What is a reverse proxy and how to use it
- Security:
  - HTTPS encryption (TLS offloading/TLS termination)
  - some reverse proxies like Traefik and Caddy can automatically enroll TLS certificates (others like Apache and Nginx require additional software)
  - filtering malicious traffic
  - rate limiting
- Management:
  - Single Entry Point: The reverse proxy acts as a single entry point for all your web applications, simplifying administration and configuration.
  - URL Rewriting: You can use the reverse proxy to rewrite URLs for a cleaner and more user-friendly experience.
  - Content Control: The proxy can be configured to restrict access to certain content based on user roles or IP addresses.
[Figure: architecture]
Configuration on Nextcloud:
As there is no direct connection from the client, the application cannot determine the IP address of the client or the domain it wants to access on its own. This results in proxy warnings. The proxy must add specific headers with information about the client and the resource/URL it accessed initially. Nextcloud does not trust such headers per se, but only when the initiating system is configured as a trusted proxy; otherwise a malicious actor could spoof the headers and overcome protective measures like brute-force protection.
- Trusted Proxies: Define the IP addresses or hostnames of your reverse proxy servers in config.php for security reasons (only trusted endpoints can inject information about the accessing device).
- Proxy Headers: Nextcloud uses the X-Forwarded-For header by default to retrieve the client IP address behind the proxy. You can configure other headers if needed.
- Overwrite Parameters: If Nextcloud doesn't automatically detect the hostname, protocol, or webroot path,
  - use the overwritehost, overwriteprotocol, and overwritewebroot options in config.php
  - use environment variables for containers (All-in-One and community microservice)
- See the official reverse proxy documentation.
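The following is an added Python model of the trust rule described above; it is not Nextcloud's code and not part of the original page. It implements the same principle the trusted-proxies setting enforces: a forwarded client-address header is honoured only when the TCP peer that delivered the request is itself a configured trusted proxy, and when a header lists several hops the address is taken walking from the right, so that a client who prepends a fake entry before the proxy appends the real one does not win. The configuration values, function names and sample requests are constructed for the example.

```python
"""Model of client-address resolution behind a reverse proxy (added example).

Rule: only honour X-Forwarded-For (or another configured header) when the
direct peer is a trusted proxy; otherwise key rate limiting and brute-force
protection on the peer address itself.
"""
import ipaddress

# Constructed configuration, mirroring the shape of the settings discussed
# above: proxies may be single addresses or CIDR ranges (both IPv4 and IPv6),
# and the header list names which header(s) carry the original client address.
TRUSTED_PROXIES = ["10.0.0.0/24", "2001:db8::10"]
FORWARDED_FOR_HEADERS = ["X-Forwarded-For"]


def is_trusted_proxy(peer_ip: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if peer_ip falls inside any configured trusted proxy entry."""
    peer = ipaddress.ip_address(peer_ip)
    for entry in trusted:
        # strict=False lets a host address such as "2001:db8::10" act as a /128
        if peer in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def resolve_client_ip(remote_addr: str, headers: dict,
                      trusted=TRUSTED_PROXIES,
                      forwarded_headers=FORWARDED_FOR_HEADERS) -> str:
    """Return the address protective measures should be keyed on.

    If the direct peer is not a trusted proxy, every forwarded header is
    ignored: a client connecting directly could otherwise set X-Forwarded-For
    to an arbitrary value and evade per-IP brute-force throttling.
    """
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr

    normalized = {k.lower(): v for k, v in headers.items()}
    for name in forwarded_headers:
        value = normalized.get(name.lower())
        if not value:
            continue
        # X-Forwarded-For is "client, proxy1, proxy2, ...". Proxies append their
        # own peer address, so the rightmost entry that is not one of our own
        # trusted proxies is the address the last trusted hop actually saw.
        hops = [h.strip() for h in value.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                if not is_trusted_proxy(hop, trusted):
                    return hop
            except ValueError:
                break  # malformed entry: fall back to the peer address
    return remote_addr


def demo() -> dict:
    """Constructed requests; returns the address each would be keyed on."""
    return {
        # direct connection, attacker sets a spoofed header: header ignored
        "direct_spoof": resolve_client_ip(
            "203.0.113.5", {"X-Forwarded-For": "127.0.0.1"}),
        # arrived via a listed proxy: header honoured
        "via_proxy": resolve_client_ip(
            "10.0.0.7", {"X-Forwarded-For": "198.51.100.7"}),
        # client prepended a fake hop, proxy appended the real one
        "via_proxy_prepended": resolve_client_ip(
            "10.0.0.7", {"x-forwarded-for": "1.2.3.4, 198.51.100.7"}),
        # proxy did not add the header at all: fall back to the proxy address
        "via_proxy_no_header": resolve_client_ip("10.0.0.7", {}),
    }


if __name__ == "__main__":
    for label, addr in demo().items():
        print(f"{label:22s} -> {addr}")
```

The last case is the one that produces the proxy warnings mentioned above: when the proxy forwards nothing, every request appears to come from the proxy itself, so any per-IP limit applies to all users at once.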