Nextcloud (jail) behind a reverse proxy (other jail) - configuration problems

TheNASnovice

Dabbler
Joined
Feb 2, 2021
Messages
20
Hello everybody,

I am running a Nextcloud-Jail (NC version 20.0.6) on a TrueNAS system (192.168.2.205) with Apache web server.
Installed according to these instructions: https://www.samueldowling.com/2020/...n-freenas-iocage-jail-with-hardened-security/

I also have a reverse proxy jail on the same TrueNAS system (192.168.2.206) with Nginx.
Installed according to these instructions: https://www.truenas.com/community/t...-to-reverse-proxy-your-jails-w-certbot.49876/

Both are relatively freshly installed, but I am new to this subject and would need help on the last few meters to reach my destination.

To the current status:
Nextcloud works great if you only use http and the IP of the internal network. However, I would like to access it from the Internet via https.
A free Selfhost account should be used for this - let's just call the appropriate subdomain my-sub.selfhost.co (as there is actually a hyphen in the name).
Selfhost is a DynDNS provider and the IP update through my FritzBox also works fine.
The URL to the Nextcloud should be:
my-sub.selfhost.co/nextcloud

An SSL certificate has been created and apparently works. The problem seems to be the interaction between reverse proxy and NC in my opinion.
Either I get a 404 (depending on how I played around in config.php), apparently from the Nginx of the reverse proxy ("Nginx" appears on the 404 page), or the browser tells me that the redirect went wrong.

After several attempts (also with the help of the following website):

I have to slowly admit defeat and hope for your patience and willingness to help.

So the problem is summarized:
I don't get the Nextcloud start page that I am offered, with the appropriate configuration, using plain http and the internal network IP (http://192.168.2.205/).



My configuration files currently look like this:
Nextcloud - config.php

Code:
<?php
$CONFIG = array (
  'instanceid' => 'INSTANCEID',
  'passwordsalt' => 'SALT',
  'secret' => 'SECRET',
  'trusted_domains' =>
  array (
    0 => 'my-sub.selfhost.co',
    1 => '192.168.2.205',
    2 => 'localhost',
  ),
  'trusted_proxies'   => ['192.168.2.206'],
  #'overwritehost' => 'my-sub.selfhost.co',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '/',
  'overwritecondaddr' => '^192\.168\.2\.206$',
  'config_is_read_only' => true,
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '20.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'USERNAME',
  'dbpassword' => 'PASSWORD',
  'installed' => true,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'app_install_overwrite' =>
  array (
    0 => 'occweb',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'USERNAME-EMAIL',
  'mail_domain' => 'MAILSERVICE',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'SMTP.MAILSERVICE.TLD',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'MY-EMAIL',
  'mail_smtppassword' => 'MY-EMAIL-PASSWORD',
);




Reverse Proxy - nginx.conf
Code:
#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
worker_connections  1024;
}


http {
include   mime.types;
default_type  application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#  '$status $body_bytes_sent "$http_referer" '
#  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
listen   443 ssl;
server_name  my-sub.selfhost.co;
include ssl_common.conf;
include proxy_setup.conf;

#charset koi8-r;

#access_log  logs/host.access.log  main;

location / {
root   /usr/local/www/nginx;
index  index.html index.htm;
}

#error_page  404  /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root   /usr/local/www/nginx-dist;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#root   html;
#fastcgi_pass   127.0.0.1:9000;
#fastcgi_index  index.php;
#fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
#include        fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#deny  all;
#}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#listen   8000;
#listen   somename:8080;
#server_name  somename  alias  another.alias;

#location / {
#root   html;
#index  index.html index.htm;
#}
#}


# HTTPS server
#
#server {
#listen   443 ssl;
#server_name  my-sub.selfhost.co;
#include ssl_common.conf;
#include proxy_setup.conf;

#ssl_certificate  cert.pem;
#ssl_certificate_key  cert.key;

#ssl_session_cache    shared:SSL:1m;
#ssl_session_timeout  5m;

#ssl_ciphers  HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers  on;

#location / {
#root   html;
#index  index.html index.htm;
#}
#}

}




Reverse Proxy - ssl_common.conf
Code:
# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES25>
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx >= 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;




Reverse Proxy - proxy_setup.conf
Code:
location /nextcloud {
proxy_pass http://192.168.2.205:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /octopi {
proxy_pass http://192.168.2.75:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /plex {
proxy_pass http://192.168.2.201:32400/web/index.html;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
 
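The proxy_setup.conf above relies on two nginx rules that decide where each request ends up: among plain prefix locations the longest matching prefix wins, and when proxy_pass carries a URI part the portion of the request URI that matched the location is replaced by that URI (with no URI part, the request URI is forwarded unchanged). The Python below is an added example, not nginx code and not anything from the post: it models those two rules over the four location blocks as posted, plus a hypothetical trailing-slash variant that strips the /nextcloud/ prefix. The request paths fed to it are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Location:
    """One plain-prefix `location` block (no `=`, `^~` or `~` modifiers)."""
    prefix: str
    proxy_pass: Optional[str]   # None: nginx serves files from its own root


# The four location blocks from nginx.conf / proxy_setup.conf as posted.
LOCATIONS_POSTED: List[Location] = [
    Location("/", None),
    Location("/nextcloud", "http://192.168.2.205:80"),
    Location("/octopi", "http://192.168.2.75:80"),
    Location("/plex", "http://192.168.2.201:32400/web/index.html"),
]

# Hypothetical variant (not from the post): a trailing slash on both sides
# makes nginx replace the /nextcloud/ prefix with / before forwarding.
LOCATIONS_STRIPPED: List[Location] = [
    Location("/", None),
    Location("/nextcloud/", "http://192.168.2.205/"),
]


def match_location(path: str, locations: List[Location]) -> Optional[Location]:
    """Plain-prefix matching: the longest prefix that starts the path wins.
    It is a string prefix, so /nextcloud also catches /nextcloudfoo."""
    best = None
    for loc in locations:
        if path.startswith(loc.prefix) and (best is None or len(loc.prefix) > len(best.prefix)):
            best = loc
    return best


def split_proxy_pass(proxy_pass: str) -> Tuple[str, Optional[str]]:
    """Split 'scheme://host[:port][/uri]' into (base, uri-or-None)."""
    scheme_end = proxy_pass.index("://") + 3
    slash = proxy_pass.find("/", scheme_end)
    if slash == -1:
        return proxy_pass, None
    return proxy_pass[:slash], proxy_pass[slash:]


def upstream_request(path: str, locations: List[Location] = LOCATIONS_POSTED) -> Optional[Tuple[str, str]]:
    """Return (upstream_base, upstream_path). The base is 'static' when nginx
    answers from its own document root, which is where its own 404 page
    comes from for a file that does not exist there."""
    loc = match_location(path, locations)
    if loc is None:
        return None
    if loc.proxy_pass is None:
        return "static", path
    base, uri = split_proxy_pass(loc.proxy_pass)
    if uri is None:
        return base, path                        # no URI part: forwarded as-is
    return base, uri + path[len(loc.prefix):]    # URI part replaces the matched prefix


if __name__ == "__main__":
    for p in ("/nextcloud/index.php/login", "/index.php/login", "/plex", "/plex/web/index.html"):
        print(p, "->", upstream_request(p))
```

Two things fall out of running it over the posted blocks. A Nextcloud link that lacks the /nextcloud prefix (for example /index.php/login) lands in the static `location /` and is answered by nginx's own 404 page, the page signature the post describes, so the jail never sees it. And because the plex block puts a file name in the proxy_pass URI, /plex/web/index.html is forwarded as /web/index.html/web/index.html; only the bare /plex path maps sensibly with that form.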

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
Hey, glad you found my Nextcloud guide useful. It might be worth checking out my reverse proxy guide as well. This is how I've configured it and it works well :)

See signature for link.

Nothing immediately jumps out at me as incorrect in your config - perhaps you're missing some required headers. For awareness, the headers that I use in my config are:

Code:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;


Also, incidentally, you don't need to specify port 80 in your IP addresses - this is implied by the http protocol. For completeness, https implies port 443.
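Samuel's header list and the trusted_proxies / overwrite* keys in the posted config.php work as a pair: Nextcloud only believes X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host when the TCP peer is listed in trusted_proxies, and overwritecondaddr limits the overwrite* settings to requests whose peer matches the regex, which is what keeps plain-http LAN access working. The Python below is an added example that models those documented rules on the config as posted; it is not Nextcloud's own Request class (CIDR entries in trusted_proxies, IPv6 and the full trusted_domains handling are left out), and the client addresses 203.0.113.7 and 192.168.2.50 as well as the two variant configs are constructed for illustration.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class Config:
    """The config.php keys that matter behind a reverse proxy."""
    trusted_proxies: List[str]
    trusted_domains: List[str]
    overwriteprotocol: str = ""
    overwritehost: str = ""
    overwritewebroot: str = ""    # "" keeps the web root Apache detected
    overwritecondaddr: str = ""   # regex on REMOTE_ADDR; "" means always apply


@dataclass(frozen=True)
class Request:
    """What Apache hands to PHP: the TCP peer, the Host header, Apache's own
    TLS flag, and whatever X-Forwarded-* headers arrived, trusted or not."""
    remote_addr: str
    host: str
    https: bool = False
    headers: Dict[str, str] = field(default_factory=dict)
    webroot: str = ""             # web root detected from the script path


def from_trusted_proxy(cfg: Config, req: Request) -> bool:
    return req.remote_addr in cfg.trusted_proxies


def overwrite_applies(cfg: Config, req: Request) -> bool:
    # overwrite* applies unconditionally unless overwritecondaddr narrows it
    # to peers matching the regex (in the posted config: only the proxy jail).
    return cfg.overwritecondaddr == "" or re.search(cfg.overwritecondaddr, req.remote_addr) is not None


def client_address(cfg: Config, req: Request) -> str:
    """X-Forwarded-For is believed only when the direct peer is a trusted
    proxy, so a client talking to Apache directly cannot forge its address."""
    if from_trusted_proxy(cfg, req):
        for ip in req.headers.get("X-Forwarded-For", "").split(","):
            ip = ip.strip()
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
                return ip
    return req.remote_addr


def server_protocol(cfg: Config, req: Request) -> str:
    if cfg.overwriteprotocol and overwrite_applies(cfg, req):
        return cfg.overwriteprotocol
    if from_trusted_proxy(cfg, req) and "X-Forwarded-Proto" in req.headers:
        proto = req.headers["X-Forwarded-Proto"].split(",")[0].strip().lower()
        return "https" if proto == "https" else "http"   # any other value degrades to http
    return "https" if req.https else "http"


def server_host(cfg: Config, req: Request) -> str:
    if cfg.overwritehost and overwrite_applies(cfg, req):
        return cfg.overwritehost
    if from_trusted_proxy(cfg, req) and "X-Forwarded-Host" in req.headers:
        return req.headers["X-Forwarded-Host"].split(",")[0].strip()
    return req.host


def host_is_trusted(cfg: Config, req: Request) -> bool:
    """False is what produces Nextcloud's 'untrusted domain' page."""
    return server_host(cfg, req) in cfg.trusted_domains


def absolute_url(cfg: Config, req: Request, path: str) -> str:
    """protocol://host + web root + path: the URL Nextcloud puts into
    redirects and the links it generates."""
    webroot = cfg.overwritewebroot if cfg.overwritewebroot else req.webroot
    return f"{server_protocol(cfg, req)}://{server_host(cfg, req)}{webroot.rstrip('/')}{path}"


# config.php as posted (placeholders and unrelated keys omitted).
CFG_POSTED = Config(
    trusted_proxies=["192.168.2.206"],
    trusted_domains=["my-sub.selfhost.co", "192.168.2.205", "localhost"],
    overwriteprotocol="https",
    overwritewebroot="/",
    overwritecondaddr=r"^192\.168\.2\.206$",
)
# Hypothetical variants for comparison (not from the post).
CFG_WEBROOT_NEXTCLOUD = replace(CFG_POSTED, overwritewebroot="/nextcloud")
CFG_NO_CONDADDR = replace(CFG_POSTED, overwritecondaddr="")

# Constructed requests: one via the proxy jail carrying the headers Samuel
# lists, one straight from a LAN client that also sends forged headers.
REQ_VIA_PROXY = Request("192.168.2.206", "my-sub.selfhost.co",
                        headers={"X-Forwarded-For": "203.0.113.7",
                                 "X-Forwarded-Proto": "https",
                                 "X-Forwarded-Host": "my-sub.selfhost.co"})
REQ_LAN_DIRECT = Request("192.168.2.50", "192.168.2.205",
                         headers={"X-Forwarded-For": "10.0.0.1",
                                  "X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print("posted   ", absolute_url(CFG_POSTED, REQ_VIA_PROXY, "/index.php/login"))
    print("/nextcloud", absolute_url(CFG_WEBROOT_NEXTCLOUD, REQ_VIA_PROXY, "/index.php/login"))
    print("lan peer ", client_address(CFG_POSTED, REQ_LAN_DIRECT), server_protocol(CFG_POSTED, REQ_LAN_DIRECT))
```

With the posted values the model turns a redirect target such as /index.php/login into https://my-sub.selfhost.co/index.php/login, that is, without the /nextcloud prefix under which the proxy forwards to the jail; with overwritewebroot set to /nextcloud the same target comes out under that prefix. That is the first thing to check whenever nginx rather than Nextcloud answers a Nextcloud-generated link. The LAN request shows the other half: its forged X-Forwarded-For and X-Forwarded-Proto are ignored because 192.168.2.50 is not a trusted proxy, and http is kept because overwritecondaddr does not match; drop overwritecondaddr and every LAN request is forced to https.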
 

TheNASnovice

Dabbler
Joined
Feb 2, 2021
Messages
20
Hey Samuel,
glad you found this thread and weren't put off by too much reading (as seems to be the case with the rest, unfortunately :wink:).

Don't ask me what I did (I spent 2 or 3 intensive days on it), but now it works, BUT:
When I try to update my Nextcloud to the newest version (20.0.7 has been released) I get an error (please see the attached picture).
Since the 404 page of my nginx is very familiar to me by now, I guess the proxy is misdirecting, or Nextcloud is generating wrong URLs in some other way.

I have attached my config files, which are actually running fine (except for updating Nextcloud and problems with plex, but one thing at a time).

Do you have an Idea to fix this?
Thanks!


Greetings
TheNASnovice
 

Attachments: Update.png (462.2 KB), configs.zip (12.6 KB)