I use for all my location-using-proxy-pass parts:
The ones I put in bold may be the answer to your troubles with Nextcloud
- err, no bold in code, duh.
Well, try all the proxy_set_header X- lines, those are the ones I wanted to highlight.
The others may be useful too.
It should appear like this in your configs:
Code:
# HTTP server
server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.foo.bar;
    include /usr/local/etc/nginx/letsencrypt.conf;
    location / {
        # $host$request_uri keeps path and query string intact (the original
        # $Host/$URI produced a double slash and dropped the query string)
        return 301 https://$host$request_uri;
    }
}
# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.foo.bar;
    # "SNIP irrelevant stuff"
    location / {
        proxy_pass https://192.168.1.202:443;
        include /usr/local/etc/nginx/proxy.conf;
        proxy_ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.foo.bar/fullchain.pem;
        proxy_ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.foo.bar/privkey.pem;
    }
}
A couple of questions though since my config files look a bit different.
1. My Nextcloud was installed via plugin on FreeNAS 11.2. It has a /usr/local/etc/nginx/conf.d/nextcloud.conf file and /usr/local/etc/nginx/nginx.conf. There I change only the listening port and the root path. Do I have to add somewhere that I am using a reverse proxy?
2. The proxy.conf and nginx.conf/nextcloud.conf you provided are from the Nextcloud jail, right? Is https://192.168.1.202:443; the reverse proxy nginx server in your example? My understanding of the issue is that after the initial handshake the backend server (i.e. Nextcloud) is responding directly to the internet client and showing its listening port 8081. I do not have a letsencrypt config on my Nextcloud, only on the nginx reverse proxy.
I've kept the Nextcloud config files pretty much vanilla, only telling it its IP and that it should answer with SSL with the certificate I gave it (I mounted the proxy directory where the certs are stored on ZFS storage so it can be used by other jails).
192.168.1.202 is my Nextcloud jail IP.
But as I just checked again... I think I found the source of your problem.
In your reverse proxy, you've told nginx that it's in /nextcloud,
so the Nextcloud jail is trying to access its own /nextcloud subdirectory, but it doesn't exist.
> you should remake the location in Apache and tell it it's /nexcloud (in nextcloud jail)
And same for 555NAE:
your other jail must have nothing answering on /player, so it's reverting back to /,
but / is allocated to the first location, so it finally goes there.
I think I have the right folder configured. As I mentioned, the issue is only with the port. It returns 8081; after I change it manually, the content is OK.
Came across this tidbit when trying to firm up my nginx security. To help protect against DoS attacks, implement the following code into the server block in your .conf file.
Hi All - I followed this guide closely and have NGINX working well. Thanks a lot OP!
My one issue - I've been trying for the last day and I can't seem to figure out how to make this work with nextcloud. Can anyone offer any help? I'm running the latest FreeNAS 11.2 and installed the nextcloud plugin.
On my network, I can access nextcloud via LOCAL-IP-ADDRESS:80.
In my nginx.conf (NGINX Jail) file I added listen on 443 ssl and changed the server_name to the root of my website (just as shown in the guide).
I've been playing with the settings in the config.php file (Nextcloud jail: /usr/local/www/nextcloud/config/config.php), but I can't seem to get it right. I reverted everything in config.php for now, except I kept my domain as a trusted domain.
When attempting to connect today, I get a 404/Not Found. If I change the proxy_pass to LOCAL-IP-ADDRESS:8080, I get 502/Bad Gateway.
Anyone got a solution to this? I'm in the same boat with Jackosh. I have NGINX working great with every other service on my network. Can't seem to crack the nextcloud problem.
First of all, awesome guide, thanks a lot @ZodiacUHD !
@Maxobus I've had that problem too at some point, maybe my config below helps? I have two questions for you though, regarding Transmission. Are you able to use magnet torrents remotely? I'm using the Chrome extension Remote Torrent Adder, which works perfectly locally, but throws an error popup in Chrome when done remotely:
How do you handle it? And second question, are there any advantages to subdomains compared to mydomain.com/transmission (e.g.)?
My main reason for posting here is I'm having trouble with Plex. Funnily enough, remote access only works using the WebUI, but the server is not accessible in my Android app, or my brother's Samsung TV app. Locally, my Android app works fine. Google only found solutions for the opposite case, when the WebUI is not working. My config was inspired by the last post here: https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/
Trying to connect with my android phone produces this error message in /var/log/nginx/error.log
Code:
2018/01/23 21:43:44 [error] 31721#101943: *765 open() "/usr/local/www/nginx/resources" failed (2: No such file or directory), client: xx.xx.xx.xx(<-- Android IP), server: my.server, request: "GET /resources?X-Plex-Token=jtz[...deleted...]PU HTTP/1.1", host: "my.server"
When connecting in local network, the same error message is produced, however the Plex app works normally.
Below are my configs:
Code:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user nobody;
worker_processes 6;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    # Plex jail IP
    upstream plex {
        server xx.xx.xx.37:32400;
    }

    # listen on port 80 -> redirect to 443
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    # listen on port 443 primarily
    server {
        listen 443 ssl;
        server_name my.server;
        include ssl_common.conf;
        include proxy_setup.conf;
        client_max_body_size 8196M;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
            if ($args ~ (.*)X-Plex-Device(.*)) {
                proxy_pass http://plex;
            }
            if ($http_referer ~ (.*)plex(.*)) {
                proxy_pass http://plex;
            }
        }

        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
    }
}
@weingeist Did you get this figured out? I'm trying to do the same thing as you here and your modified code works great from my PC.
+EDIT+
Everything seems to be working correctly for me; my local sources pick up the Plex server as local and the remote sources pick it up with the address... If anyone needs them I can post my configs.
I followed the guide, and it seems to work pretty well. Kind of. Almost.
I am trying to access my Nextcloud server, and I get the NC UI, the certificate seems ok, but no shares.
Could you try and help me figure out what's wrong?
First, on my nginx proxy, here's some config:
nginx.conf:
Code:
#user nobody;
worker_processes 1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    server {
        listen 443 ssl;
        server_name proxy.domain.com;
        include ssl_common.conf;
        include proxy_setup.conf;
        # ssl_certificate cert.pem;
        # ssl_certificate_key cert.key;
        # ssl_session_cache shared:SSL:1m;
        # ssl_session_timeout 5m;
        # ssl_ciphers HIGH:!aNULL:!MD5;
        # ssl_prefer_server_ciphers on;
        # location / {
        #     root html;
        #     index index.html index.htm;
        # }
    }
}
proxy_setup.conf
Code:
location /cloud {
    proxy_pass https://192.168.1.235:443/; # (192.168.1.235 being the LAN IP of the NC server)
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
ssl_common.conf
Code:
# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /usr/local/etc/letsencrypt/live/proxy.domain.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/proxy.domain.com/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-G$
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx >= 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;