Nextcloud https SSL

VD_BE (Cadet, joined Nov 3, 2020, 7 messages)
Hi all,

I am kind of new to TrueNAS/FreeNAS.

TrueNAS is installed completely, made a pool etc., installed NextCloud, CAs and certificates, at least I tried.
But I cannot approach my Nextcloud from outside the network, at my "outside" IP.

The warnings NextCloud gives me are:
There are some warnings regarding your setup.
  • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this.
  • Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead, as described in the security tips.
  • Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
  • Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
Please double check the installation guides, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan.

Although I was following a few threads here about SSL and HTTPS, when I perform them nothing is working anymore.
Is there not an easy howto, since this is a plug-in?
 

VD_BE (Cadet, joined Nov 3, 2020, 7 messages)
I was following this guideline:

but I got stuck at several points...

Step 1 – Create Dataset via Storage Pool:

Create a new dataset in your existing pool within FreeNas. I like to have my data outside the jail. Edit permissions and assign the “USER” as “www” because that’s what NextCloud (NX hereafter) uses.

www already existed in mine?

Step 3 – Mount Storage:

You need to first Stop the Plugin. Then mount the internal dataset you just created to: /usr/local/www/nextcloud/data/nextclouddata

How do I mount? Do I enter this line there, or...?

Step 4 – Enable HTTPS:

You will need to create a self-signed SSL certificate and the private key first. For this, you will have to log in via ssh into the FreeNas. Then type: jls to list the running jails on your FreeNas Box. Note the number that corresponds to nextcloud and then enter: jexec jail# tcsh.

This will change the prompt to nextcloud. This means that you’re inside the nextcloud jail, ready to make changes specifically to nextcloud.

Go to the location: /usr/local/etc/ssl

This I also couldn't do for some reason; maybe I don't understand it...

And now I can't access the Nextcloud managing thing anymore...

Also I had to use
vi /usr/local/etc/nginx/conf.d/nextcloud.conf
to edit these files, but those aren't easy either.

Maybe I am too new to this.
 

ddaenen1 (Patron, joined Nov 25, 2019, 318 messages)
> VD_BE wrote:
>   • Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
>   • Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

This is an interesting one. I only have this notification when I use Firefox. I don't have it when I use Safari. I haven't noticed any issues with NC either, although I do not use the calendar function of NC.
 

ddaenen1 (Patron, joined Nov 25, 2019, 318 messages)
> VD_BE wrote:
> Hi all,
>
> I am kind of new to TrueNAS/FreeNAS.
>
> TrueNAS is installed completely, made a pool etc., installed NextCloud, CAs and certificates, at least I tried.
> But I cannot approach my Nextcloud from outside the network, at my "outside" IP.
>
> The warnings NextCloud gives me are:
> There are some warnings regarding your setup.
>   • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this.
>   • Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead, as described in the security tips.

There are a number of approaches to this. Do you want to use an FQDN (domain name) or just your provider's external IP? Did you add your external IP (and/or FQDN) to 'trusted domains' in config.php? Did you set the https flag in config.php to 'true'? Remember, if you do this, you cannot access through the internal IP address anymore.

Last but not least, are you planning to set up CAs inside NC? I did not do this. I used pfsense to set up certificates using ACME Let's Encrypt certificates and then created a reverse proxy using haproxy inside pfsense. This way, I am never dependent on anything inside my network, and another advantage is that you can access multiple servers from outside through the same external IP address.
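The reply above points at 'trusted domains', the https flag and the "overwrite" variables in config.php. The fragment below is an added example, not from this thread or from the Nextcloud project, showing the config.php keys that address the first two warnings quoted in the opening post when a Nextcloud jail sits behind a TLS-terminating reverse proxy like the HAProxy-on-pfSense setup described; cloud.example.com and the proxy address 192.168.1.1 are assumed placeholders, 192.168.1.248 is the jail IP used later in the thread.

```php
<?php
// Added example: config.php keys for Nextcloud behind a reverse proxy that
// terminates TLS and talks plain HTTP to the jail. All addresses are
// placeholders: 192.168.1.248 = jail IP (from the thread),
// 192.168.1.1 = proxy/firewall LAN address (assumed),
// cloud.example.com = the FQDN (assumed).
$CONFIG = array (
  // Only hosts listed here are served; any other Host header gets the
  // "untrusted domain" page. Keep the jail IP if LAN access by IP is wanted.
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
    1 => '192.168.1.248',
  ),

  // Nextcloud only honours X-Forwarded-* headers from proxies listed here,
  // so a client cannot spoof its source address or scheme by sending them.
  'trusted_proxies' => array ('192.168.1.1'),
  'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

  // Fixes "generating insecure URLs": the jail sees HTTP from the proxy,
  // so tell it what the browser actually used.
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.example.com',
  'overwrite.cli.url' => 'https://cloud.example.com',

  // Apply the overwrites only to requests whose REMOTE_ADDR is the proxy.
  // Without this condition every request is rewritten to the FQDN, which is
  // why the reply warns that the internal IP stops working; with it, direct
  // LAN access via http://192.168.1.248 keeps working.
  'overwritecondaddr' => '^192\\.168\\.1\\.1$',
);
```

The two "/.well-known/caldav" and "/.well-known/carddav" warnings are not addressed by config.php at all; they need redirect rules to /remote.php/dav in the web server configuration (the nextcloud.conf mentioned in the thread), and with a proxy in front, the proxy must pass those paths through unchanged.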
 

Moluccan (Dabbler, joined Oct 6, 2020, 18 messages)
> VD_BE wrote:
> I was following this guideline:
>
> but I got stuck at several points...
>
> Step 1 – Create Dataset via Storage Pool:
>
> Create a new dataset in your existing pool within FreeNas. I like to have my data outside the jail. Edit permissions and assign the “USER” as “www” because that’s what NextCloud (NX hereafter) uses.
>
> www already existed in mine?
>
> Step 3 – Mount Storage:
>
> You need to first Stop the Plugin. Then mount the internal dataset you just created to: /usr/local/www/nextcloud/data/nextclouddata
>
> How do I mount? Do I enter this line there, or...?
>
> Step 4 – Enable HTTPS:
>
> You will need to create a self-signed SSL certificate and the private key first. For this, you will have to log in via ssh into the FreeNas. Then type: jls to list the running jails on your FreeNas Box. Note the number that corresponds to nextcloud and then enter: jexec jail# tcsh.
>
> This will change the prompt to nextcloud. This means that you’re inside the nextcloud jail, ready to make changes specifically to nextcloud.
>
> Go to the location: /usr/local/etc/ssl
>
> This I also couldn't do for some reason; maybe I don't understand it...
>
> And now I can't access the Nextcloud managing thing anymore...
>
> Also I had to use
> vi /usr/local/etc/nginx/conf.d/nextcloud.conf
> to edit these files, but those aren't easy either.
>
> Maybe I am too new to this.

Hi, I am also new to this, but I have access to my Nextcloud via an internal and an external (non-secure) address.

I am using:
  • TrueNAS Core 2020
  • NextCloud plugin version 20.0.1
Local access NextCloud through the following address:
External access NextCloud through the following address:
  • http://<my_domain_name>:8282/
So I have requested a domain name.
And in my router/gateway I did the following:
  • Added the firewall rule: forward from any_address (*) | port 8282 to address 192.168.1.2 | port 8282
  • so external traffic to <my_domain_name>:8282 will be forwarded to my local address
And I don't like this non-secure external approach, but I don't know how to set up an https connection; I am stuck with setting up the certificates.
I tried to use the acme versus nginx instructions, but I am getting the following error in the shell of my jail:
  • verify error:invalid response from http
  • acme-challenge issue
 

ddaenen1 (Patron, joined Nov 25, 2019, 318 messages)
What I don't really get is why you didn't configure NC to get a dedicated IP from your router instead of a port? Your first ambition should be to be able to access Nextcloud via your external IP, regardless of security. This is important to understand the routing path from the external IP to the internal IP of Nextcloud.

My setup is as follows:

- dedicated FQDN, linked to my external ISP IP address
- Port forwarding in my ISP router to the internal router (pfsense) DHCP address
- In pfsense, have set up HAproxy, a reverse proxy similar to nginx, with a forwarding rule of the FQDN to the internal IP address
- In pfsense, configured ACME to generate Let's Encrypt certificates for my FQDN
- configured HAproxy to use the certificates to set up SSL

Be advised though that when you set up FQDN SSL, you need to modify config.php to route https, which basically means you can only use the FQDN to access Nextcloud. In essence, this is not an issue because your browser doesn't care whether you use your internal IP or the FQDN.

So, at which point are you right now?
 

Moluccan (Dabbler, joined Oct 6, 2020, 18 messages)
> ddaenen1 wrote:
> What I don't really get is why you didn't configure NC to get a dedicated IP from your router instead of a port? Your first ambition should be to be able to access Nextcloud via your external IP, regardless of security. This is important to understand the routing path from the external IP to the internal IP of Nextcloud.
>
> My setup is as follows:
>
> - dedicated FQDN, linked to my external ISP IP address
> - Port forwarding in my ISP router to the internal router (pfsense) DHCP address
> - In pfsense, have set up HAproxy, a reverse proxy similar to nginx, with a forwarding rule of the FQDN to the internal IP address
> - In pfsense, configured ACME to generate Let's Encrypt certificates for my FQDN
> - configured HAproxy to use the certificates to set up SSL
>
> Be advised though that when you set up FQDN SSL, you need to modify config.php to route https, which basically means you can only use the FQDN to access Nextcloud. In essence, this is not an issue because your browser doesn't care whether you use your internal IP or the FQDN.
>
> So, at which point are you right now?

> ddaenen1 wrote:
> What I don't really get is why you didn't configure NC to get a dedicated IP from your router instead of a port?
  • Let me start with this first.
  • This will solve a lot of issues; I am having issues with accessing NextCloud with https://192.168.1.2/, this leads me to TrueNAS only.
  • I already created certificates and I have updated /usr/local/etc/nginx/conf.d/nextcloud.conf, but this update won't work because TrueNAS is using the IP 192.168.1.2 and NextCloud was only accessible through port 8282 on the same IP.
 

Moluccan (Dabbler, joined Oct 6, 2020, 18 messages)
> ddaenen1 wrote:
> What I don't really get is why you didn't configure NC to get a dedicated IP from your router instead of a port? Your first ambition should be to be able to access Nextcloud via your external IP, regardless of security. This is important to understand the routing path from the external IP to the internal IP of Nextcloud.
>
> My setup is as follows:
>
> - dedicated FQDN, linked to my external ISP IP address
> - Port forwarding in my ISP router to the internal router (pfsense) DHCP address
> - In pfsense, have set up HAproxy, a reverse proxy similar to nginx, with a forwarding rule of the FQDN to the internal IP address
> - In pfsense, configured ACME to generate Let's Encrypt certificates for my FQDN
> - configured HAproxy to use the certificates to set up SSL
>
> Be advised though that when you set up FQDN SSL, you need to modify config.php to route https, which basically means you can only use the FQDN to access Nextcloud. In essence, this is not an issue because your browser doesn't care whether you use your internal IP or the FQDN.
>
> So, at which point are you right now?

  • OK, installed NextCloud and assigned the application to a dedicated IP address, 192.168.1.248
  • added the IP address to "/usr/local/www/nextcloud/config/config.php" as a trusted domain
  • now I was able to open the GUI under http://192.168.1.248
  • dedicated FQDN, linked to my external ISP IP address
  • Created a port forwarding in Unifi Network; From * | Port 443 destination 192.168.1.248:443
I am not using pfsense, I am using Unifi hardware, but I tried to use acme and I think it didn't work correctly.

I have tried the following on my Unifi Security Gateway:
  • curl https://get.acme.sh | sh (to install acme, and that was successful)
  • acme.sh --issue -d <FQDN> -w /home/wwwroot/<FQDN> (this didn't work, so I have added https:// to the FQDN)
  • the results were three files: .conf, .csr.conf and .key
https://<FQDN>/ works now, but it says it's not safe because of the missing certificates.

Do I need to use the certificates on my gateway server or in the NextCloud jail?
 

ddaenen1 (Patron, joined Nov 25, 2019, 318 messages)
> Moluccan wrote:
>   • OK, installed NextCloud and assigned the application to a dedicated IP address, 192.168.1.248
>   • added the IP address to "/usr/local/www/nextcloud/config/config.php" as a trusted domain
>   • now I was able to open the GUI under http://192.168.1.248
>   • dedicated FQDN, linked to my external ISP IP address
>   • Created a port forwarding in Unifi Network; From * | Port 443 destination 192.168.1.248:443
> I am not using pfsense, I am using Unifi hardware, but I tried to use acme and I think it didn't work correctly.
>
> I have tried the following on my Unifi Security Gateway:
>   • curl https://get.acme.sh | sh (to install acme, and that was successful)
>   • acme.sh --issue -d <FQDN> -w /home/wwwroot/<FQDN> (this didn't work, so I have added https:// to the FQDN)
>   • the results were three files: .conf, .csr.conf and .key
> https://<FQDN>/ works now, but it says it's not safe because of the missing certificates.
>
> Do I need to use the certificates on my gateway server or in the NextCloud jail?

Happy you got this far already. Personally, I have no experience of setting up certificates in Unifi or NC itself. I used pfsense because it allows more flexibility towards the future, it enables me to access more than one server through the same IP with HAproxy and, last but not least, it is very low maintenance. There are a couple of threads that talk about setting up certificates in NC. Good luck with that.
 

Moluccan (Dabbler, joined Oct 6, 2020, 18 messages)
> ddaenen1 wrote:
> Happy you got this far already. Personally, I have no experience of setting up certificates in Unifi or NC itself. I used pfsense because it allows more flexibility towards the future, it enables me to access more than one server through the same IP with HAproxy and, last but not least, it is very low maintenance. There are a couple of threads that talk about setting up certificates in NC. Good luck with that.

Hi, yes, thanks for the help and the advice!!!

Will find out how to set up the certificates in Unifi or NC.
Will there be no difference between the certificates at the beginning (Unifi) or almost at the end (NC jail)?

Thanks again.
 
(joined Dec 9, 2020, 9 messages)
Did you find a solution? I also have a UDM Pro and got a VM of Ubuntu running NGINX Proxy Manager in Docker. Got the SSL and redirection, but after it hits NC, to my understanding the connection gets refused... :p If I set it up directly it works, but I want the security; I've already been attacked from different countries trying to gain access... Just a note for UDM Pro owners... gosh, I hope they make the VPN setup easier, it's not intuitive, but I got it working. Cheers.
 
(joined Dec 9, 2020, 9 messages)
> (same user wrote:)
> Did you find a solution? I also have a UDM Pro and got a VM of Ubuntu running NGINX Proxy Manager in Docker. Got the SSL and redirection, but after it hits NC, to my understanding the connection gets refused... :p If I set it up directly it works, but I want the security; I've already been attacked from different countries trying to gain access... Just a note for UDM Pro owners... gosh, I hope they make the VPN setup easier, it's not intuitive, but I got it working. Cheers.


Just an update: while I was on TrueNAS I used nginx to get the SSL, then forward to the Nextcloud instance in Core. Now I am on TrueNAS SCALE and way happier, but nginx is apparently not recommended on SCALE, so I am looking for options.
 

sretalla (Moderator, "Powered by Neutrality", joined Jan 1, 2016, 9,703 messages)
> Now I am on TrueNAS SCALE and way happier, but nginx is apparently not recommended on SCALE, so I am looking for options.
Look for the guide on how to do Traefik with TrueCharts apps... it's already more-or-less just Next...next... finish and you're done.

 
(joined Dec 9, 2020, 9 messages)

sretalla (Moderator, "Powered by Neutrality", joined Jan 1, 2016, 9,703 messages)
If you're talking about Nextcloud, it's already there in TrueCharts.

It's also possible to use Traefik from TrueCharts to publish apps created from "Launch Docker Image".

See the other Quick-start videos on the same site I linked.
 