TheNASnovice
Dabbler
Joined: Feb 2, 2021
Messages: 20
Hello everybody,
I am running a Nextcloud-Jail (NC version 20.0.6) on a TrueNAS system (192.168.2.205) with Apache web server.
Installed according to these instructions: https://www.samueldowling.com/2020/...n-freenas-iocage-jail-with-hardened-security/
I also have a reverse proxy jail on the same TrueNAS system (192.168.2.206) with Nginx.
Installed according to these instructions: https://www.truenas.com/community/t...-to-reverse-proxy-your-jails-w-certbot.49876/
Both are relatively freshly installed, but I am new to this subject and would need help on the last few meters to reach my destination.
To the current status:
Nextcloud works great if you only use http and the IP of the internal network. However, I would like to access it from the Internet via https.
A free Selfhost account should be used for this - let's just call the appropriate subdomain my-sub.selfhost.co (as there is actually a hyphen in the name).
Selfhost is a DynDNS provider and the IP update through my FritzBox also works fine.
The URL to the Nextcloud should be:
my-sub.selfhost.co/nextcloud
An SSL certificate has been created and apparently works. The problem seems to be the interaction between reverse proxy and NC in my opinion.
Either I get a 404 (depending on what I changed in config.php), apparently from the Nginx of the reverse proxy ("Nginx" is on the 404 page), or the website tells me that the redirect went wrong.
After several attempts (also with the help of the following website):
I slowly have to admit defeat and hope for your patience and willingness to help.
So the problem is summarized:
I don't get the Nextcloud start page that I am offered with the appropriate configuration over plain http and the network-internal IP (http://192.168.2.205/).
My configuration files currently look like this:
Nextcloud - config.php
Code:
<?php
$CONFIG = array (
  'instanceid' => 'INSTANCEID',
  'passwordsalt' => 'SALT',
  'secret' => 'SECRET',
  'trusted_domains' =>
  array (
    0 => 'my-sub.selfhost.co',
    1 => '192.168.2.205',
    2 => 'localhost',
  ),
  'trusted_proxies' => ['192.168.2.206'],
  #'overwritehost' => 'my-sub.selfhost.co',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\.168\.2\.206$',
  'config_is_read_only' => true,
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '20.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'USERNAME',
  'dbpassword' => 'PASSWORD',
  'installed' => true,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'app_install_overwrite' =>
  array (
    0 => 'occweb',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'USERNAME-EMAIL',
  'mail_domain' => 'MAILSERVICE',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'SMTP.MAILSERVICE.TLD',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'MY-EMAIL',
  'mail_smtppassword' => 'MY-EMAIL-PASSWORD',
);
Reverse Proxy - nginx.conf
Code:
#user nobody;
worker_processes 1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
# error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        listen 443 ssl;
        server_name my-sub.selfhost.co;
        include ssl_common.conf;
        include proxy_setup.conf;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name my-sub.selfhost.co;
    #    include ssl_common.conf;
    #    include proxy_setup.conf;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
}
Reverse Proxy - ssl_common.conf
Code:
# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc

# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;

ssl_certificate /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/privkey.pem;

# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1.2;

# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;

# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES25>
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;

# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";

# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Reverse Proxy - proxy_setup.conf
Code:
location /nextcloud {
    proxy_pass http://192.168.2.205:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /octopi {
    proxy_pass http://192.168.2.75:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /plex {
    proxy_pass http://192.168.2.201:32400/web/index.html;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
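As an added example that is not part of the post above and not code from Nextcloud or nginx, the following Python script runs a consistency check over the kind of setup the post describes: a Nextcloud instance proxied under a sub-path by nginx. The two input snippets are constructed to mirror the post's proxy_setup.conf and the proxy-related keys of its config.php; the proxy address 192.168.2.206 is taken from the post and assumed to be the address the proxy jail uses when talking to Nextcloud. The checks follow Nextcloud's documented behaviour (forwarded headers are honoured only from `trusted_proxies`, and the `overwrite*` keys apply only when `overwritecondaddr` matches the proxy), so they flag what to look at, not a verified fix for this thread.

```python
"""Consistency check for Nextcloud served under a sub-path behind nginx.

Added example: parses an nginx location block and a config.php fragment and
reports mismatches that typically produce 404s, wrong redirects, or silently
ignored X-Forwarded-* headers. Inputs below are constructed, not real files.
"""
import re

# Constructed input, modelled on the post's proxy_setup.conf.
NGINX_LOCATIONS = """
location /nextcloud {
    proxy_pass http://192.168.2.205:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""

# Constructed input, modelled on the proxy-related keys of the post's config.php.
NEXTCLOUD_CONFIG = r"""
'trusted_proxies' => ['192.168.2.206'],
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'overwritecondaddr' => '^192\.168\.2\.206$',
"""

# Assumption: the proxy jail reaches Nextcloud from this address (the post's proxy jail IP).
PROXY_ADDR = "192.168.2.206"


def parse_locations(conf):
    """Map each location prefix to its proxy_pass target and its proxy_set_header values."""
    locations = {}
    for block in re.finditer(r"location\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        prefix, body = block.group(1), block.group(2)
        upstream = re.search(r"proxy_pass\s+([^;]+);", body)
        locations[prefix] = {
            "upstream": upstream.group(1).strip() if upstream else None,
            "headers": dict(re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", body)),
        }
    return locations


def parse_php_config(conf):
    """Extract 'key' => 'value' and 'key' => [...] entries from a config.php fragment."""
    cfg = {}
    for key, value in re.findall(r"'(\w+)'\s*=>\s*('[^']*'|\[[^\]]*\])", conf):
        cfg[key] = re.findall(r"'([^']*)'", value) if value.startswith("[") else value[1:-1]
    return cfg


def check(prefix, locations, cfg, proxy_addr):
    """Return human-readable findings for location `prefix`; an empty list means consistent."""
    findings = []
    loc = locations.get(prefix)
    if loc is None:
        return [f"no nginx location block for {prefix}"]
    headers = loc["headers"]
    if headers.get("Host") != "$host":
        findings.append("Host is not passed through; Nextcloud sees the backend host, not the public name")
    if "X-Forwarded-Proto" not in headers:
        findings.append("X-Forwarded-Proto is not set; only overwriteprotocol tells Nextcloud the client used https")
    # Nextcloud honours X-Forwarded-* headers only from addresses in trusted_proxies;
    # that list is what stops a client talking to the backend directly from spoofing them.
    if proxy_addr not in cfg.get("trusted_proxies", []):
        findings.append(f"{proxy_addr} is missing from trusted_proxies; forwarded headers will be ignored")
    cond = cfg.get("overwritecondaddr")
    if cond and not re.search(cond, proxy_addr):
        findings.append("overwritecondaddr does not match the proxy address, so the overwrite* settings never apply")
    webroot = cfg.get("overwritewebroot", "")
    if webroot.rstrip("/") != prefix.rstrip("/"):
        findings.append(f"overwritewebroot {webroot!r} differs from the proxied prefix {prefix!r}; "
                        f"generated links and redirects will not use {prefix}")
    return findings


def run():
    """Run the check against the constructed snippets and return the findings."""
    return check("/nextcloud", parse_locations(NGINX_LOCATIONS),
                 parse_php_config(NEXTCLOUD_CONFIG), PROXY_ADDR)


if __name__ == "__main__":
    for line in run() or ["no mismatches found"]:
        print("-", line)
```

Run against the constructed snippets it reports two things worth checking: the location block sends no X-Forwarded-Proto, and overwritewebroot is "/" while the public path is /nextcloud. Changing `PROXY_ADDR` to an address outside `trusted_proxies` shows the other failure mode, where Nextcloud would ignore the forwarded headers entirely.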