101: reverse proxy

What is a reverse proxy and how to use it

  • Security:
    • HTTPS encryption (TLS offloading/TLS termination)
    • some reverse proxies like Traefik and Caddy can automatically enroll TLS certificates (others like Apache and Nginx require additional software)
    • filtering malicious traffic
    • rate limiting
  • Management:
    • Single Entry Point: the reverse proxy acts as a single entry point for all your web applications, simplifying administration and configuration.
    • URL Rewriting: you can use the reverse proxy to rewrite URLs for a cleaner and more user-friendly experience.
    • Content Control: the proxy can be configured to restrict access to certain content based on user roles or IP addresses.

architecture for a single application

A reverse proxy sits in front of the application, manages the TLS certificates (free Let's Encrypt certificates are the most common and recommended), receives the incoming requests and optionally performs additional security checks and sanitation.

```mermaid
flowchart LR
  client(client)
  rp(reverse proxy<br>192.168.1.24:443<br>TLS certificate for https:// myurl.tld<br>'TLS offloading' or 'TLS termination')
  Nextcloud(Nextcloud)
  client -- https:// myurl.tld<br>to reverse proxy ---> rp;
  rp -- http:// 172.30.11.22:80<br>internal **plain http** connection<br>to application --> Nextcloud(Nextcloud<br>incoming connection from reverse proxy ip<br>proxy headers required to know<br>the initial IP and domain);
```

reverse proxy for a single application

architecture for multiple applications

Especially in self-hosting scenarios it is hard to have a dedicated public IP for each application, so the reverse proxy is used as a single point of entry and distributes incoming requests to the different applications based on rules such as different hostnames (https://app1.mydomain.tld, https://nextcloud.mydomain.tld) or URL patterns (https://mydomain.tld/app1, https://mydomain.tld/app2, https://mydomain.tld/nextcloud).

```mermaid
flowchart LR
  fritz.box-- port forward<br>tcp/80+tcp/443 -->RP;
  fritz.box(router<br>192.168.179.1);
  RP[reverse proxy<br>:80 + :443<br>nc.mydomain.tld<br>collabora.mydomain.tld<br>application1.mydomain.tld<br>application2.mydomain.tld]
  subgraph nc.mydomain.tld
    NC[NC<br>:80]-->NCDB[(mariadb)];
  end
  subgraph collabora.mydomain.tld
    CODE[Collabora<br>:9980]
  end
  subgraph application1.mydomain.tld
    app1[app1<br>:80]-->APP1DB[(postgres)]
  end
  RP--http-->NC & CODE & app1
```

reverse proxy for multiple applications

Nextcloud configuration

With a reverse proxy in place there is no direct connection from the client: all connections arrive from the reverse proxy, so the application cannot determine the real IP address of the client (real-ip) or the domain it wanted to access. This results in proxy warnings, and brute-force protection may engage because every client appears to come from the same proxy address. To address this the reverse proxy can add specific headers with information about the client and the resource/URL accessed initially. For security reasons Nextcloud does not trust such headers by default and requires a trusted_proxies configuration; otherwise a malicious actor could spoof the headers and bypass protective measures like brute-force protection.

  • Trusted Proxies:
    • Define the IP addresses or hostnames of your reverse proxy servers for security reasons (only trusted endpoints may inject information about the accessing device). Trusted proxies can be set in config.php or using the occ command `occ config:system:set trusted_proxies 1 --value='127.0.0.1'` (add as many as you want)
  • Proxy Headers: Nextcloud uses the X-Forwarded-For header by default to retrieve the client IP address behind the proxy → real-ip
    • You can configure other headers if needed, e.g. X-Real-IP
  • Overwrite Parameters: if Nextcloud doesn't automatically detect hostname, protocol, or webroot path,
    • use the overwritehost, overwriteprotocol, and overwritewebroot options in config.php
    • use environment variables for containers (All-in-One and community microservice image)
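As an added illustration (not Nextcloud's own code), the Python below models the trusted_proxies check described above: the forwarded header is honoured only when the TCP peer is a configured proxy, and the client is the right-most hop that is not itself a trusted proxy, so a prefix injected by the client into X-Forwarded-For is ignored. The proxy addresses 192.168.1.24 and 172.30.11.0/24 follow the diagrams above; 203.0.113.9, 198.51.100.7 and the header values are constructed.

```python
import ipaddress

# Constructed values modelled on the diagrams; in Nextcloud they live in
# config.php as 'trusted_proxies' and 'forwarded_for_headers'. Only IPs and
# CIDR ranges are handled here, not hostnames.
TRUSTED_PROXIES = ["192.168.1.24", "172.30.11.0/24"]
FORWARDED_FOR_HEADERS = ["X-Forwarded-For", "X-Real-IP"]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr is one of the configured proxies (single IP or CIDR)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def resolve_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES,
                      forwarded_headers=FORWARDED_FOR_HEADERS):
    """Return the address that brute-force protection should key on.

    remote_addr is the TCP peer (REMOTE_ADDR), headers a dict of request
    headers. Forwarded headers count only when the peer is a trusted proxy.
    """
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr  # direct connection: a forwarded header here is untrusted noise
    lowered = {k.lower(): v for k, v in headers.items()}
    chain = []
    for name in forwarded_headers:  # first configured header that is present wins
        value = lowered.get(name.lower())
        if value:
            chain = [hop.strip() for hop in value.split(",") if hop.strip()]
            break
    chain.append(remote_addr)  # the peer itself is the last hop of the chain
    # Walk backwards from the proxy: the first hop that is not a trusted proxy is
    # the client; anything further left was supplied by the client and is ignored.
    for hop in reversed(chain):
        if not is_trusted_proxy(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                continue  # malformed entry injected upstream; skip it
    return remote_addr  # every hop is a trusted proxy: the header was never set


if __name__ == "__main__":
    print(resolve_client_ip("203.0.113.9", {"X-Forwarded-For": "10.0.0.1"}))  # spoof ignored
    print(resolve_client_ip("192.168.1.24", {"X-Forwarded-For": "198.51.100.7, 203.0.113.9"}))
    print(resolve_client_ip("192.168.1.24", {}))  # proxy without header: "remote address" is the proxy
```

The last case reproduces the common symptom of a proxy that forwards without setting the header: every request is attributed to the proxy's own address, exactly what the warnings and misfiring brute-force protection described above look like.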

official reverse proxy documentation
