Reverse Proxy help

Status
Not open for further replies.

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I created an iocage jail following this guide. I'm using a dynamic DNS for now and have my pfsense router pointing port 80 and 443 to the IP address of my reverse proxy jail. I want to have 2 nextcloud jails so I can experiment with the nextcloudMan jail and not worry about messing up the main nextcloud jail. Not sure why the reverse proxy isn't working as expected.

When I go to https://mydomain.ddns.net/nextcloud I get the server on 192.168.5.91
When I go to https://mydomain.ddns.net/nextcloudMan I get:
Internal Server Error
The server was unable to complete your request.
If this happens again, please send the technical details below to the server administrator.
More details can be found in the server log.

When I go to https://mydomain.ddns.net/sab I get 404 not found

my proxy_setup.conf
Code:
location /nextcloud {
	proxy_pass http://192.168.5.91;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /nextcloudMan {
	proxy_pass http://192.168.5.96;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /sab {
	proxy_pass http://192.168.5.75:8080;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

my nginx.conf server block has:
Code:
server {
	listen 80;
	listen 443 ssl;
	server_name mydomain.ddns.net;
	include ssl_common.conf;
	include proxy_setup.conf;
}


my ssl_common.conf
Code:
# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /usr/local/etc/letsencrypt/live/mydomain.ddns.net/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/mydomain.ddns.net/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AE$
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx => 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
Don’t use location to reverse proxy, use servers.
Eg https://nextcloud.domain.io

That will make life a lot easier as you don’t have to rewrite all the requests. You do need to match the url on Nextcloud. The dynDns won’t work unless you can find a way to rewrite the request.

Then you need to tell Nextcloud what servers are used for reverse proxying, otherwise it won't play ball. Check out the manual at https://docs.nextcloud.com/server/1...ation_server/reverse_proxy_configuration.html
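The config.php side of what garm describes, as an added example that is not from any post in this thread and not Nextcloud's own code. It assumes the host-based layout garm suggests (public name nextcloud.mydomain.ddns.net, TLS ending on the proxy jail) and assumes the proxy jail sits at 192.168.5.90 and the Nextcloud jail at 192.168.5.91; the hostname and both addresses are placeholders. The small function after the config array is an illustration of the rule trusted_proxies enforces (believe X-Forwarded-For only when the TCP peer is a listed proxy, then take the rightmost hop that is not itself a proxy), run against three constructed request shapes, including the effect of a misspelt header name such as X-Forward-For on the nginx side:

```php
<?php
// Added example: Nextcloud config.php fragment for a host-based reverse proxy.
// Assumed addresses: proxy jail 192.168.5.90, Nextcloud jail 192.168.5.91.

$CONFIG = [
    // Host header values Nextcloud will serve; anything else gets the
    // "untrusted domain" page. Public name plus the jail IP for LAN access.
    'trusted_domains' => [
        'nextcloud.mydomain.ddns.net',
        '192.168.5.91',
    ],
    // Only the proxy jail is allowed to speak for a client via X-Forwarded-For.
    'trusted_proxies'       => ['192.168.5.90'],          // assumed proxy jail IP
    'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR'],  // PHP's name for X-Forwarded-For
    // TLS terminates on the proxy, so build https:// links for the public
    // name instead of the http://192.168.5.91 Nextcloud sees on the wire.
    'overwritehost'     => 'nextcloud.mydomain.ddns.net',
    'overwriteprotocol' => 'https',
    'overwrite.cli.url' => 'https://nextcloud.mydomain.ddns.net',
];

/**
 * Illustration of the trusted-proxy rule, not Nextcloud's implementation:
 * the forwarded header counts only when the TCP peer is a trusted proxy,
 * and then the rightmost address that is not itself a trusted proxy wins
 * (everything further left could have been written by the untrusted client).
 */
function clientAddress(array $server, array $config): string
{
    $peer    = $server['REMOTE_ADDR'];
    $trusted = $config['trusted_proxies'] ?? [];
    if (!in_array($peer, $trusted, true)) {
        return $peer;                           // direct client; its headers are not believed
    }
    foreach ($config['forwarded_for_headers'] ?? [] as $header) {
        if (empty($server[$header])) {
            continue;                           // proxy did not send this header
        }
        $hops = array_map('trim', explode(',', $server[$header]));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trusted, true)) {
                return $hops[$i];
            }
        }
    }
    return $peer;                               // proxy forwarded nothing usable
}

// Constructed $_SERVER-style inputs (addresses are documentation ranges).
$viaProxy   = ['REMOTE_ADDR' => '192.168.5.90', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$typoHeader = ['REMOTE_ADDR' => '192.168.5.90', 'HTTP_X_FORWARD_FOR'   => '203.0.113.7'];
$spoof      = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];

// Real client address recovered through the proxy.
var_dump(clientAddress($viaProxy, $CONFIG) === '203.0.113.7');
// nginx sent "X-Forward-For": it is ignored, so every login appears to come
// from the proxy and brute-force protection throttles the proxy, not the attacker.
var_dump(clientAddress($typoHeader, $CONFIG) === '192.168.5.90');
// An untrusted peer cannot forge a loopback address via the header.
var_dump(clientAddress($spoof, $CONFIG) === '198.51.100.9');
```

Run it with `php example.php`; all three checks print `bool(true)`. The second case is the one to watch for in the proxy config: if the header name nginx sets does not match what forwarded_for_headers expects, Nextcloud silently falls back to the proxy's own address.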

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Don’t use location to reverse proxy, use servers.
Eg https://nextcloud.domain.io

That will make life a lot easier as you don’t have to rewrite all the requests. You do need to match the url on Nextcloud. The dynDns won’t work unless you can find a way to rewrite the request.

Then you need to tell Nextcloud what servers are used for reverse proxying, otherwise it won't play ball. Check out the manual at https://docs.nextcloud.com/server/1...ation_server/reverse_proxy_configuration.html

I checked out the link you provided, but it's confusing to someone new to the concept. Any chance you could share a redacted copy of your config.php and proxy_setup.conf, or show me what it would look like with my parameters?

Couldn't the dynDNS just refer to the proxy server and the server send to the appropriate jail?

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I've got mine set up as @garm suggested, with the service prefixing the domain, e.g. service.domain.com. I'm using Nginx and have a sites-enabled folder with individual service.conf files for each one I'm redirecting. Not sure this is best practice, but it keeps things nice and simple for me and has been working pretty well for a number of months. I even rebuilt the jail using iocage this weekend, which was surprisingly straightforward: installing from ports and then copying across the .conf files and letsencrypt folder from the old warden jail. Here's my nextcloud.conf file, with personal details removed. Some of the lines are hashed out as I don't use them in this .conf file, but I do in some of the others. I've tried to keep the files the same as much as I can:

Code:
## Start nextcloud.domain.com

#server {
#	listen 80;
#	return 301 https://$host$request_uri;
#}

server {
	listen 443 ssl;
	ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.domain.com/file.pem;
	ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.domain.com/key.pem;
	ssl_dhparam /usr/local/etc/ssl/dhparam.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # drop SSLv3 (POODLE vulnerability)
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-S$

#	add_header Content-Security-Policy "frame-ancestors domain.com nextcloud.domain.com;";   #add your domain$
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
#	add_header X-Frame-Options "SAMEORIGIN" always;
#	add_header X-Xss-Protection "1; mode=block" always;
#	add_header X-Content-Type-Options "nosniff" always;
#	add_header 'Referrer-Policy' 'no-referrer';

	server_name nextcloud.domain.com;
	set $upstream JAIL_IP;

	access_log /var/log/nginx/web.access.log;
	error_log /var/log/nginx/web.error.log;
	root /usr/local/www/nginx;
	index index.html index.htm;

	location / {
		proxy_pass_header Authorization;
		proxy_pass http://$upstream;
		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#		proxy_redirect off;
		proxy_buffering off;
		proxy_request_buffering off;
		proxy_set_header		Host			$host;
		proxy_set_header		X-Real-IP		$remote_addr;
		# header name corrected: the standard (and Nextcloud-recognised) name is X-Forwarded-For
		proxy_set_header		X-Forwarded-For	$proxy_add_x_forwarded_for;
		# added so the backend knows TLS terminated here and builds https:// URLs
		proxy_set_header		X-Forwarded-Proto	$scheme;
#		proxy_set_header		X-Frame-Options SAMEORIGIN;
		proxy_http_version 1.1;
		proxy_set_header Connection "";
		client_max_body_size 0;
#		proxy_ssl_session_reuse off;
		proxy_read_timeout 36000s;
	}

	location /.well-known {
		root /usr/local/www;
	}
}

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
The request needs to include the right server. I’m roaming so I cannot access my servers, but I can maybe write a short guide in the next few days

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
The request needs to include the right server. I’m roaming so I cannot access my servers, but I can maybe write a short guide in the next few days
I look forward to your guide when you have time. Thanks.