TrueNAS CORE -> Nextcloud -> Cloudflare Tunnel Troubleshooting

Joined
Jan 8, 2023
Messages
9
Hi everyone,

Complete noob to self-hosting/networking anything. I have successfully installed TrueNAS CORE (13.0) on an old computer and got it running on my local network. I'm now trying to move on to installing Nextcloud.

Unfortunately, at this point in time, when I try to access my nextcloud, I'm getting a timeout error.

Here are the steps that I have completed:
  1. Registered a domain with Cloudflare
  2. Followed the official nextcloud installation guide on the TrueNAS youtube channel (here), including disabling hardware offloading. I used default nextcloud plugin installation parameters.
  3. Followed this guide exactly, starting from step 2 (as recommended in this thread). For the URL in the last part of step 3, I used HTTP localhost. For the nextcloud plugin, do I need to do localhost:80 or some other specific port? For step 4, I used the command echo "/usr/local/bin/cloudflared tunnel run --token YOUR-TOKEN >/dev/null 2>/dev/null &" > /etc/rc.local as instructed. Did I have to change anything for my use case?
In my internet searching, I also found this guide on nextcloud installation. I didn't want to use it because I do not want to open my ports to the public, which I understand cloudflare tunneling is supposed to help me avoid. Is there a different recommended method?

What other information can I provide to be helpful? I'm more familiar with reddit, so I decided to post here instead of the forum, but should I make the same post there?

Thank you so much in advance!
 
Joined
Jan 8, 2023
Messages
9
Thanks for the response! I have default settings on cloudflare. I do not have Origin Server enabled:

1673272794165.png


As for edge certificates, these are my settings:

1673272986916.png


Total TLS: off
Always Use HTTPS: off
HTTP Strict Transport Security (HSTS): off
Minimum TLS Version: TLS 1.0 (default)
Opportunistic Encryption: on
TLS 1.3: on
Automatic HTTPS Rewrites: on
Certificate Transparency Monitoring: off
Disable Universal SSL: off

As for my tunnel, I have the URL set to HTTP://localhost. If I do the SSL settings, do I need to change it to HTTPS?
 
Joined
Jan 8, 2023
Messages
9
I used the plugin install method. Default settings. I noticed the guide was DHCP, but I used NAT. Will this make a difference?

SSL/TLS Overview was flexible. Besides changing it to full (strict), do I need to change other settings?

If I enable these certificates/security features, will I need to install corresponding certificates on the devices I want to use to access nextcloud?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I used the plugin install method. Default settings. I noticed the guide was DHCP, but I used NAT. Will this make a difference?

SSL/TLS Overview was flexible. Besides changing it to full (strict), do I need to change other settings?

If I enable these certificates/security features, will I need to install corresponding certificates on the devices I want to use to access nextcloud?
Yes. You need to use DHCP or set a static IP. Using NAT will mean the localhost address will resolve to your NAS IP and not the Nextcloud.

Setting to Full (strict) should work.

No, you don’t need to install any certificates.
 
Joined
Jan 8, 2023
Messages
9
I have changed the SSL/TLS Overview to Full (Strict). To clarify, do I need to do anything beyond changing the mode? Is there anything I need to install on my truenas to make it compatible with this new setting?

Changed the jail setting from NAT to DHCP.

I have changed no other settings in the jail, so they should be defaults. I hid the MAC and hostid settings. Are those IDs sensitive information? Here are the screenshots of my jails page:

1673277120991.png


1673276812913.png


1673276842594.png


1673276896239.png


1673276944068.png
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
  1. Install cloudflared in jail
  2. Set up tunnel. In the tunnel you should be able to put HTTP://192.168.1.27
  3. Run the command from the other thread with your tunnel token
  4. Restart jail
 
Joined
Jan 8, 2023
Messages
9
Since I've changed SSL/TLS to Full (strict), do I need to create/add an origin certificate to my truenas server?

Additionally, after I changed NAT->DHCP, when I try to open the manage panel of nextcloud (through the truenas plugin page), I am getting an error of "Access through untrusted domain." I will need to address this later, but is this problem preventing me from seeing the same error page when I try to access through the cloudflare tunnel?
 
Joined
Jan 8, 2023
Messages
9
Was able to fix local access of nextcloud manager by following this comment.

Is there any set up I need to perform in nextcloud itself for the above steps to work properly?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Since I've changed SSL/TLS to Full (strict), do I need to create/add an origin certificate to my truenas server?
No. Cloudflare handles that.
Additionally, after I changed NAT->DHCP, when I try to open the manage panel of nextcloud (through the truenas plugin page), I am getting an error of "Access through untrusted domain." I will need to address this later, but is this problem preventing me from seeing the same error page when I try to access through the cloudflare tunnel?
Oh. I thought you were reinstalling. You might need to edit your config.php to allow the 192.168.1.27 address that it now has.
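
The config.php change mentioned in the reply above, shown as an added example that is not part of the original thread. The hostname cloud.example.com is a placeholder, the 'localhost' entry is assumed to be what the plugin install left in place, and the trusted_proxies values assume cloudflared runs inside the same jail as Nextcloud, as in the steps earlier in the thread.

```php
<?php
// Added example: entries to merge into the existing $CONFIG array in
// Nextcloud's config/config.php. Do not replace the whole file; keys such as
// instanceid, passwordsalt and secret must stay as the installer wrote them.
$CONFIG = array (
  // Host-header allow-list. Nextcloud answers "Access through untrusted
  // domain" for any Host value that is not listed here, which is why the
  // error appeared once the jail got its own address.
  // List exact names only; a catch-all '*' entry turns the check off.
  'trusted_domains' =>
  array (
    0 => 'localhost',          // assumed existing entry, keep what is there
    1 => '192.168.1.27',       // jail address from this thread (LAN access)
    2 => 'cloud.example.com',  // placeholder: hostname published by the tunnel
  ),

  // Addresses allowed to supply X-Forwarded-* headers. Assumption: cloudflared
  // runs in this jail, so requests reach the web server from the jail itself.
  // Leaving this out makes every visitor appear to come from the proxy
  // address in logs and in brute-force throttling.
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '192.168.1.27',
  ),

  // Cloudflare terminates TLS and the tunnel delivers the request to the jail
  // over plain HTTP. This makes Nextcloud generate https:// links anyway.
  'overwriteprotocol' => 'https',

  // Base URL used by background jobs and the occ command line tool.
  'overwrite.cli.url' => 'https://cloud.example.com',
);
```

Only the public hostname needs to be reachable from outside; the 192.168.1.27 entry exists for access from the local network and can be dropped if Nextcloud is only ever reached through the tunnel.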
 

wgb920

Dabbler
Joined
Mar 18, 2023
Messages
10
1 install cloudflared in jail
I guess I'm more of a noob than confusedtruenoob.

How do I install cloudflared in a jail? I tried the instructions here under "build from source," but when I got to "make cloudflared" I got a bunch of messages that said, "invalid line type" along with other warnings.

make: "/root/cloudflared/Makefile" line 6: Invalid line type
make: "/root/cloudflared/Makefile" line 9: Invalid line type
make: "/root/cloudflared/Makefile" line 11: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 8: warning: using previous script for "ifeq" defined here
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I guess I'm more of a noob than confusedtruenoob.

How do I install cloudflared in a jail? I tried the instructions here under "build from source," but when I got to "make cloudflared" I got a bunch of messages that said, "invalid line type" along with other warnings.

make: "/root/cloudflared/Makefile" line 6: Invalid line type
make: "/root/cloudflared/Makefile" line 9: Invalid line type
make: "/root/cloudflared/Makefile" line 11: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 8: warning: using previous script for "ifeq" defined here
From the jail

Code:
pkg install cloudflared
 

wgb920

Dabbler
Joined
Mar 18, 2023
Messages
10
Thank You! I believe I set it all up correctly, but when I navigate to my site on an incognito browser I get ERR_TOO_MANY_REDIRECTS.

Is that a problem with the tunnel setup or something else?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
It depends on how you have your server set up.
HTTP or HTTPS
Self signed cert, no cert, stand-alone or dns cert.

I wrote a guide here, it’s for caddy though, but the part about the certificates is the same. Depending on which cert you have, you will need to adjust some settings in the tunnel settings.
 